XG syslog into SIEM - what is the event for a Sophos Connect IPSec logon or logon failure?

In monitoring the XG syslog we see individual syslog events for each subnet mapped by the Connect policy. This means 8+ syslog events for every single user who connects with Connect via IPSec. Is there a specific syslog setting we can look for or use to make sure only one logon event is registered? The XG logs do not work well with our SIEM by default like our other firewall brands and their VPNs.



  • Hi  

    The Sophos Connect authentication logs would be available in Log Viewer >> Drop Down Menu and Select Authentication or System Events.

    If you want to check IPsec logs, you may check strongswan.log from the advanced shell of the Sophos XG firewall. It will log an individual SA entry for each subnet for each user; there is no specific single entry available in the firewall.

  • So every time a user connects with Sophos Connect it actually creates essentially 6 or 7 log-on events - one for each subnet that's mapped?
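
Since the firewall emits one SA entry per mapped subnet and no single logon entry, the collapse has to happen on the SIEM side. The following is an added example, not part of the original thread and not Sophos code: it merges a burst of per-subnet events into one logon record per user and source address. The sample lines and the field names `ts`, `user`, `src_ip` and `subnet` are constructed placeholders, not the real XG syslog schema, and the 30-second gap is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input. Field names are hypothetical placeholders, NOT the
# real XG syslog schema; map them to the fields your own parser extracts.
SAMPLE = """\
ts=2024-01-10T09:00:01 user=alice src_ip=203.0.113.10 subnet=10.1.0.0/24
ts=2024-01-10T09:00:01 user=alice src_ip=203.0.113.10 subnet=10.2.0.0/24
ts=2024-01-10T09:00:02 user=alice src_ip=203.0.113.10 subnet=10.3.0.0/24
ts=2024-01-10T09:00:05 user=bob src_ip=198.51.100.7 subnet=10.1.0.0/24
ts=2024-01-10T09:00:05 user=bob src_ip=198.51.100.7 subnet=10.2.0.0/24
unrelated line without the expected fields
ts=2024-01-10T09:15:00 user=alice src_ip=203.0.113.10 subnet=10.1.0.0/24
ts=2024-01-10T09:15:00 user=alice src_ip=203.0.113.10 subnet=10.2.0.0/24
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"ts", "user", "src_ip", "subnet"}
GAP = timedelta(seconds=30)  # assumed: SA entries of one connect arrive within this gap


def collapse(lines, gap=GAP):
    """Merge per-subnet SA events into one logon record per (user, src_ip) burst.

    Assumes lines arrive in timestamp order, as they do on a syslog stream.
    """
    sessions = []   # collapsed logon records, in order of first event
    current = {}    # (user, src_ip) -> the record still accepting events
    for line in lines:
        ev = dict(KV.findall(line))
        if not REQUIRED <= ev.keys():
            continue  # skip lines that are not per-subnet SA events
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["src_ip"])
        rec = current.get(key)
        if rec is None or ts - rec["last"] > gap:
            # First event of a new connection: open a new logon record.
            rec = {"user": ev["user"], "src_ip": ev["src_ip"],
                   "first": ts, "last": ts, "subnets": []}
            current[key] = rec
            sessions.append(rec)
        rec["last"] = ts
        if ev["subnet"] not in rec["subnets"]:
            rec["subnets"].append(ev["subnet"])
    return sessions


if __name__ == "__main__":
    for s in collapse(SAMPLE.splitlines()):
        print(s["first"].isoformat(), s["user"], s["src_ip"], len(s["subnets"]), "subnets")
```

Alerting on the collapsed records rather than the raw entries keeps logon counts per user accurate while still preserving which subnets each connection negotiated.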
