
XG syslog into SIEM - what is the event for a Sophos Connect IPSec logon or logon failure?

In monitoring the XG syslog we see individual syslog events for each subnet mapped by the Connect policy. This means 8+ syslog events for every single user who connects with Connect via IPSec. Is there a specific syslog setting we can look for or use to make sure only one logon event is registered? The XG logs do not work well with our SIEM by default like our other firewall brands and their VPNs.



This thread was automatically locked due to age.
  • Is it possible the log events generated for IPSec VPN logins aren't parsed correctly or in a format a typical SIEM can read and recognize as actual IPSec VPN login events? Events generated by other firewall vendors for IPSec VPN logins are recognized fine out-of-the-box with our SIEM, for example.
