We have a couple of Forescout NAC devices. They are configured to forward to our local Kiwi servers, and then rules on the Kiwi are supposed to be sending warning & above messages to the main Orion server. Unfortunately, I have oodles (technical term) of info messages showing in the main repository. I'm pretty sure the Kiwi rules are correct (they are working for other devices) but our on site security guy isn't a Forescout expert, so he hasn't been able to see anything wrong on the NAC itself. I'm thinking we have it set to forward directly to Orion under a different facility, but that's a pure guess. From what I've seen of the NAC's SYSLOG setup there aren't drop downs to look at different facilities.
Does anyone have experience with this? Thanks in advance!