Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DHCP Log of an XGS3100


I am trying to extract specific info from a DHCP syslog generated from an XGS3100, 1 log per day for 253 IP's for the last 50 days, masses of data.

What I am trying to find out is, can the log tell me when a given IP was 'last seen' or would that be when an IP address no longer renews?

With 253 reserved addresses and without expanding the subnet, hoping to remove some un-needed IP's/MAC's.

Has anyone needed to do a similar exercise? Any inspiration would be appreciated.

I guess an alternative would be to remove all reservations, let any leases naturally expire and see what's left.

Many Thanks,


This thread was automatically locked due to age.
  • May want to ask in the XG forums.  ;)

    PFSense Plus 23.05 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | Fiber Conn (awaiting ATT Fiber)
    (Former Sophos UTM Veteran, XG Rookie)

  • Moving this thread to the proper forum for you, Roy.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    I can't help with your specific log request, but you could change the time to live of the DHCP settings to reduce the idle number of addresses. After you have done that, restart the XGS.


    XG115W - v20 EAP 1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Roy,

    Thank you for contacting the Sophos Community.

    The dhcp.leases "log" has  the following information, when the lease started (given) and when it will end, but I am not sure 

    lease {
    starts 2 2022/05/31 16:59:51;
    ends 3 2022/06/01 16:59:51;
    tstp 3 2022/06/01 16:59:51;
    cltt 2 2022/05/31 16:59:51;
    binding state free;
    hardware ethernet 00:0c:29:f7:b2:32;
    uid "\001\000\014)\367\2622";
    lease {
    starts 3 2022/06/22 22:05:46;
    ends 4 2022/06/23 22:05:46;
    cltt 3 2022/06/22 22:05:46;
    binding state active;
    next binding state free;
    rewind binding state free;
    hardware ethernet 00:0c:29:b1:58:03;
    uid "\001\000\014)\261X\003";

    Also if you use the Log Viewer, System and then Add a Filter  "Log Comp" >> "is" >> DCHP Server 

    This should give you the Status of the DHCP, Renew, Expire 

    The information in the Log Viewer would rotate so not sure how far back it might go for you. 


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.