01-25-2023 07:45 AM - edited 01-25-2023 07:48 AM
How the record “<Noti:FBD.MAClocking.FirstArrvLrmtExcd>” is sent to the SITE ENGINE and then to another SIEM server (QRADAR)
Greetings,
I am trying to send the “<Noti:FBD.MAClocking.FirstArrvLrmtExcd>” alert to the SITE ENGINE and then, from the SITE ENGINE, to send only that notification to a QRADAR SIEM server.
The switches are linked to the "SITE ENGINE" and the logs generated by the switches are being recorded.
The switches have “mac-locking log rape” enabled and the notification appears in the log: “<Noti:FBD.MAClocking.FirstArrvLrmtExcd> MAC address XX:XX:XX:XX:XX:XX not learned on port 2:11 since the Mac address learning limit has been exceeded”, so far everything is fine from the switch.
But in the "SITE ENGINE" the notification does not appear. So, is any additional configuration required in the SITE ENGINE or on the switch for <Noti:FBD.MAClocking.FirstArrvLrmtExcd> logging?
And after solving that in the SITE ENGINE, how should that log be sent to another SIEM server?
I saw several options in the SITE ENGINE manual: creating alerts, creating notifications, or creating events. But how should I select which log is the one I want to send to the SIEM?
Thank you.
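As an added example (not part of the original post or of any vendor product), the following Python filter picks the <Noti:FBD.MAClocking.FirstArrvLrmtExcd> records out of a mixed stream of switch log lines, using the message format quoted above, extracts the MAC address and port, and normalizes each match into a LEEF line, the key=value format QRadar ingests over syslog. The sample log lines and the vendor/product/version header values are constructed placeholders.

```python
import re

EVENT_ID = "FBD.MAClocking.FirstArrvLrmtExcd"

# Constructed sample lines: two MAC-locking notifications and one unrelated record.
SAMPLE_LOGS = [
    "<Noti:FBD.MAClocking.FirstArrvLrmtExcd> MAC address 00:11:22:33:44:55 "
    "not learned on port 2:11 since the Mac address learning limit has been exceeded",
    "<Info:System.userLogin> Login passed for user admin through ssh (10.0.0.5)",
    "<Noti:FBD.MAClocking.FirstArrvLrmtExcd> MAC address AA:BB:CC:DD:EE:FF "
    "not learned on port 1:3 since the Mac address learning limit has been exceeded",
]

# Matches the record format from the post: <Severity:EventId> MAC address <mac> not learned on port <port> ...
MACLOCK_RE = re.compile(
    r"<(?P<sev>\w+):(?P<event>" + re.escape(EVENT_ID) + r")>\s+"
    r"MAC address (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"not learned on port (?P<port>\S+)"
)


def parse_maclock(line):
    """Return a dict for a MAC-locking limit-exceeded record, or None for any other line."""
    m = MACLOCK_RE.search(line)
    if not m:
        return None
    return {
        "event": m["event"],
        "severity": m["sev"],
        "mac": m["mac"].lower(),  # normalize case so the SIEM can correlate on the MAC
        "port": m["port"],
    }


def select_for_siem(lines):
    """Keep only the MAC-locking records; everything else stays out of the SIEM feed."""
    return [ev for ev in (parse_maclock(line) for line in lines) if ev is not None]


def to_leef(event, vendor="ExampleVendor", product="ExampleSwitch", version="1.0"):
    """Format one parsed event as LEEF 1.0: pipe-separated header, tab-separated attributes.
    Vendor/product/version are placeholders (assumption), to be set per deployment."""
    attrs = "\t".join(
        f"{k}={v}" for k, v in (("sev", event["severity"]), ("srcMAC", event["mac"]), ("port", event["port"]))
    )
    return f"LEEF:1.0|{vendor}|{product}|{version}|{event['event']}|{attrs}"


if __name__ == "__main__":
    for ev in select_for_siem(SAMPLE_LOGS):
        print(to_leef(ev))
```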