Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 989 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Connect - Where to view client's WAN IP address in logs?

ken9000

Hello. After a Sophos Connect connection we can view the assigned local DHCP address for the client but we cannot seem to find where in the logs the WAN IP address (where in the world they are connecting from) of the client. Where is that viewable? We need to feed this into our SIEM.



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to cscheps

    If I filter the Authentication log by IPSec client only, I see no WAN address for those events. The " src_ip and "from" both show only the DHCP address of the client: 2020-12-09 12:45:44Authenticationmessageid="17701" log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" user="user@domain.com" user_group="VPNusers" client_used="IPSec" auth_mechanism="" reason="" src_ip="10.xxx.xxx.xxx" message="User user@domain.com of group VPNusers logged in successfully to Firewall through  authentication mechanism from 10.xxx.xxx.xxx" name="Lastname, firstname" src_mac=""

  • 0 in reply to ken9000

    I have clients authenticate IPsec with local accounts (clients have to authenticate later with LDAP accounts) with long and complex passwords

    So for me, the WAN IP address is present in log entries of "My Account Authentication" notices

  • 0 in reply to cscheps

    Ok, I see that now. Seems odd to classify that as a "Local" login. That would seem to imply someone logging directly into the user portal on the device.