This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Event 2887, Event 2889 on Domain Controller

Hello. I have a Sophos UTM running version 9.509-3. At the domain controller the above  events are logged. I attached the files. The IP address logged belongs to the UTM. It is configured (Definitions & Users-->Authentication Services-->Servers) to use the domains controllers to synchronize AD users. Does it have to do with UTM settings?

Regards

Event 2887.docxEvent 2889.docx



This thread was automatically locked due to age.
Parents
  • What do you see in the logs when you raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello. The files i attached is after raising logging category to level 2

    Regards

  • 1.2.3.4 is used in Wireless Protection, so this must be the UTM making this connection and it's probably innocuous.  I'd be tempted to lower the logging level so that you don't see every such access logged, but I'd be interested in what Sophos Support has to say about this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello. 1.2.3.4 is an example IP (instead x.x.x.x). At the log appears utm's actual IP address. Also i don't use Wireless Protection at all.

    Also these logs appeared the last 2-3 months while the utm is running more than 2 years with AD sync. Reducing the logging level to default (0) logs only 2887. Raising it to 2 logs 2889, where the IP address is visible.

    Regards

  • I've found that the best way to obfuscate the real IP is to use the following approaches:

    Public: 8.8.8.8 -> 8.x.y.8
    Private: 10.1.2.3 -> 10.x.y.3 in 10/8
    Private: 172.16.1.1 -> 172.x.y.1 in 172.16/12
    Private: 192.168.22.3 -> 192.168.x.3 in 192.168/16

    That way, others can see if the IPs are private or public and they can see enough detail of the IP to better understand what you're showing them.

    If this is the UTM's IP, then I suspect a Windows update caused this issue.  Do contact Sophos Support.  This may be an issue that's easy to address in an upcoming release.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I've found that the best way to obfuscate the real IP is to use the following approaches:

    Public: 8.8.8.8 -> 8.x.y.8
    Private: 10.1.2.3 -> 10.x.y.3 in 10/8
    Private: 172.16.1.1 -> 172.x.y.1 in 172.16/12
    Private: 192.168.22.3 -> 192.168.x.3 in 192.168/16

    That way, others can see if the IPs are private or public and they can see enough detail of the IP to better understand what you're showing them.

    If this is the UTM's IP, then I suspect a Windows update caused this issue.  Do contact Sophos Support.  This may be an issue that's easy to address in an upcoming release.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data