Skip to content
Find out how we support MDR.

Trend Micro Apex Central

Log collector

Adds notifications from Trend Micro Apex Central, a centralized management console for Trend Micro security products, to the Sophos Data Lake.

You can integrate Apex Central with Sophos Central so that it sends audit data to Sophos for analysis.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.


A VM can host integrations for multiple products, but can't host more than one integration of the same product.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure Apex Central to send data to the log collector.

Add an integration

To integrate Apex Central with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.
  2. Click Trend Micro Apex Central.

    If you've already set up connections to Apex Central, you see them here.

  3. Click Add integration.


    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps you configure your VM to receive data from Apex Central. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the VM.
  3. Select the virtual platform. (Currently we only support VMware).
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.


      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure Apex Central to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It may take a few minutes for the OVA file to be ready for download.

Deploy the VM


The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure Apex Central

Now configure Apex Central to send audit data to the VM, as follows:

  1. Go to Detections > Notifications > Notification Method Settings.
  2. In the Syslog Settings section, enter the following:

    • Server IP address: Type the IPv6 or IPv4 address of the syslog server.
    • Port: The port number of the syslog server.
    • Facility: Select the facility code.
  3. Click Save.

Turn on syslog forwarding

We use syslog forwarding to send data to the Sophos log collector.

To forward syslog traffic, do as follows:

  1. Log in to Apex Central console using an Administrator account.
  2. Go to Administration > Settings > Syslog Settings.
  3. Select Enable syslog forwarding.
  4. Configure the following settings:

    • Server address: FQDN or IP address of the VM hosting your Sophos log collector.
    • Port: Enter the port number of your Sophos log collector.
    • Protocol: Select TCP or UDP. Choose the same one that you set up for your log collector.
  5. Select CEF as the log format:

  6. Select the log types to forward:

    1. Select a log category from the Log type drop-down list:

      • Security logs
      • Product information
    2. Select the check boxes for the logs you want to forward. Apex Central shows the total number of selected log types next to the Log type list.

    3. You can select another log category from Log type dropdown list.
  7. Click Test Connection to test the server connection. The syslog server connection status appears at the top of the screen.

  8. Click Save.

    Apex Central starts forwarding logs to your log collector. The data should appear in the Sophos Data Lake after validation.

    To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.

More information