
XG syslog into SIEM - what is the event for a Sophos Connect IPSec logon or logon failure?

In monitoring the XG syslog we see individual syslog events for each subnet mapped by the Connect policy. This means 8+ syslog events for every single user who connects with Connect via IPSec. Is there a specific syslog setting we can look for or use to make sure only one logon event is registered? The XG logs do not work well with our SIEM by default like our other firewall brands and their VPNs.



  • Hi,

    The Sophos Connect authentication logs would be available in Log Viewer >> Drop Down Menu, then select Authentication or System Events.

    If you want to check IPsec logs, you may check strongswan.log from the advanced shell of the Sophos XG firewall. It will log an individual SA entry for each subnet for each user; there is no specific single entry available in the firewall.

  • So every time a user connects with Sophos Connect, it actually creates essentially 6 or 7 logon events, one for each subnet that's mapped?

  • Is it possible the log events generated for IPSec VPN logins aren't parsed correctly or in a format a typical SIEM can read and recognize as actual IPSec VPN login events? Events generated by other firewall vendors for IPSec VPN logins are recognized fine out-of-the-box with our SIEM, for example.

  • There should be two different kinds of information.

    The XG IPsec information (X SAs built up) and the XG Authentication information.

    Can you take a look at the Authentication information? Maybe you can find a solution for the SIEM there.
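Since the thread finds no firewall-side setting that emits a single logon event, the collapsing has to happen on the SIEM side: fold the per-subnet SA events into one record per user per short time window, and keep the Authentication events (success or failure) separate as the last reply suggests. The following is an added example and not code from Sophos or any poster; the log line layout and field names are a constructed placeholder for illustration, not the real XG syslog or strongswan format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines. The field layout is an assumption made for
# this example; it is not the real Sophos XG / strongswan message format.
SAMPLE_LOG = """\
2024-05-01T08:00:00 xg authentication user=alice src=203.0.113.5 status=success
2024-05-01T08:00:01 xg ipsec sa=established user=alice subnet=10.0.1.0/24
2024-05-01T08:00:01 xg ipsec sa=established user=alice subnet=10.0.2.0/24
2024-05-01T08:00:02 xg ipsec sa=established user=alice subnet=10.0.3.0/24
2024-05-01T08:00:02 xg ipsec sa=established user=alice subnet=10.0.4.0/24
2024-05-01T08:00:05 xg authentication user=bob src=198.51.100.7 status=failed
2024-05-01T08:10:00 xg ipsec sa=established user=alice subnet=10.0.1.0/24
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) xg (?P<cat>authentication|ipsec) (?P<kv>.*)$")

def parse_line(line):
    """Split one line into timestamp, category and key=value fields; None if unmatched."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), "cat": m.group("cat"), **fields}

def collapse_ipsec(lines, window=timedelta(seconds=30)):
    """Fold the per-subnet SA events into one logon record per user per window.

    Authentication events are passed through untouched, since they are the
    per-user signal a SIEM rule should key on; the SA events are summarised as
    one record carrying the list (and so the count) of subnets brought up.
    """
    auth, logons, open_sessions = [], [], {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["cat"] == "authentication":
            auth.append(ev)
            continue
        cur = open_sessions.get(ev["user"])
        if cur is None or ev["ts"] - cur["first_ts"] > window:
            cur = {"user": ev["user"], "first_ts": ev["ts"], "subnets": []}
            open_sessions[ev["user"]] = cur
            logons.append(cur)
        cur["subnets"].append(ev["subnet"])
    return auth, logons

if __name__ == "__main__":
    auth_events, logon_events = collapse_ipsec(SAMPLE_LOG.splitlines())
    for rec in logon_events:
        print(f"{rec['first_ts']} ipsec logon user={rec['user']} sas={len(rec['subnets'])}")
```

The window length is a tuning choice: it must cover the time the firewall takes to bring up all SAs for one connection, but stay short enough that a genuine reconnect later is counted as a new logon.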