
UDLA - McAfee Network Access Control

McAfee NAC stores its event logs in a Microsoft SQL database, which is typically included on the McAfee NAC server. Collection from a Microsoft SQL database requires:

  • Universal Database Log Adapter (UDLA) Log Source
  • LogRhythm Agent to collect the logs
  • Access to the Microsoft SQL database that McAfee NAC uses for storing event logs


Identify and note the following prior to configuration:

  • The Microsoft SQL Database Server IP address and host name used by McAfee NAC.
  • The user account and password LogRhythm uses for accessing the McAfee NAC log data on the Microsoft SQL Database Server, if necessary.
  • The LogRhythm System Monitor Agent used to collect the logs from McAfee NAC.

Configure McAfee NAC

An account that the LogRhythm agent can use to access the McAfee NAC Microsoft SQL database must be available. This can be the default sa account, an account created with administrator access to be used for LogRhythm, or domain credentials.
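A narrower alternative to sa or an administrator account, shown here as an added example that is not part of the LogRhythm guide: a dedicated SQL login with read-only access to the NAC database. The login name, password and database name are placeholders, and the example assumes that read access is all the imported UDLA queries need.

```sql
-- Added example: dedicated read-only login for the LogRhythm System Monitor Agent.
-- logrhythm_udla, the password and NAC_EVENT_DB_PLACEHOLDER are placeholders
-- (assumptions); substitute the values from your own deployment.

USE [master];
GO

-- SQL authentication login with the Windows password policy enforced.
CREATE LOGIN [logrhythm_udla]
    WITH PASSWORD = N'<REPLACE_WITH_STRONG_PASSWORD>',
         CHECK_POLICY = ON;
GO

-- Domain-credential variant (use instead of the SQL login above):
-- CREATE LOGIN [DOMAIN_PLACEHOLDER\svc_logrhythm] FROM WINDOWS;

-- Map the login into the database that McAfee NAC uses for event logs.
USE [NAC_EVENT_DB_PLACEHOLDER];
GO

CREATE USER [logrhythm_udla] FOR LOGIN [logrhythm_udla];
GO

-- Read-only: membership in db_datareader allows SELECT on all user tables.
-- sp_addrolemember also works on the older SQL Server releases this
-- driver generation targets.
EXEC sp_addrolemember N'db_datareader', N'logrhythm_udla';
GO

-- Check: list the effective database-level permissions of the new user.
EXECUTE AS USER = 'logrhythm_udla';
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

If the UDLA Test step later fails with a permissions error under this account, the imported configuration needs access beyond plain reads; grant only the specific object it names.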

Configure the ODBC Driver for McAfee NAC

McAfee NAC logs are accessed by LogRhythm via an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.

  • Name. SQL Server
  • Company Name. Microsoft Corporation
  • Version. 2000.85.1132.00
  • Date. 4/13/2008
  • Download Location. Pre-installed

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. You must use a LogRhythm System Monitor to collect the logs. The System Monitor does not need to reside on the McAfee NAC server, but it must be able to establish a network ODBC (Open Database Connectivity) connection.

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

Before you begin, download the McAfee NAC XML configuration file. You will import this file later to populate the UDLA configuration fields for the Log Source.

The name of the log message source is UDLA - McAfee Network Access Control. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the UDLA Settings tab, enter the following:
    • Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.

      In the Connection String box, replace the placeholder values with those that match your deployment.

    • To validate the current settings, click Test.
      If the test fails, verify the connection settings and that all values were entered correctly.
    • When the test passes, close the Test dialog box.