McAfee NAC stores its event logs in a Microsoft SQL database, which is typically included on the McAfee NAC server. Collection from a Microsoft SQL database requires:
- Universal Database Log Adapter (UDLA) Log Source
- LogRhythm Agent to collect the logs
- Access to the Microsoft SQL database that McAfee NAC uses for storing event logs
Identify and note the following prior to configuration:
- The Microsoft SQL Database Server IP address and host name used by McAfee NAC.
- The user account and password LogRhythm uses for accessing the McAfee NAC log data on the Microsoft SQL Database Server, if necessary.
- The LogRhythm System Monitor Agent used to collect the logs from McAfee NAC.
Configure McAfee NAC
An account that the LogRhythm agent can use to access the McAfee NAC Microsoft SQL database must be available. This can be the default sa account, an account created with administrator access to be used for LogRhythm, or domain credentials.
Configure the ODBC Driver for McAfee NAC
McAfee NAC logs are accessed by LogRhythm via an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.
- Name. SQL Server
- Company Name. Microsoft Corporation
- Version. 2000.85.1132.00
- Date. 4/13/2008
- Download Location. Pre-installed
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. You must use a LogRhythm System Monitor to collect the logs. The System Monitor does not need to reside on the McAfee NAC server, but it must be able to establish a network ODBC (Open Database Connectivity) connection.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the McAfee NAC XML configuration file. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA - McAfee Network Access Control. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
  - Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
  - In the Connection String box, replace the placeholder values with those that match your deployment.
- To validate the current settings, click Test. If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.
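When the Test step fails, the following pre-flight check, run on the System Monitor host, separates a network problem from a rejected login on the ODBC path described above. It is an added example, not LogRhythm or McAfee tooling; the server and database values are placeholders, and TCP port 1433 and the availability of Test-NetConnection on the host are assumptions.

```powershell
# Added example: pre-flight check of the ODBC path used by the UDLA log source.
# Run on the System Monitor host. All parameter defaults are placeholders.
param(
    [string]$Server   = '<nac-sql-server>',  # placeholder: SQL Server host name or IP noted earlier
    [string]$Database = '<nac-database>',    # placeholder: database holding the NAC event logs
    [int]$Port        = 1433,                # assumption: SQL Server default TCP port
    [switch]$SqlAuth                         # use a SQL login instead of Windows credentials
)

# Step 1: network reachability, so a firewall problem is not mistaken for a bad login.
$tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Error "Cannot reach ${Server}:$Port over TCP. Check routing and firewall rules."
    exit 1
}

# Step 2: build a connection string for the "SQL Server" ODBC driver named above.
$cs = "Driver={SQL Server};Server=$Server,$Port;Database=$Database;"
if ($SqlAuth) {
    # Prompt for the password so it is never stored in the script or shell history.
    $cred = Get-Credential -Message 'SQL login used by LogRhythm'
    $cs += "Uid=$($cred.UserName);Pwd=$($cred.GetNetworkCredential().Password);"
} else {
    $cs += 'Trusted_Connection=Yes;'
}

# Step 3: open the connection and run a read-only query that reports the effective identity.
$failed = $false
$conn = New-Object System.Data.Odbc.OdbcConnection($cs)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT SUSER_SNAME(), DB_NAME()'
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) { "Connected as $($reader.GetString(0)) to database $($reader.GetString(1))" }
    $reader.Close()
} catch {
    $failed = $true
    $ex = $_.Exception.GetBaseException()
    if ($ex -is [System.Data.Odbc.OdbcException]) {
        # ODBC errors carry a SQLSTATE, for example 28000 for a rejected login.
        foreach ($e in $ex.Errors) { Write-Error "SQLSTATE $($e.SQLState): $($e.Message)" }
    } else { Write-Error $ex.Message }
} finally {
    $conn.Dispose()
}
if ($failed) { exit 1 }
```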