https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33289#M3611 Yes I did check that and there seems to be nothing leaving the nac appliance bound for the SIEM. However, I think I have everything selected that needs to be in order for it to send the data. Just very weird. Mon, 28 Oct 2013 19:20:00 GMT Jimmy_Payne1 2013-10-28T19:20:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33284#M3606 Does anyone have any hands on experience sending NAC events to a Mcafee SIEM receiver? It appears that everything is set correctly but I am not seeing events in my SIEM. Any help would be greatly appreciated. Sat, 19 Oct 2013 00:03:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33284#M3606 Jimmy_Payne1 2013-10-19T00:03:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33285#M3607 Did you use NAC notification configuration to send syslog events to your SIEM? Is there a way (tcpdump) to check whether those events are received on the SIEM appliance? If they are, it's probably a parsing issue or a matter of allowing events from NAC to be received. You can change the syslog messages' format/content in NAC's notification configuration ("overwrite content") or you might be able to change the parsing logic on the McAfee side. Sat, 19 Oct 2013 12:22:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33285#M3607 Kurt_Semba 2013-10-19T12:22:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33286#M3608 Hi Jimmy, Thanks for asking this question in our community as well as McAfee. Hopefully you can give Kurt some additional data to point you in the right direction. Mon, 21 Oct 2013 23:57:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33286#M3608 Tamera_Rousseau 2013-10-21T23:57:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33287#M3609 Hi Kurt Yes I did set those options in NAC and I did a tcpdump on my receiver to see if there were events coming in and there were none. So I am still stumped on that whole deal. Sorry for the late reply. We had some crazy stuff going on around here this week. Fri, 25 Oct 2013 20:36:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33287#M3609 Jimmy_Payne1 2013-10-25T20:36:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33288#M3610 Hey Jimmy, So it seems as either NetSight is not sending the data or something like a firewall is blocking the data before it hits the SIEM. To validate whether the syslog messages are leaving the NetSight appliance, use tcpdump or wireshark (usually udp port 514). Sat, 26 Oct 2013 19:58:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33288#M3610 Kurt_Semba 2013-10-26T19:58:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33289#M3611 Yes I did check that and there seems to be nothing leaving the nac appliance bound for the SIEM. However, I think I have everything selected that needs to be in order for it to send the data. Just very weird. Mon, 28 Oct 2013 19:20:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33289#M3611 Jimmy_Payne1 2013-10-28T19:20:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33290#M3612 If you configure to forward all NAC end-system events within the Notification Engine in NAC Manager then you should see the events going out of the NetSight (!) appliance, not the NAC appliance. If that still doesn't work, I'd suggest to open a ticket with GTAC so they can gather more data and fix your issue. Thanks Kurt Mon, 28 Oct 2013 19:27:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33290#M3612 Kurt_Semba 2013-10-28T19:27:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33291#M3613 Ok. Well I checked the appliance and not the Netsight server. Mon, 28 Oct 2013 19:36:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33291#M3613 Jimmy_Payne1 2013-10-28T19:36:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33292#M3614 Hi, just another tip/hint. Did you configure SMTP server in Netsight? tools -> options? Zdenek Fri, 01 Nov 2013 00:54:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-events-to-thrid-party-siem/m-p/33292#M3614 Zdeněk_Pala 2013-11-01T00:54:00Z