When monitoring Security Events for user logins via AD/LDAP, the NSX Manager syslog displays the source IP address of the NSX L4 TCP Load Balancer rather than the originating client IP address.
VMware NSX
The L4 TCP load balancer utilizes Source Network Address Translation (SNAT) to ensure symmetrical return traffic routing. This translates the original client source IP in the packet headers to the load balancer's IP address before forwarding the authentication traffic to the NSX Manager.
This is a condition that may occur in a VMware NSX environment.
Workaround:
To preserve and log the original client source IP address, the load balancer topology must be modified to operate inline without SNAT.
1. Modify the load balancing architecture to an inline topology.
2. Deactivate SNAT Auto Translation on the load balancer configuration.
3. Ensure that routing is configured so that return traffic toward the clients uses the Tier-1 (T1) gateway hosting the load balancer as its return path, guaranteeing a symmetric traffic flow without address translation.
Note: Disabling SNAT Auto Translation requires meticulous routing design. If return traffic from the NSX Manager bypasses the T1 gateway hosting the load balancer, asymmetric routing will occur, and connections will fail.
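A practical check for the symptom described above, added here as an example and not part of VMware's documentation: it scans NSX Manager syslog login events and reports whether the logged source addresses are the load balancer's SNAT address rather than distinct client addresses. The syslog line format, host names, users and IP addresses are constructed for the demonstration; adapt the regular expression to the message format your NSX Manager actually emits.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample syslog lines (not real NSX output). The wording of the login
# message is an assumption; only the user and the source IP fields matter here.
SAMPLE_SYSLOG = """\
<14>1 2024-05-01T10:00:01Z nsxmgr-01 NSX 123 - - Successful login for user alice@corp.example from 10.10.20.5
<14>1 2024-05-01T10:00:07Z nsxmgr-01 NSX 123 - - Successful login for user bob@corp.example from 10.10.20.5
<14>1 2024-05-01T10:00:09Z nsxmgr-01 NSX 123 - - Failed login for user eve@corp.example from 10.10.20.5
<14>1 2024-05-01T10:01:30Z nsxmgr-01 NSX 123 - - Successful login for user admin from 192.168.1.40
"""

LOGIN_RE = re.compile(
    r"(?P<result>Successful|Failed) login for user (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_logins(text):
    """Extract (result, user, source IP) from every login event in the syslog text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({"result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def snat_attribution_report(events, lb_addresses):
    """Summarise how many login events carry a load balancer address as their source.

    lb_addresses: the load balancer's SNAT/interface IPs (assumed known to the operator).
    When several distinct users all appear from one of those addresses, the original
    client IP has been translated away and the audit trail cannot attribute logins.
    """
    lb = {ip_address(a) for a in lb_addresses}
    counts = Counter(e["src"] for e in events)
    total = sum(counts.values())
    masked = sum(n for ip, n in counts.items() if ip_address(ip) in lb)
    masked_users = sorted({e["user"] for e in events if ip_address(e["src"]) in lb})
    return {
        "total": total,
        "masked": masked,
        "masked_users": masked_users,
        # Distinct users sharing the LB address is the fingerprint of SNAT still in effect.
        "snat_suspected": masked > 0 and len(masked_users) > 1,
    }


if __name__ == "__main__":
    print(snat_attribution_report(parse_logins(SAMPLE_SYSLOG), ["10.10.20.5"]))
```

Run it against a log export after applying the workaround: once SNAT is deactivated and return routing is symmetric, `masked` should drop to zero for the load balancer address.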