Contextual Intelligence Publishing - Syslog Overview
Overview
Contextual Intelligence Publisher can be configured to export syslog data in CEF, LEEF and Key-Value formats. The syslog data will help to correlate data in a syslog collector with device data from MetaAccess NAC.
Configure the Syslog collector
On the Syslog collector system, configure the MetaAccess NAC Policy Manager IP as a valid source of Syslog.
Configure CIP
Once the Syslog Collector has been configured, navigate to the MetaAccess NAC Configuration at https://portal.myweblogon.com:8443/manage (portal.myweblogon.com can be replaced by the manager IP or a branded URL) and choose “Contextual Intelligence.” Click on “Add” and enter the following information:
- Publisher: Syslog
- Name: A name describing where CIP is publishing data.
- Host: IP address of the Syslog Collector
- Port: listen port of the Syslog Collector
- Facility: Can be set to whatever is preferred in the Syslog Collector
- Level: Can be set to whatever is preferred in the Syslog Collector
- Format: The format best suited to your Syslog Collector (CEF, LEEF or Key-Value)

Once finished, click “Submit” and continue to the next section to verify the integration.
Syslog Sample Outputs
Key-Value Format (Splunk Compatible):
LEEF Format (QRadar compatible, tab delimited):
CEF Format (ArcSight compatible, space delimited):
Field Definitions and Descriptions
Key-Value | LEEF | CEF | Description |
---|---|---|---|
clientId | clientId | suid | The id of the client record in the MetaAccess NAC database |
currentIp | src | src | The IP address of this client. This is the IP address of the device as seen from the network. |
localIp | localIp | localIp | The IP address of this client as reported by the MetaAccess NAC policy key, if it is installed. This may differ from the ‘currentIp’ if the client is behind a NAT device. |
macAddress | srcMAC | smac | The MAC address of the client |
machineName | machineName | machineName | The machine name of the client |
hostRefType | hostRefType | hostRefType | One of a list of strings describing the type of device. Values can be one of: |
policyGroup | policyGroup | policyGroup | The name of the policy group this client belongs to, as configured in the MetaAccess NAC policy manager |
deviceAttributes | | | An array of strings that represent any device attributes associated with the client. A device attribute is represented in the string as “SOURCE:NAME:VALUE” (for example, a client with a device attribute from ‘ActiveDirectory’ with name ‘Domain’ and value ‘opswat’ would be represented as “ActiveDirectory:Domain:opswat”). |
username | usrName | suser | The username this client is authenticated with. This is identical to the first entry in the ‘principal’ field. |
roles | role | roles | Each entry is a string role name, identical to the roles reported following the username in the ‘principal’ field |
complianceState | complianceState | complianceState | Will be either ‘compliant’ or ‘not compliant’ |
failedPolicy | failedPolicy | failedPolicy | Contains the name of a policy that is causing the device to be ‘not compliant’ |
eventType | eventType | eventType | The type of event that caused the packet to be sent: |
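As an added example (not OPSWAT's own code), the Python normaliser below maps LEEF and CEF field names onto the Key-Value names from the table above, so a collector can correlate CIP records whichever Format was chosen, and then lists hosts reported as ‘not compliant’. The header vendor/product values and the three sample payloads are constructed, and the CEF and LEEF 1.0 header layouts follow the public specifications of those formats rather than anything on this page.

```python
import re
# Per-format field name -> Key-Value name, taken from the field table above.
LEEF_TO_KV = {"src": "currentIp", "srcMAC": "macAddress", "usrName": "username", "role": "roles"}
CEF_TO_KV = {"suid": "clientId", "src": "currentIp", "smac": "macAddress", "suser": "username"}

# Space-delimited key=value pairs: a value runs until the next "key=" token,
# so values containing spaces (machine names, policy names) survive intact.
_SPACE_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cip_record(line):
    """Parse one CIP payload (Key-Value, LEEF 1.0 or CEF) into a dict keyed by Key-Value names."""
    if line.startswith("CEF:"):
        # CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
        parts = line.split("|", 7)
        if len(parts) != 8:
            raise ValueError("malformed CEF header")
        fields = {CEF_TO_KV.get(k, k): v for k, v in _SPACE_KV.findall(parts[7])}
        fields["_format"] = "cef"
    elif line.startswith("LEEF:"):
        # LEEF 1.0 header: LEEF:Version|Vendor|Product|Version|EventID|attrs (tab delimited)
        parts = line.split("|", 5)
        if len(parts) != 6:
            raise ValueError("malformed LEEF header")
        pairs = (p.split("=", 1) for p in parts[5].split("\t") if "=" in p)
        fields = {LEEF_TO_KV.get(k, k): v for k, v in pairs}
        fields["_format"] = "leef"
    else:
        # Key-Value format: no header, space-delimited pairs already using canonical names.
        fields = dict(_SPACE_KV.findall(line))
        fields["_format"] = "kv"
    return fields

def noncompliant_hosts(records):
    """Return (machineName, currentIp, failedPolicy) for every record marked 'not compliant'."""
    out = []
    for rec in map(parse_cip_record, records):
        if rec.get("complianceState") == "not compliant":
            out.append((rec.get("machineName"), rec.get("currentIp"), rec.get("failedPolicy")))
    return out

# Constructed sample payloads (hypothetical vendor/product header values, not real CIP output).
SAMPLES = [
    "clientId=101 currentIp=10.0.0.5 macAddress=00:11:22:33:44:55 machineName=LAB PC 1 "
    "username=alice complianceState=compliant eventType=ClientConnected",
    "LEEF:1.0|ExampleVendor|CIP|1.0|ClientUpdated|clientId=102\tsrc=10.0.0.6\tsrcMAC=00:11:22:33:44:66"
    "\tmachineName=LAB-PC-2\tusrName=bob\tcomplianceState=not compliant\tfailedPolicy=Antivirus Running",
    "CEF:0|ExampleVendor|CIP|1.0|100|Client Updated|5|suid=103 src=10.0.0.7 smac=00:11:22:33:44:77 "
    "machineName=LAB-PC-3 suser=carol complianceState=not compliant failedPolicy=Disk Encryption",
]
```

Running `noncompliant_hosts(SAMPLES)` returns the two non-compliant constructed hosts with the policy each failed, regardless of which format carried them.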