topic How is the record “&lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt; sent to the SITE ENGINE and then to SIEM in ExtremeSwitching (EXOS/Switch Engine) https://community.extremenetworks.com/t5/extremeswitching-exos-switch/how-is-the-record-lt-noti-fbd-maclocking-firstarrvlrmtexcd-gt/m-p/94509#M21734 <P>How the record “&lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt; is sent to the SITE ENGINE and then to another SIEM server (QRADAR)</P><P>Dear greetings:</P><P>I am trying to send the “&lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt;” alert to the SITE ENGINE and then from the SITE ENGINE to send only that notification to a SIEM QRADAR server.</P><P>The switches are linked in the "SITE ENGINE" and the LOGs generated by the switches are being recorded.</P><P>The switches have “mac-locking log rape” enabled and the notification appears in the log“ “&lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt; MAC address XX:XX:XX:XX:XX:XX not learned on port 2 :11 since the Mac address learning limit has been exceeded”, so far everything is fine from the switch.</P><P>But in the "SITE ENGINE" the notification does not appear. So, is there any additional configuration required in SITE ENGINE or switch for &lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt; logging?</P><P>And after solving that in the SITE ENGINE. How should that log be sent to another SIEM server?</P><P>I saw in the SITE ENGINE manual several options from creating alerts, another way is to create notifications or create events? But how should I select which LOG is the one I want to send to the SIEM?</P><P>thank you</P> Wed, 25 Jan 2023 15:48:01 GMT Gago626 2023-01-25T15:48:01Z How is the record “<Noti:FBD.MAClocking.FirstArrvLrmtExcd> sent to the SITE ENGINE and then to SIEM https://community.extremenetworks.com/t5/extremeswitching-exos-switch/how-is-the-record-lt-noti-fbd-maclocking-firstarrvlrmtexcd-gt/m-p/94509#M21734 <P>How the record “&lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt; is sent to the SITE ENGINE and then to another SIEM server (QRADAR)</P><P>Dear greetings:</P><P>I am trying to send the “&lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt;” alert to the SITE ENGINE and then from the SITE ENGINE to send only that notification to a SIEM QRADAR server.</P><P>The switches are linked in the "SITE ENGINE" and the LOGs generated by the switches are being recorded.</P><P>The switches have “mac-locking log rape” enabled and the notification appears in the log“ “&lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt; MAC address XX:XX:XX:XX:XX:XX not learned on port 2 :11 since the Mac address learning limit has been exceeded”, so far everything is fine from the switch.</P><P>But in the "SITE ENGINE" the notification does not appear. So, is there any additional configuration required in SITE ENGINE or switch for &lt;Noti:FBD.MAClocking.FirstArrvLrmtExcd&gt; logging?</P><P>And after solving that in the SITE ENGINE. How should that log be sent to another SIEM server?</P><P>I saw in the SITE ENGINE manual several options from creating alerts, another way is to create notifications or create events? But how should I select which LOG is the one I want to send to the SIEM?</P><P>thank you</P> Wed, 25 Jan 2023 15:48:01 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/how-is-the-record-lt-noti-fbd-maclocking-firstarrvlrmtexcd-gt/m-p/94509#M21734 Gago626 2023-01-25T15:48:01Z