Agent configuration settings with environment variables

All agent configuration options that can be set in the configuration files (such as properties files in Java or ini files in Python) can instead be set by using the environment variables. When set through both environment variables and configuration files, options set with the environment variables will take precedence over the configuration file.

The Application Security environment variable names are prefixed with TREND_AP_. For example:

export TREND_AP_KEY=<your key>
export TREND_AP_SECRET=<your secret>
export TREND_AP_LOG_FILE=path/to/trend_app_protect.log
export TREND_AP_LOG_LEVEL=debug

All configuration options must be encoded with UTF-8, whether the values are provided in a local agent configuration or environment variables.

For all configuration keys listed, the key name must be prefixed with "trend_app_protect" on the PHP platform, in the PHP ini configuration file.

Agent credentials

  • Key: The unique key associated with the application group to protect. The key is obtained from the dashboard, for the group, in Group Settings > Group Credentials.

  • Secret: The unique secret associated with the application group to protect. The secret is obtained from the dashboard, for the group, in Group Settings > Group Credentials.

Configuration key Environment variable Description
Key TREND_AP_KEY Agent credentials Key, found on the dashboard in Group Settings > Group Credentials.
Secret TREND_AP_SECRET Agent credentials Secret, found on the dashboard in Group Settings > Group Credentials.

Agent logging

The agents can generate 2 types of logs:

  • Diagnostic logs. These are typically consulted to investigate or troubleshoot behaviors or issues with the Application Security agents.
  • Security logs (also known as defence logs). These include all security events detected and reported by the agent.
Configuration key Environment variable Description
log_file TREND_AP_LOG_FILE Agent diagnostic log file location. Valid values are: stderr, stdout, syslog or path to log file. Default value: log/trend_app_protect.log. Note that the location needs to have write permission.
log_level TREND_AP_LOG_LEVEL Agent diagnostic logging level. Valid values are: ERROR, WARN, INFO, DEBUG, TRACE Default value: INFO
defence.log_file TREND_AP_DEFENCE_LOG_FILE Security log file location. Default value is null, which disables security event logging. Note that the location needs to have write permission.
defence-json.log_file TREND_AP_DEFENCE_JSON_LOG_FILE Security events log file location. Default value is null, which disables security event logging. The log file generates JSON formatted sensor events generated by agents.

Java environment variables

Jetty

When using Jetty, export the following environment variable:

export JAVA_OPTIONS="${JAVA_OPTIONS} -javaagent:/full/path/to/trend_app_protect-X.X.X.jar -Dcom.trend.app_protect.config.file=path/to/trend_app_protect.properties"

Tomcat

When using the Tomcat web server, export the following environment variable:

export CATALINA_OPTS="${CATALINA_OPTS} -javaagent:/full/path/to/trend_app_protect-X.X.X.jar -Dcom.trend.app_protect.config.file=path/to/trend_app_protect.properties"

Netty

When using the Netty server, export the following environment variable:

export JAVA_OPTS="$JAVA_OPTS -javaagent:lib/trend_app_protect.jar -Dcom.trend.app_protect.config.file=trend_app_protect.properties"

WebSphere

When using the WebSphere server, the javaagent JVM option adding the Application Security agent jar file is configured in the Generic JVM options

-javaagent:lib/trend_app_protect.jar

.NET environment variables

Environment variable Value Comments
CORECLR_ENABLE_PROFILING 1 The value must always be 1 for the agent to function.
CORECLR_PROFILER {a51743a9-9e05-4a9f-adcd-d39aa322615a} The value must always be the guid in this table, for the .NET agent
CORECLR_PROFILER_PATH <installation_directory>/bin/libTrendAppProtectProfiler-x64-linux.so For example, /usr/local/trend_app_protect_netcore/bin/libTrendAppProtectProfiler-x64-linux.so
TREND_AP_CONFIG_FILE <installation_directory>/TrendAppProtect.config For example, /usr/local/trend_app_protect_netcore/TrendAppProtect.config