
How to configure Deep Security/Workload Security syslog settings using the API?

According to https://automation.deepsecurity.trendmicro.com/article/20_0/api-reference/tag/System-Settings#operation/modifySystemSettings, the following code

import deepsecurity

# api_instance is a deepsecurity.SystemSettingsApi built from a configured ApiClient
value = deepsecurity.SettingValue('1')  # ID of an existing syslog configuration
system_settings = deepsecurity.SystemSettings(platform_setting_syslog_config_id=value)
api_response = api_instance.modify_system_settings(system_settings, 'v1')

gives the ability to modify platformSettingSyslogConfigId, changing the syslog server configuration profile, but how do I configure the actual syslog server IP, port, protocol (UDP/TCP), syslog facility and format (CEF/LEEF)?

I want my Python script to configure syslog to point to a particular host running rsyslogd using only the API, i.e. without opening the Web Console.

medelist

1 Answer


I believe the answer you are looking for is in the Create a Syslog Configuration section of the API documentation.

As of today, this method is not present in the Python SDK, so it will have to be invoked manually.

Something like the following -- which makes use of the requests Python module -- may work for you:

import requests

# define credentials
API_KEY = "<YOUR_API_KEY>"
# base URL of the manager, e.g. https://<dsm-host>:4119 for Deep Security
MANAGER_ADDRESS = "<C1WS_OR_DS_ENDPOINT>"

# init required headers -- keep only the ONE auth header your product expects
headers = {
    # for Cloud One Workload Security
    "Authorization": f"ApiKey {API_KEY}",
    # for DS:
    "api-secret-key": API_KEY,

    "api-version": "v1",
    "Content-Type": "application/json",
}

# define syslog configuration
payload = {
    # main options
    "name": "<YOUR_SYSLOG_NAME>",
    "description": "<YOUR_SYSLOG_DESCRIPTION>",
    "hostName": "<YOUR_SYSLOG_ENDPOINT>",
    "port": 514,
    "transport": "udp",    # "tcp" | "udp"
    # kernel|user|mail|daemon|authorization|syslog|printer|news|uucp|clock|authpriv|ftp|ntp|log-audit|log-alert|cron|local0|local1|local2|local3|local4|local5|local6|local7
    "facility": "local0",
    "eventFormat": "cef",  # "standard" | "cef" | "leef"

    # additional options (True | False)
    "agentDirectForwarding": False,
    "includeTimezone": False,
    # optional, set only when you need them:
    # "privateKey": "<string>",
    # "certificateChain": ["<string>"],
    # "sourceIdentifier": "<string>",
}

# make post request to the Syslog Configurations endpoint of the manager
response = requests.request(
    method="POST",
    url=f"{MANAGER_ADDRESS}/api/syslogconfigurations",
    headers=headers,
    json=payload,  # json= sends the dict as JSON; data= would form-encode it
    # for DS with a self-signed manager certificate; better: verify="/path/to/dsm-ca.pem"
    verify=False,
    timeout=30,
)
response.raise_for_status()

# the returned ID is the value to hand to platformSettingSyslogConfigId
print(response.json()["ID"])
ajaxbits