NAC EVENTS to Third Party SIEM

Does anyone have any hands-on experience sending NAC events to a McAfee SIEM receiver? It appears that everything is set correctly, but I am not seeing events in my SIEM. Any help would be greatly appreciated.

Did you use NAC notification configuration to send syslog events to your SIEM? Is there a way (tcpdump) to check whether those events are received on the SIEM appliance? If they are, it's probably a parsing issue or a matter of allowing events from NAC to be received. You can change the syslog messages' format/content in NAC's notification configuration ("overwrite content") or you might be able to change the parsing logic on the McAfee side.
Hi Jimmy, Thanks for asking this question in our community as well as McAfee. Hopefully you can give Kurt some additional data to point you in the right direction.
Hi Kurt, yes, I did set those options in NAC, and I did a tcpdump on my receiver to see if there were events coming in, and there were none. So I am still stumped on that whole deal. Sorry for the late reply. We had some crazy stuff going on around here this week.
Hey Jimmy, So it seems that either NetSight is not sending the data or something like a firewall is blocking the data before it hits the SIEM. To validate whether the syslog messages are leaving the NetSight appliance, use tcpdump or Wireshark (usually UDP port 514).
Yes, I did check that, and there seems to be nothing leaving the NAC appliance bound for the SIEM. However, I think I have everything selected that needs to be in order for it to send the data. Just very weird.
If you configure forwarding of all NAC end-system events within the Notification Engine in NAC Manager, then you should see the events going out of the NetSight (!) appliance, not the NAC appliance. If that still doesn't work, I'd suggest opening a ticket with GTAC so they can gather more data and fix your issue. Thanks Kurt
Ok. Well, I checked the appliance and not the NetSight server.
Hi, just another tip/hint. Did you configure the SMTP server in NetSight? tools -> options? Zdenek