TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Extreme NAC Event Logs | | | ✅ | ✅ | extreme_nac_event_logs | TEXT | S3 |
Overview
Extreme Networks Network Access Control (NAC) event logs, primarily managed within ExtremeCloud IQ - Site Engine (formerly Extreme Management Center), provide comprehensive visibility into network security, authentication, and end-system connectivity. The NAC Manager uses several distinct log views for troubleshooting and auditing, including "NAC Manager Events" for system-level errors and configuration changes, "End-Systems Activity" for tracking device connection attempts, and "NAC Appliance Events" to monitor RADIUS activity, reauthentications, and engine-specific logs (e.g., /var/log/tag.log). From version 7 onward, End System Event logs are written directly to the MySQL database and can be exported via the Administration tab, while older versions used files in the appdata/logs directory. These logs are crucial for security forensics, allowing administrators to track user logins, MAC addresses, and the specific timestamps of network access changes.
Supported data types
Extreme NAC Event Logs
Overview:
Extreme Networks Network Access Control (NAC) event logs, often managed via ExtremeCloud IQ Site Engine or Extreme Management Center, provide comprehensive visibility into network security, authentication, and policy enforcement. These logs, generally viewed within the NAC Manager's Event View, are categorized into several key areas: NAC Manager Events record system-level operations, configuration changes, and connectivity issues with engines; NAC Appliance Events detail RADIUS authentication successes/failures and reauthentication activity; and End-Systems Activity tracks specific user device connections. In newer versions, these end-system events are written directly to a MySQL database, which can be exported via the Administration tab for auditing purposes. The system also generates Audit Events for registration activities, such as when devices are added, removed, or expired via the captive portal. For deeper troubleshooting, diagnostic logs (e.g., tag.log, radius.log) can be accessed directly from the NAC engine CLI or WebView.
Table name: extreme_nac_event_logs
Send data to Hunters
Hunters supports the ingestion of Extreme NAC Event Logs via an intermediary AWS S3 bucket.
To connect Extreme NAC Event Logs:
Export your Extreme NAC Event Logs to an AWS S3 bucket.
Once the export is complete and the logs have been collected in S3, follow the steps in this section.
Expected format
Logs are expected in TEXT format:
```text
XIQ-SE End-System Trigger Any conditions Appliances=0.0.0.0'0.0.0.0 macAddress 00:00:00:00:00:00 macOUIVendor HP Inc. ipAddress 0.0.0.0 hostname host2 OS Windows 8/ 8.1/ 10/ 11/ 2012 switchNichName switch2 switchIP 0.0.0.0 switchPort 10122
```
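Because the TEXT line has no delimiters and several values contain spaces, a parser has to split at the known field names. The following is an added example (not Hunters' or Extreme's code) that parses the sample line above into fields and validates the ones you would pivot on; the field list and header layout are assumed from that single sample.

```python
import ipaddress
import re

# Sample line from the expected-format section above (values are the page's placeholders).
SAMPLE = ("XIQ-SE End-System Trigger Any conditions Appliances=0.0.0.0'0.0.0.0 "
          "macAddress 00:00:00:00:00:00 macOUIVendor HP Inc. ipAddress 0.0.0.0 "
          "hostname host2 OS Windows 8/ 8.1/ 10/ 11/ 2012 switchNichName switch2 "
          "switchIP 0.0.0.0 switchPort 10122")
# Field names in the order they appear; assumed from that one sample, extend as needed.
# Values may contain spaces ("HP Inc.", "Windows 8/ 8.1/ 10/ 11/ 2012"), so the line
# is split at the next known key rather than at every whitespace run.
KEYS = ["macAddress", "macOUIVendor", "ipAddress", "hostname", "OS",
        "switchNichName", "switchIP", "switchPort"]
_SPLIT_RE = re.compile(r"\s+(?=(?:%s)\s)" % "|".join(map(re.escape, KEYS)))
_HEAD_RE = re.compile(r"^(?P<source>\S+)\s+(?P<event>End-System Trigger)\s+"
                      r"(?P<conditions>.+?)\s+Appliances=(?P<appliances>\S+)$")

def parse_nac_event(line: str) -> dict:
    """Split one end-system trigger line into a flat dict of raw string fields."""
    head, *pairs = _SPLIT_RE.split(line.strip())
    m = _HEAD_RE.match(head)
    if not m:
        raise ValueError("unrecognised event header: %r" % head)
    record = m.groupdict()
    for pair in pairs:
        key, _, value = pair.partition(" ")
        record[key] = value.strip()
    missing = [k for k in KEYS if k not in record]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return record

def normalise(record: dict) -> dict:
    """Validate and type the fields a search or detection would pivot on."""
    out = dict(record)
    mac = out["macAddress"].lower().replace("-", ":")
    if not re.fullmatch(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
        raise ValueError("bad MAC address: %r" % out["macAddress"])
    out["macAddress"] = mac
    for key in ("ipAddress", "switchIP"):
        ipaddress.ip_address(out[key])  # raises ValueError on a malformed address
    out["switchPort"] = int(out["switchPort"])
    return out

def is_valid_event(line: str) -> bool:
    # True when the line parses and its pivot fields validate; False otherwise.
    try:
        normalise(parse_nac_event(line))
        return True
    except ValueError:
        return False
```

Lines that fail `is_valid_event` are worth counting separately, since a malformed export shows up as silently dropped events rather than as an error.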