
From: John
Date: 5/10/18 3:17 PM
Topic: Intrusion detection
Type: General Discussions

Testing Xeams as a Stand Alone server, the intrusion log has a few attempts to brute force, but the IPs show as coming from my router, instead of the attacker's IP:

2018-05-10 07:14:17,797 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 33. Login: noreply
2018-05-10 07:59:35,634 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 34. Login: student
2018-05-10 08:22:44,976 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 35. Login: ftpuser
2018-05-10 08:45:53,766 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 36. Login: besadmin
2018-05-10 09:09:03,491 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 37. Login: internet
2018-05-10 09:31:51,675 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 38. Login: user1


How do I get their IPs to appear in the log properly?

From: Synametrics Support
Date: 5/10/18 3:26 PM

This happens when your router hides the actual IP of the foreign host. Check if there is a setting on your router not to do that.


From: John
Date: 5/10/18 4:05 PM

That was it exactly. Appreciate the quick response. 


From: Synametrics Support
Date: 5/10/18 4:09 PM

John,

If you don't mind, could you please tell us which router/firewall you are using and where you went to change this? Your answer will help others running into the same situation.


From: Anonymous
Date: 5/13/18 3:22 PM

Fortigate 311B. Log into the router, go to Policies and Objects --> IP4, and disable NAT for the ports you are forwarding.

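The symptom discussed in this thread can be checked for automatically. The following is an added example, not part of the original posts and not Xeams code: it parses intrusion log lines in the format quoted in the first post and flags any RFC 1918 source address that was blocked for several different logins, which on an Internet-facing server suggests a NAT device rewrote the client address. The function names, the `min_logins` threshold and the last three sample lines (using the documentation address 203.0.113.7) are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# First four lines are the ones quoted in the thread; the last three are constructed.
SAMPLE_LOG = """\
2018-05-10 07:14:17,797 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 33. Login: noreply
2018-05-10 07:59:35,634 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 34. Login: student
2018-05-10 08:22:44,976 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 35. Login: ftpuser
2018-05-10 08:45:53,766 - User blocked for attempting too many incorrect passwords. IP address:192.168.1.1. Source: Smtp Server. Attempt number 36. Login: besadmin
2018-05-11 10:00:00,000 - User blocked for attempting too many incorrect passwords. IP address:203.0.113.7. Source: Smtp Server. Attempt number 1. Login: admin
2018-05-11 10:05:00,000 - User blocked for attempting too many incorrect passwords. IP address:203.0.113.7. Source: Smtp Server. Attempt number 2. Login: test
2018-05-11 10:10:00,000 - User blocked for attempting too many incorrect passwords. IP address:203.0.113.7. Source: Smtp Server. Attempt number 3. Login: info
"""

LINE_RE = re.compile(
    r"^\S+ \S+ - User blocked for attempting too many incorrect passwords\. "
    r"IP address:(?P<ip>[0-9A-Fa-f:.]+?)\. Source: (?P<source>.+?)\. "
    r"Attempt number \d+\. Login: (?P<login>\S+)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_blocks(text):
    """Return (ip, login) pairs for each 'User blocked' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((ipaddress.ip_address(m["ip"]), m["login"]))
    return events

def masked_sources(events, min_logins=3):
    """Map each internal source IP blocked for >= min_logins distinct logins to those logins.
    Such an entry means the log records the gateway, not the remote host."""
    logins = defaultdict(set)
    for ip, login in events:
        logins[ip].add(login)
    return {
        str(ip): sorted(names)
        for ip, names in logins.items()
        if ip.version == 4 and any(ip in net for net in RFC1918) and len(names) >= min_logins
    }

if __name__ == "__main__":
    for ip, names in masked_sources(parse_blocks(SAMPLE_LOG)).items():
        print(f"{ip}: blocked for {len(names)} different logins, source likely rewritten by NAT")
```

While the log shows the gateway address, any per-IP blocking based on it acts on the router rather than on the remote host, so it is worth running a check like this after changing port-forwarding rules.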