DocumentationRelease Notes
Log In
Documentation

Trellix DXL Event Forwarding

Suggest Edits

Configure Trellix DXL event forwarding

The communication between BeyondInsight and the Trellix Data Exchange Layer (DXL) is managed by the BeyondTrust DXL Broker Service. This service is installed as an additional component to the main BeyondInsight installation and facilitates the brokering of events from BeyondInsight to the DXL fabric. Along with this service, the BeyondInsight instance must have a Trellix Agent and DXL Client installed to communicate with your Trellix DXL Broker instance. Within your Trellix ePO instance, you will need to ensure that the Trellix Agent and DXL Client installed on the BeyondInsight instance are configured for proper communication between BeyondInsight and ePO via the DXL fabric.

Installation and configuration overview

  1. Install the Trellix Agent 5.5. on the BeyondInsight instance.
  2. On the Trellix ePO instance:
    • Deploy the DXL Client to the BeyondInsight instance.
    • Configure the BeyondInsight event topics.
  3. On the BeyondInsight instance:
    • Verify the Trellix Agent and DXL Client connectivity.
    • Install the BeyondInsight DXL Broker service.
    • Configure a Trellix Event Forwarding connector within the BeyondInsight management console.
    • Verify the installation and configuration.

Install the Trellix Agent

On the BeyondInsight instance, follow the steps below to install the Trellix Agent.

ℹ️

Note

If you cannot push the Trellix Agent from the ePO admin console due to firewall or other restrictions, you can install the agent manually by copying the installer to the BeyondInsight instance and then manually running the installer.

  1. Locate and run the Trellix Agent installer on the BeyondInsight instance. You must use the installer specific to your Trellix ePO instance. For example, it may be located at:

    C:\Program Files (x86)\Trellix\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3000\Install\0409\FramePkg.exe

  2. Copy the FramePkg.exe file to the BeyondInsight instance and run the installer.

  3. Verify the installation by looking at the system tray for the Trellix icon.

Deploy the DXL Client to the BeyondInsight instance

  1. On the Trellix ePO instance, deploy the a DXL Client to the BeyondInsight instance using a Client Task from within the ePO administration console.
  2. Create a DXL Client Task.
  3. Select Menu > Client Task Catalog.
  4. Under Trellix Agent > Product Deployment, click New Task and then select the following:
    • Task Name: Deploy DXL Client
    • Target Platforms: Check Windows
    • Products and components: Data Exchange Layer Client 4.0+, action=Install, ...
  5. Click Save.
  6. Deploy the DXL Client to the BeyondInsight instance.
  7. Select Menu > Systems > Locate.
  8. Find the BeyondInsight instance to view the server's detail page.
  9. From the Actions list, select Agent > Run Client Task Now.
  10. Locate the Deploy DXL Client task created above.
  11. Select Trellix Agent > Product Deployment > Deploy DXL Client.
  12. Click Run Task Now.

Configure the BeyondInsight event topics

On the Trellix ePO instance, create topic subscriptions for the BeyondInsight categories you wish to receive.

Open the ePO administration console, and then navigate to the SIA DXL Task and to the BeyondInsight topics of interest:

TopicPath
Appliance Health/beyondtrust/event/beyondinsight/genapphlth
Clarity/beyondtrust/event/beyondinsight/clarity_mlwr
File Integrity Monitoring/beyondtrust/event/beyondinsight/fim
PBMac/beyondtrust/event/beyondinsight/pbmac
PBPS/beyondtrust/event/beyondinsight/pbps
PBW - Events/beyondtrust/event/beyondinsight/pbw
PBW - Vulnerabilities/beyondtrust/event/beyondinsight/pbw_vulnerability
Retina/beyondtrust/event/beyondinsight/retina
Uncategorized Events/beyondtrust/event/beyondinsight/uncategorized
Test Events/beyondtrust/event/beyondinsight/test

Verify the Trellix Agent and DXL Client connectivity

After the MacAfee Agent and DXL Clients are successfully installed, verify the connectivity on the BeyondInsight server by opening the system tray Trellix icon About section. It should list the Trellix Agent as running and connected and the DXL Client as running and connected.

ℹ️

Note

The DXL Client might not be in a connected state until BeyondInsight DXL Broker service is installed and running.

Run the BeyondInsight DXL Broker Service installer

  1. Run the BeyondInsightDXLMessageBroker.msi installer from an elevated command prompt and go through the installation steps. Admin privileges are required to enable the MSMQ Windows feature.
  2. An MSMQ Windows feature is enabled with a default DXL events (outbound) queue. This can be managed in the following location: Computer > Manage > Services and Applications > Message Queue.

ℹ️

Note

By default this queue is not accessible by the admin. In order to manage this queue, refer to the steps below.

  1. The installer deploys the BeyondInsight DXL Broker service, along with the service configuration, logs, and utilities to the following location: C:\Program Files\BeyondInsight\DXL Broker Service.
  2. To view and manage the private queues, an admin user might need to do the following:
    • Take ownership of the queue through Properties > Security > Advanced button > Owner.
    • Change the owner to an admin user.
    • Add the admin user to Users and Groups for the queue and assign full control access.
    • Ensure that the Trellix system tray indicates that the DXL Client is connected.

Create the BeyondInsight DXL event forwarding connector

  1. In BeyondInsight, go to Configuration > General > Connectors.

  2. From the Connectors pane, click Create New Connector.

  3. Enter a name for the connector.

  4. Select Trellix DXL Event Forwarding from the Connector Type list.

  5. Click Create Connector.

  6. Leave Active (yes) enabled.

  7. Expand Event Filters, and then select event types to forward.

  8. Click Test Connector to send a test event message. Within ePO, verify that the Test topic has received the test event message.

  9. Click Create Connector.

Troubleshoot issues with Trellix DXL connector

Trellix Agent or DXL Client not showing as connected

After installing the Trellix Agent and DXL Client, a machine reboot might be required to register the new software.

Trellix Agent icon not showing in the system tray

  1. Open the Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  3. Delete the TrellixUpdaterUI entry.
  4. Create a new value named TrellixUpdaterUI with value of C:\Program Files\Trellix\Agent\x86\UpdaterUI.exe /StartedFromRunKey.
  5. Restart the machine. The Trellix icon is displayed in the system tray.

BeyondTrustDXLMessageBroker installer fails

To debug installer issues, you can execute the installer with the following command:

<path to your installer>\msiexec /i BeyondInsightDXLMessageBroker.msi /l*v MyLogFile.txt

A 1603 Error Code often indicates that the installer is not being executed with sufficient privileges to enable the MSMQ Windows feature.

BeyondTrust DXL Message Broker service cannot be restarted or removed

If necessary, to forcibly remove a stuck service (and subsequently re-install the service), use the following command:

sc delete BeyondInsightDXLMessageBroker

Location of log files

  • BeyondInsight Message Broker logs are located here by default:

    C:\Program Files\BeyondTrust\DXL Message Broker\Logs

  • Trellix Agent and DXL Client logs are located here by default:

    C:\ProgramData\Trellix\Agent\logs

    C:\ProgramData\Trellix\Data_Exchange_Layer

Updated 5 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.