Monday, November 7, 2011

Monitoring Trendmicro Officescan log entries

I noticed that a Trend Micro OfficeScan installation I have was not updating the AV patterns for a couple of days. This behavior happens from time to time (about once a month on average), and I still cannot pinpoint exactly the cause (wonderful world of Windows, which does not have proper logging and debugging).
As there is no automated mechanism to alert you on this phenomenon, I decided to go back to the proven methods: send the logs to syslog, parse them with SEC to generate an alarm.


  • Log files

OfficeScan keeps a "server update log" in its installation directory: %PROGRAMFILES%\Trend Micro\OfficeScan\PCCSRV\Log\update.log. This flat text file stores one line for each update operation performed by the service, and the file is purged on a schedule set under the 'log maintenance' settings, so do not expect to find history in it beyond that retention. Example:
20111107042518,4,1,1,8.555.00
20111107075300,4,51,1,8.555.00
The format is not documented, and the only fields I have identified so far are: timestamp (1st field, YYYYMMDDhhmmss), product code (3rd field, 1 being the AV pattern, 51 being the Smart Scan pattern) and version (5th field).

  • Windows to syslog

To collect Windows events or flat text log files on a syslog server you will need to deploy a non-Microsoft add-on. One option is Epilog for Windows by InterSect Alliance; another is to use Cygwin (less straightforward).
Epilog's installation is straightforward, and it offers some nice features for collecting events on a Windows system (simple web GUI, filtering of log entries, ...). Just point Epilog at your log files, configure the destination to be your syslog server and wait for something to be written to the log (forcing a manual update of the AV does the trick).
If everything goes well you will see the log lines appear on your syslog server. In my case I use syslog-ng to get those entries into a dedicated log file. The configuration looks something like this:

# Log infrastructure servers - OLD
filter h_prodnet { netmask(10.1.1.0/24); };   # only accept entries from the Windows server subnet
destination d_local3 { file("/var/log/Windows/$HOST-$YEAR$MONTH$DAY.log" create_dirs(yes) perm(0644)); };          # event log entries, one file per host and day
destination d_local2 { file("/var/log/Windows/$HOST-FILELOG-$YEAR$MONTH$DAY.log" create_dirs(yes) perm(0644)); };  # flat-file entries from Epilog (update.log), one file per host and day
# Assumed glue, not in the original snippet: a network source and a log path tying filter and destination together
source s_net { udp(port(514)); };
log { source(s_net); filter(h_prodnet); destination(d_local2); };


  • Syslog parsing

For the log file parsing I use SEC (the Simple Event Correlator) with a small custom rule set. As I am only interested in the update issues with Trend Micro, I created a single rule:
#Trendmicro related event
# Fires once per matching line; the TRENDMICRO; prefix identifies the forwarded update.log entries
type=Single
ptype=RegExp
pattern=TRENDMICRO;.*unable to complete.*
# %s in the action expands to this description
desc=Trendmicro update problem. Please review console log, stop services and empty all AU_temp directories, reboot server.
# Mails the description. To get at most one mail per hour instead of one per line, use type=SingleWithSuppress and add window=3600
action=pipe 'Trendmicro: %s' /usr/bin/mail -s "Trendmicro issue on package updates" youyou@nobody.test

That's it. Now I get spammed whenever OfficeScan encounters issues updating its local databases, and this happens way too often in my opinion.
