XG syslog into SIEM - what is the event for a Sophos Connect IPSec logon or logon failure?

In monitoring the XG syslog we see individual syslog events for each subnet mapped by the Connect policy. This means 8+ syslog events for every single user who connects with Connect via IPSec. Is there a specific syslog setting we can look for or use to make sure only one logon event is registered? The XG logs do not work well with our SIEM by default like our other firewall brands and their VPNs.

  • Hi

    The Sophos Connect authentication logs would be available in Log Viewer >> Drop Down Menu and Select Authentication or System Events.

    If you want to check IPsec logs, you may check strongswan.log from the advanced shell of the Sophos XG firewall. It will log an individual SA entry for each subnet for each user; there is no specific single entry available in the firewall.

  • In reply to Keyur:

    So every time a user connects with Sophos Connect it actually creates essentially 6 or 7 log-on events - one for each subnet that's mapped?

  • Is it possible the log events generated for IPSec VPN logins aren't parsed correctly or in a format a typical SIEM can read and recognize as actual IPSec VPN login events? Events generated by other firewall vendors for IPSec VPN logins are recognized fine out-of-the-box with our SIEM, for example.

  • In reply to King Tomato:

    There should be two different pieces of information.

    The XG IPsec information (X SAs built up) and the XG authentication information.

    Can you take a look at the authentication information? Maybe you can find a solution for the SIEM there.
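As an added illustration of the split the two replies describe (one authentication event per logon, but one IPsec SA event per subnet mapped by the Connect policy), here is a SIEM-side pre-processor that keeps the authentication success/failure record as the logon event and folds the per-subnet SA events for the same user and source into a single session record. This is example code written for this thread, not anything from Sophos: the line layout, the field names (user, src, result, sa, subnet) and the 30-second grouping window are constructed assumptions, not the real XG authentication or strongswan.log format, which would need its own field mapping.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines in a hypothetical key=value shape.
# Three "sa=established" lines stand for three subnets mapped by the Connect policy.
SAMPLE_LINES = [
    "2024-05-01T08:00:01 auth: user=alice result=success src=203.0.113.10 method=sophos-connect",
    "2024-05-01T08:00:02 ipsec: user=alice sa=established subnet=10.0.1.0/24 src=203.0.113.10",
    "2024-05-01T08:00:02 ipsec: user=alice sa=established subnet=10.0.2.0/24 src=203.0.113.10",
    "2024-05-01T08:00:03 ipsec: user=alice sa=established subnet=10.0.3.0/24 src=203.0.113.10",
    "2024-05-01T08:05:00 auth: user=bob result=failure src=198.51.100.7 method=sophos-connect",
    "2024-05-01T09:30:00 ipsec: user=alice sa=established subnet=10.0.1.0/24 src=203.0.113.10",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<facility>auth|ipsec): (?P<kv>.*)$")


def parse_line(line):
    """Return a dict with 'ts', 'facility' and the key=value fields, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "facility": m["facility"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split())
    return rec


def collapse_events(lines, window=timedelta(seconds=30)):
    """Emit one record per authentication event and one per IPsec session.

    SA events for the same (user, src) arriving within `window` of the first SA are
    folded into one session record that lists the subnets, so the SIEM receives a
    single logon-like event instead of one per mapped subnet.
    """
    out, open_sessions = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["facility"] == "auth":  # authoritative logon success/failure record
            out.append({"event": "auth", "user": rec["user"], "src": rec["src"],
                        "result": rec["result"], "ts": rec["ts"]})
            continue
        if rec.get("sa") != "established":  # ignore other IPsec chatter
            continue
        key = (rec["user"], rec["src"])
        sess = open_sessions.get(key)
        if sess is None or rec["ts"] - sess["ts"] > window:  # new session, not a sibling SA
            sess = {"event": "ipsec_session", "user": rec["user"], "src": rec["src"],
                    "ts": rec["ts"], "subnets": []}
            open_sessions[key] = sess
            out.append(sess)
        sess["subnets"].append(rec["subnet"])
    return out
```

Running `collapse_events(SAMPLE_LINES)` yields four records: alice's successful authentication, one IPsec session for alice covering three subnets, bob's failed authentication, and a second alice session an hour and a half later.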