Contextual Intelligence Publishing - Syslog Overview

Overview

Contextual Intelligence Publisher (CIP) can be configured to export syslog data in CEF, LEEF and Key-Value formats. This lets a syslog collector correlate the data it already holds with device data from MetaAccess NAC.

Configure the Syslog collector

On the syslog collector system, configure the MetaAccess NAC Policy Manager IP address as a permitted syslog source. Collectors that accept messages from any source cannot tell a genuine NAC event from a spoofed one, so restrict the allowed senders to the Policy Manager.

Configure CIP

Once the Syslog Collector has been configured, navigate to the MetaAccess NAC Configuration at https://portal.myweblogon.com:8443/manage (portal.myweblogon.com can be replaced by the manager IP or a branded URL) and choose “Contextual Intelligence.” Click on “Add” and enter the following information:

  • Publisher: Syslog
  • Name: A name describing where CIP is publishing data.
  • Host: IP address of the syslog collector.
  • Port: Listen port of the syslog collector.
  • Facility: Any facility the syslog collector accepts; together with Level it forms the priority (PRI) of each message.
  • Level: Any level the syslog collector accepts.
  • Format: The format best suited to your syslog collector (Key-Value, LEEF or CEF; see the field definitions below).

Once finished, click “Submit” and continue to the next section to verify the integration.
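A quick way to check the two steps above end to end is a throwaway UDP listener that only accepts datagrams from the Policy Manager and decodes the syslog priority back into facility and level, so the values you chose in the CIP form can be compared with what actually arrives. The following is an added example, not OPSWAT code; the Policy Manager address 192.0.2.10 and port 5514 are constructed placeholders, and it assumes the publisher emits classic "<PRI>..." syslog datagrams over UDP.

```python
"""Minimal UDP syslog receiver for verifying a CIP syslog publisher end to end.

Added example, not OPSWAT code. Assumes classic "<PRI>..." syslog datagrams
over UDP. The Policy Manager address and the listen port are constructed
placeholders; substitute the values configured in the steps above.
"""
import re
import socket
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Only the Policy Manager may feed this receiver (mirrors the collector allowlist step).
ALLOWED_SOURCES = [ip_network("192.0.2.10/32")]  # constructed placeholder
LISTEN_PORT = 5514                                # constructed placeholder

# Facility (PRI >> 3) and severity (PRI & 7) names from RFC 3164 / RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.DOTALL)


def source_allowed(addr: str) -> bool:
    """True if the sender address lies inside one of the allowed networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCES)


def decode_pri(datagram: bytes) -> Optional[Dict[str, str]]:
    """Split "<PRI>rest" into facility, severity and the remaining message text."""
    m = _PRI.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23, severity 7 is the largest valid PRI
        return None
    return {"facility": FACILITIES[pri >> 3],
            "severity": SEVERITIES[pri & 7],
            "message": m.group(2).decode("utf-8", "replace")}


def handle(addr: str, datagram: bytes) -> Optional[Dict[str, str]]:
    """Drop datagrams from unexpected senders or with a malformed PRI; otherwise decode."""
    if not source_allowed(addr):
        return None
    return decode_pri(datagram)


def serve(port: int = LISTEN_PORT) -> None:
    """Print every accepted message so Facility, Level and Format can be checked by eye."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (addr, _) = sock.recvfrom(65535)
            rec = handle(addr, data)
            if rec is None:
                print(f"dropped datagram from {addr}")
                continue
            print(f"{addr} {rec['facility']}.{rec['severity']}: {rec['message']}")


if __name__ == "__main__":
    serve()
```

Run it on the collector host (or any host you temporarily point the CIP Host/Port fields at), trigger a login or compliance change on a managed device, and confirm that the printed facility and severity match the Facility and Level you entered; datagrams from any other source are reported as dropped rather than decoded.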

Syslog Sample Outputs

Key-Value Format (Splunk Compatible):

LEEF Format (QRadar compatible, tab delimited):

CEF Format (ArcSight compatible, space delimited):

Field Definitions and Descriptions

Each field is listed by its Key-Value name, followed by the LEEF and CEF names of the same field and its description.

clientId (LEEF: clientId; CEF: suid)
  The id of the client record in the MetaAccess NAC database.

currentIp (LEEF: src; CEF: src)
  The IP address of this client as seen from the network.

localIp (LEEF: localIp; CEF: localIp)
  The IP address of this client as reported by the MetaAccess NAC policy key, if it is installed. This may differ from ‘currentIp’ if the client is behind a NAT device.

macAddress (LEEF: srcMAC; CEF: smac)
  The MAC address of the client.

machineName (LEEF: machineName; CEF: machineName)
  The machine name of the client.

hostRefType (LEEF: hostRefType; CEF: hostRefType)
  A string describing the type of device. Values can be one of:

  • Android
  • Apple Mobile
  • BlackBerry
  • ChromeOS
  • iPad
  • Linux
  • MAC
  • Media
  • Microsoft Gaming Device
  • Miscellaneous
  • Nintendo Gaming Device
  • Nokia Mobile
  • Palm
  • PC
  • Sony Gaming Device
  • Windows Mobile
  • VoIP Phone

policyGroup (LEEF: policyGroup; CEF: policyGroup)
  The name of the policy group this client belongs to, as configured in the MetaAccess NAC policy manager.

deviceAttributes (no LEEF or CEF name is listed for this field)
  An array of strings representing any device attributes associated with the client. A device attribute is represented in the string as “SOURCE:NAME:VALUE” (for example, a client with a device attribute from ‘ActiveDirectory’ with name ‘Domain’ and value ‘opswat’ would be represented as “ActiveDirectory:Domain:opswat”).

username (LEEF: usrName; CEF: suser)
  The username this client is authenticated with. This is identical to the first entry in the ‘principal’ field.

roles (LEEF: role; CEF: roles)
  Each entry is a string role name, identical to the roles reported following the username in the ‘principal’ field.

complianceState (LEEF: complianceState; CEF: complianceState)
  Either ‘compliant’ or ‘not compliant’.

failedPolicy (LEEF: failedPolicy; CEF: failedPolicy)
  The name of a policy that is causing the device to be ‘not compliant’.

eventType (LEEF: eventType; CEF: eventType)
  The type of event that caused the message to be sent:

  • Login
  • Logout
  • Authentication
  • complianceChange
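Because the same field carries a different name in each format (src versus currentIp, suid versus clientId, usrName versus suser, and so on), anything that consumes these messages should map all three formats onto one schema before writing detection or correlation logic against them. The parser below does that for Key-Value, LEEF and CEF payloads using the name table above. It is an added example, not OPSWAT code: the three sample lines are constructed from the field definitions on this page, and the vendor, product and version header values, the CEF event name, and the comma separator assumed between multiple deviceAttributes entries are assumptions rather than documented output.

```python
"""Parse CIP syslog payloads in all three formats into one record shape.

Added example, not OPSWAT code. The sample lines are constructed from the
field table on this page; header vendor/product/version values, the CEF event
name and the comma separator assumed between deviceAttributes entries are
assumptions, not documented output.
"""
import re
import shlex
from typing import Dict, Iterable, List, Tuple

# LEEF and CEF field names that differ from the Key-Value names (from the table above).
LEEF_TO_KV = {"src": "currentIp", "srcMAC": "macAddress", "usrName": "username", "role": "roles"}
CEF_TO_KV = {"suid": "clientId", "src": "currentIp", "smac": "macAddress", "suser": "username"}

# Constructed samples: one compliance-change event rendered three ways.
SAMPLE_KV = ('eventType=complianceChange clientId=1234 currentIp=10.1.2.3 localIp=192.168.1.20 '
             'macAddress=00:11:22:33:44:55 machineName=LAPTOP-01 hostRefType=PC '
             'policyGroup="Corporate Laptops" username=jdoe roles=staff '
             'complianceState="not compliant" failedPolicy="Antivirus Running" '
             'deviceAttributes="ActiveDirectory:Domain:opswat"')
SAMPLE_LEEF = ("LEEF:1.0|OPSWAT|MetaAccess NAC|1.0|complianceChange|"
               "clientId=1234\tsrc=10.1.2.3\tlocalIp=192.168.1.20\tsrcMAC=00:11:22:33:44:55\t"
               "machineName=LAPTOP-01\thostRefType=PC\tpolicyGroup=Corporate Laptops\t"
               "usrName=jdoe\trole=staff\tcomplianceState=not compliant\t"
               "failedPolicy=Antivirus Running\teventType=complianceChange")
SAMPLE_CEF = ("CEF:0|OPSWAT|MetaAccess NAC|1.0|complianceChange|Compliance Change|5|"
              "suid=1234 src=10.1.2.3 localIp=192.168.1.20 smac=00:11:22:33:44:55 "
              "machineName=LAPTOP-01 hostRefType=PC policyGroup=Corporate Laptops suser=jdoe "
              "roles=staff complianceState=not compliant failedPolicy=Antivirus Running "
              "eventType=complianceChange")

_PIPE = re.compile(r"(?<!\\)\|")                               # header separator unless escaped
_CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.DOTALL)  # values may contain spaces


def _unescape(s: str) -> str:
    return s.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_kv(line: str) -> Dict[str, str]:
    """Splunk-style key=value pairs; shlex keeps a quoted value with spaces as one token."""
    out: Dict[str, str] = {}
    for tok in shlex.split(line):
        key, sep, val = tok.partition("=")
        if sep:
            out[key] = val
    return out


def parse_leef(line: str) -> Dict[str, str]:
    """LEEF 1.0 is tab delimited; LEEF 2.0 names its delimiter in a sixth header field."""
    body = line[line.index("LEEF:"):]
    if body[5:body.index("|")].startswith("2."):
        hdr = _PIPE.split(body, maxsplit=6)
        spec, attrs = hdr[5].lower(), hdr[6]
        delim = chr(int(spec.split("x", 1)[1], 16)) if spec.startswith(("x", "0x")) else (hdr[5] or "\t")
    else:
        hdr = _PIPE.split(body, maxsplit=5)
        delim, attrs = "\t", hdr[5]
    out = {"leef_vendor": _unescape(hdr[1]), "leef_product": _unescape(hdr[2]),
           "leef_version": hdr[3], "leef_event_id": hdr[4]}
    for pair in attrs.split(delim):
        key, sep, val = pair.partition("=")
        if sep:
            out[LEEF_TO_KV.get(key, key)] = val
    return out


def parse_cef(line: str) -> Dict[str, str]:
    """CEF: seven pipe-separated header fields, then space-separated key=value extensions."""
    body = line[line.index("CEF:"):]
    hdr = _PIPE.split(body, maxsplit=7)
    out = {"cef_vendor": _unescape(hdr[1]), "cef_product": _unescape(hdr[2]),
           "cef_version": hdr[3], "cef_event_class": hdr[4],
           "cef_name": _unescape(hdr[5]), "cef_severity": hdr[6]}
    for key, val in _CEF_EXT.findall(hdr[7]):
        out[CEF_TO_KV.get(key, key)] = _unescape(val)
    return out


def normalize(line: str) -> Dict[str, str]:
    """Detect the format (a syslog header may precede it) and key the record by Key-Value names."""
    if re.search(r"(?:^|\s)CEF:\d", line):
        rec, fmt = parse_cef(line), "cef"
    elif re.search(r"(?:^|\s)LEEF:\d", line):
        rec, fmt = parse_leef(line), "leef"
    else:
        rec, fmt = parse_kv(line), "kv"
    rec["format"] = fmt
    return rec


def parse_device_attributes(value: str) -> List[Tuple[str, str, str]]:
    """Split "SOURCE:NAME:VALUE" entries; a comma between entries is an assumption."""
    out = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        parts = item.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed device attribute: {item!r}")
        out.append((parts[0], parts[1], parts[2]))
    return out


def noncompliant(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose complianceState is 'not compliant', whatever the wire format was."""
    return [r for r in records if r.get("complianceState") == "not compliant"]
```

The CEF extension regex takes a value up to the next "space key=" boundary, which is the usual compromise for CEF values containing spaces; a value that itself contains such a boundary (for example a failedPolicy name written as "x=y") would be truncated, so check the collector's own CEF parser if that matters. Pipes, equals signs and backslashes escaped in the CEF and LEEF headers are unescaped before use.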