Log file details
The reports you see on the web admin console are generated using the log files. You can view logs using the log viewer or the command-line interface (CLI). See Log viewer.
Using the CLI, you can find the log files in the /log directory. You can access the CLI by going to admin > Console, in the upper right corner of the web admin console.
On the CLI, select option 5. Device Management, then option 3. Advanced Shell. Then change to the log directory using the command cd /log.
You can use the following commands for the log files.
| Command | Syntax | Example | Description |
| --- | --- | --- | --- |
| tail -f | `tail -f /log/<logfilename>.log` | `tail -f /log/ips.log` | Shows the log file's latest entries. |
| less | `less /log/<logfilename>.log` | `less /log/ips.log` | Shows static log files. |
| grep | `grep <keyword> /log/<logfilename>.log` | `grep error /log/ips.log` | Searches the log file for lines containing the keyword. |
| service | `service <service name>:start/restart/stop/debug -ds nosync` | `service ips:debug -ds nosync` | Starts, restarts, stops, or debugs a service. |
Note
When a log rotates, a file extension of .log.0 is created. For example, smtpd_main.log.0.
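The following shell function is an added example, not part of the original documentation. It combines the grep usage and the rotation note above by searching both the rotated file (.log.0) and the current file for a literal string such as an IP address. The function name search_fw_log and the LOG_DIR variable are hypothetical, and it assumes the shell's grep supports the -F, -w, -H and -n options.

```shell
#!/bin/sh
# Added example: search one service's rotated and current log for a literal string.
# LOG_DIR defaults to /log (the directory named on this page); override it for testing.
LOG_DIR="${LOG_DIR:-/log}"

# search_fw_log <logname> <literal>
#   <logname> is the file name without ".log", e.g. "ips" for /log/ips.log.
#   Prints matches as file:line-number:text, rotated file first (older entries).
#   Returns 0 if anything matched, 1 if nothing matched, 2 on a usage error.
search_fw_log() {
    name="$1"
    needle="$2"
    if [ -z "$name" ] || [ -z "$needle" ]; then
        echo "usage: search_fw_log <logname> <literal>" >&2
        return 2
    fi
    found=1
    # The .log.0 copy only exists after a rotation, so skip files that are missing.
    for f in "$LOG_DIR/$name.log.0" "$LOG_DIR/$name.log"; do
        [ -r "$f" ] || continue
        # -F  treats the keyword as a literal, so the dots in an IP address
        #     do not act as regex wildcards.
        # -w  matches whole words only, so 10.1.1.1 does not also hit 10.1.1.10.
        # --  ends option parsing, so a keyword starting with "-" is not read as a flag.
        if grep -H -n -F -w -- "$needle" "$f"; then
            found=0
        fi
    done
    return "$found"
}
```

For example, `search_fw_log ips 10.1.1.1` searches /log/ips.log.0 and then /log/ips.log.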
Antivirus and anti-spam
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Antivirus | Antivirus service | av.log | Antivirus |
| Antivirus updates | Antivirus update service | up2date_av.log | |
| Anti-spam | Anti-spam service | sasi.log | Anti-spam |
| Sandbox | Sandbox service | sandboxd.log | sandboxd |
| Sandbox | Sandbox service | sessiontbl.log | |
Sophos Firewall uses Avira and Sophos Antivirus.
Authentication
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Access server | User authentication, authorization and accounting service | access_server.log | access_server |
| Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access |
| NASM | NTLM authentication service | nasm.log | nasm |
Access server is a custom-developed service that handles AAA activity.
Database
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Configuration database | Configuration database log files | confdbstatus.log | |
| Configuration database | Configuration database log files | crreportdb.log | |
| Garner | Logging service for postponement, event log and graphs | garner.log | garner |
| Migration database | Report migration log files | sac-feedback.log | |
| Migration database | Report migration log files | reportmigration.log | |
| Postgres database | Configuration database service | postgres.log | postgres |
| Signature database | Signature database service | sigdb.log | sigdb |
| Reporting database | Report database service | reportdb.log | reportdb |
Firewall
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| BWM | Bandwidth management service (QoS) | bwm.log | bwm |
| Firewall rule logging | Firewall rule logging service | firewall_rule.log | |
| Firewall | Virtual host service | vhost.log | |
| FWlog | Firewall logging service | fwlog.log | fwlog |
| NAT | NAT rule log files | nat_rule.log | |
| NAT | NAT rule log files | pimd.log | pmid |
| Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd |
Sophos Firewall uses IPtable, ARP table, IPset and conntrack for firewall connections.
IMQ is used for QoS.
GUI and CLI
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Apache | GUI service | apache.log | apache |
| Apache | GUI service | apache_access.log | apache |
| SSH | SSH logs | sshd.log | sshd |
| Error Log | Error log messages for GUI and CLI | error_log.log | |
| Tomcat | GUI service | tomcat.log | tomcat |
Heartbeat
Name
Description
Log file
Service
Heartbeat
Heartbeat to Sophos Central communication service
fwcm-eventd
Heartbeat
Heartbeat to Sophos Central communication service
fwcm-heartbeatd
Heartbeat
Heartbeat to Sophos Central communication service
fwcm-updaterd
Heartbeat
Heartbeat service
heartbeatd.log
heartbeatd
Heartbeat
Heartbeat to Central communication
hbtrust.log
heartbeatd
High availability
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd |
| High availability | HA configuration and status updates | applog.log | |
| High availability | HA pair service | ha_pair.log | ha_pair |
| High availability | HA tunnel service | ha_tunnel.log | ha_tunnel |
| Msync | HA synchronization service | msync.log | msync |
Note
High availability cluster logs are stored on the same appliance where they're generated. We recommend using Sophos Central Firewall Reporting (CFR) to view the consolidated reports from both devices. To view the raw logs of the auxiliary appliance, you must connect to its admin port via SSH. To do this, use the command ssh admin@IPADDRESS. You must change IPADDRESS to be the admin port IP address of the auxiliary appliance.
Intrusion prevention and application filter
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Application filter | The application filter uses the same service and log file as IPS | ips.log | ips |
| Intrusion prevention and application filter | Antivirus service | avd.log | antivirus |
| Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log | |
| Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log | |
| IPS | Intrusion prevention filter service | ips.log | ips |
Network
The following logs relate to general networking services.
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD |
| DHCP | Dynamic host configuration server service | dhcpd.log | dhcpd |
| DHCP6 | Dynamic host control service for IPv6 | dhcp6.log | dhcpd6 |
| DDC | Dynamic domain name service client service | ddc.log | ddc |
| DNS | DNS service | dnsd.log | dnsd |
| DNS | DNS service | dnsgrabber.log | dnsd |
| DNS | DNS service | eacd.log | |
| DNS | DNS service | entity.log | |
| Network | Network service - Interface/IP/PPPOE | networkd.log | networkd |
| Network | FQDN logging service | fqdnd.log | fqdnd |
| Network | FQDN logging service | fqdndebug.log | fqdnd |
| NTPclient | Network time protocol client service | ntpclient.log | ntpclient |
| RAD | Router advertisement service for IPv6 | radvd.log | radvd |
The following logs relate to dynamic-routing services.
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |
| OSPF | Open Shortest Path First routing service | ospfd.log | ospfd |
| RIP | Routing Information Protocol routing service | ripd.log | ripd |
The following logs relate to static routing services.
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Application based routing | Application based routing service | appcached.log | appcached |
| Application based routing | Redis service | redis | redis-appcache |
| Multicast-routing | Multicast routing service | mrouting.log | mrouting |
| Zebra | Static routing service | zebra.log | zebra |
Proxy (HTTPs - SMTPs - POP - IMAP - FTP - WAF)
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Awarrenhttp | HTTPS proxy service | awarrenhttp.log | awarrenhttp |
| Awarrenhttp access | HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp |
| Awarrensmtp | SMTPS legacy proxy service | awarrensmtp.log | awarrensmtp |
| Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta |
| Awarrenmta debug | (v17+) Mail transfer agent proxy service debug mode | awarrenmta_debug.log | awarrenmta |
| FTP | FTP proxy service | ftpproxy.log | FTPproxy |
| nSXLd | Web categorization and IP reputation | nSXLd.log | nSXLd |
| Skein | HTTP/FTP legacy proxy | skein.log | |
| SMTP | (v17.5+) Mail transfer agent proxy service | smtpd_main.log | smtpd |
| SMTP error | (v17.5+) Mail transfer agent proxy service errors | smtpd_error.log | smtpd |
| SMTP panic | (v17.5+) Mail transfer agent proxy service panic | smtpd_panic.log | smtpd |
| SMTP reject | (v17.5+) Mail transfer agent proxy service reject | smtpd_reject.log | smtpd |
| Warren | POP/IMAP proxy service | warren.log | warren |
| WAF | Web application firewall proxy service | reverseproxy.log | reverseproxy |
| Web proxy | Web proxy service | webproxy.log | |
| WINGc | (v15+) Web categorization | WINGc.log | WINGc |
Note
Sophos Firewall always blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports.
VPN
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Clientless SSL VPN | Clientless SSL VPN client service | clientless_access.log | clientless_access |
| IPsec | (v15-v16) IPsec VPN service | ipsec.log | ipsec |
| IPsec | (v17+) IPsec VPN service | strongswan.log | strongswan |
| IPsec | (v17+) IPsec VPN service | charon.log | strongswan |
| IPsec | IPsec connection testing log files | ipsec_Test_Connect.log | |
| IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor |
| L2TP | Layer 2 tunneling protocol daemon | l2tpd.log | l2tpd |
| PPTP | Point-to-point tunneling VPN daemon | pptpvpn.log | pptpd |
| SSL VPN | SSL VPN client service | sslvpn.log | sslvpn |
| VPN PKI | VPN PKI logs | vpncertificate.log | |
| VPN PKI | VPN PKI logs | wc_remote.log | |
| VPN service | VPN service | strongswan-monitor.log | strongswan |
| VPN service | VPN service | sync.log | |
| XFRM | XFRM tunnel interface service | xfrmi.log | |
Sophos Firewall uses Openswan for IPsec VPN and OpenVPN for SSL VPN.