
Sophos Connect - Where to view client's WAN IP address in logs?

Hello. After a Sophos Connect connection we can view the assigned local DHCP address for the client but we cannot seem to find where in the logs the WAN IP address (where in the world they are connecting from) of the client. Where is that viewable? We need to feed this into our SIEM.



This thread was automatically locked due to age.
  • You can find the IPs in the authentication logs (log viewer).

  • FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    As mentioned by  you should see the user's public IP address from the log viewer's authentication logs or search the user name in access_server logs and see the remote user's public IP address. 

    You can run the following command from the Advanced shell: grep -i "user name" /log/access_server.log

    Thanks,

  • If I filter the Authentication log by IPSec client only, I see no WAN address for those events. The "src_ip" and "from" both show only the DHCP address of the client:

    2020-12-09 12:45:44 Authentication messageid="17701" log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" user="user@domain.com" user_group="VPNusers" client_used="IPSec" auth_mechanism="" reason="" src_ip="10.xxx.xxx.xxx" message="User user@domain.com of group VPNusers logged in successfully to Firewall through  authentication mechanism from 10.xxx.xxx.xxx" name="Lastname, firstname" src_mac=""

  • I have clients authenticate IPsec with local accounts (clients have to authenticate later with LDAP accounts) with long and complex passwords.

    So for me, the WAN IP address is present in log entries of "My Account Authentication" notices.

  • Ok, I see that now. Seems odd to classify that as a "Local" login. That would seem to imply someone logging directly into the user portal on the device.
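
Added example (not part of the thread and not Sophos code): a small Python pre-filter for a SIEM pipeline that parses the key="value" log format quoted above and keeps only successful logins whose src_ip is not an internal address. The internal ranges (RFC 1918), the second and third sample lines, and the assumption that "My Account Authentication" appears in the log_component field are constructed for illustration.

```python
import ipaddress
import re

# key="value" pairs as they appear in the Authentication log line quoted in the thread
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Assumption: the VPN/DHCP pool lives in RFC 1918 space; adjust to the real lease range.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_event(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(PAIR.findall(line))

def classify_src(value):
    """Label a src_ip value as 'wan', 'internal' or 'unparsed' (masked or empty)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "unparsed"
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "wan"

def wan_logins(lines):
    """Return (user, src_ip, log_component) for successful logins from a WAN address."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("status") != "Successful":
            continue
        if classify_src(ev.get("src_ip", "")) == "wan":
            hits.append((ev.get("user"), ev["src_ip"], ev.get("log_component")))
    return hits

SAMPLE = [
    # Line from the thread, with the address masked as posted
    '2020-12-09 12:45:44 Authentication messageid="17701" log_component="Firewall Authentication" '
    'status="Successful" user="user@domain.com" client_used="IPSec" src_ip="10.xxx.xxx.xxx" '
    'name="Lastname, firstname" src_mac=""',
    # Constructed: same event with an unmasked internal lease address
    '2020-12-09 12:45:44 Authentication log_component="Firewall Authentication" '
    'status="Successful" user="user@domain.com" client_used="IPSec" src_ip="10.81.234.5"',
    # Constructed: entry of the kind the last replies describe, with a documentation-range WAN address
    '2020-12-09 12:45:40 Authentication log_component="My Account Authentication" '
    'status="Successful" user="user@domain.com" src_ip="203.0.113.7"',
]

if __name__ == "__main__":
    for user, ip, component in wan_logins(SAMPLE):
        print(f"{user} connected from {ip} ({component})")
```

Joining the surviving records to the "Firewall Authentication" event for the same user by timestamp gives the SIEM both the WAN address and the assigned internal address for one session.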