Log file details

The reports you see on the web admin console are generated using the log files. You can view logs using the log viewer or the command-line interface (CLI). See Log viewer.

Using the CLI, you can find the log files in the /log directory. You can access the CLI by going to admin > Console, in the upper right corner of the web admin console.

On the CLI, select option 5. Device Management, then option 3. Advanced Shell. Then change to the log directory using the command cd /log.

You can use the following commands for the log files.

Command	Syntax	Example	Description
`tail -f`	`tail –f /log/<logfilename>.log`	`tail –f /log/ips.log`	Shows the log file's latest entries.
`less`	`less /log/<logfilename>.log`	`less /log/ips.log`	Shows static log files.
`grep`	`grep <keyword> /log/<logfilename>.log`	`grep error /log/ips.log`	Applies a search filter for the keyword with the log file.
`service`	`service <service name>:start/restart/stop/debug –ds nosync`	`service ips:debug -ds nosync`	Starts, restarts, stops, or debugs a service.

Note

When a log rotates, a file extension of .log.0 is created. For example, smtpd_main.log.0.

Antivirus and anti-spam

Name	Description	Log file	Service
Antivirus	Antivirus service	`av.log`	Antivirus
Antivirus updates	Antivirus update service	`up2date_av.log`
Anti-spam	Anti-spam service	`sasi.log`	Anti-spam
Sandbox	Sandbox service	`sandboxd.log`	sandboxd
Sandbox	Sandbox service	`sessiontbl.log`

Sophos Firewall uses Avira and Sophos Antivirus.

Authentication

Name	Description	Log file	Service
Access server	User authentication, authorization and accounting service	`access_server.log`	access_server
Chromebook authentication	Chromebook SSO service	`chromebook-sso-backend.log`	clientless_access
NASM	NTLM authentication service	`nasm.log`	nasm

Access server is a custom developed service to handle AAA activity.

Database

Name	Description	Log file	Service
Configuration database	Configuration database log files	`confdbstatus.log`
Configuration database	Configuration database log files	`crreportdb.log`
Garner	Logging service for postponement, event log and graphs	`garner.log`	garner
Migration database	Report migration log files	`sac-feedback.log`
Migration database	Report migration log files	`reportmigration.log`
Postgres database	Configuration database service	`postgres.log`	postgres
Signature database	Signature database service	`sigdb.log`	sigdb
Reporting database	Report database service	`reportdb.log`	reportdb

Firewall

Name	Description	Log file	Service
BWM	Bandwidth management service (QoS)	`bwm.log`	bwm
Firewall rule logging.	Firewall rule logging service	`firewall_rule.log`
Firewall	Virtual host service	`vhost.log`
FWlog	Firewall logging service	`fwlog.log`	fwlog
NAT	NAT rule log files	`nat_rule.log`
NAT	NAT rule log files	`pimd.log`	pmid
Pktcap	Packet capture service (GUI DG option)	`pktcapd.log`	pktcapd

Sophos Firewall uses IPtable, ARP table, IPset and conntrack for firewall connections.
IMQ is used for QoS.

GUI and CLI

Name	Description	Log file	Service
Apache	GUI service	`apache.log`	apache
Apache	GUI Service	`apache_access.log`	apache
SSH	SSH logs	`sshd.log`	sshd
Error Log	Error log messages for GUI and CLI	`error_log.log`
Tomcat	GUI service	`tomcat.log`	tomcat

Heartbeat

Name	Description	Log file	Service
Heartbeat	Heartbeat to Sophos Central communication service	`fwcm-eventd`
Heartbeat	Heartbeat to Sophos Central communication service	`fwcm-heartbeatd`
Heartbeat	Heartbeat to Sophos Central communication service	`fwcm-updaterd`
Heartbeat	Heartbeat service	`heartbeatd.log`	heartbeatd
Heartbeat	Heartbeat to Central communication	`hbtrust.log`	heartbeatd

High availability

Name	Description	Log file	Service
Ctsync	Conntrack synchronization service	`ctsyncd.log`	ctsyncd
High availability	HA configuration and status updates	`applog.log`
High availability	HA pair service	`ha_pair.log`	ha_pair
High availability	HA tunnel service	`ha_tunnel.log`	ha_tunnel
Msync	HA synchronization service	`msync.log`	msync

Note

High availability cluster logs are stored on the same appliance where they're generated. We recommend using Sophos Central Firewall Reporting (CFR) to view the consolidated reports from both devices. To view the raw logs of the auxiliary appliance, you must connect to its admin port via SSH. To do this, use the command ssh admin@IPADDRESS. You must change IPADDRESS to be the admin port IP address of the auxiliary appliance.

Intrusion prevention and application filter

Name	Description	Log file	Service
Application filter	The application filter uses the same service and log file as IPS	`ips.log`	ips
Intrusion prevention and application filter	Antivirus service	`avd.log`	antivirus
Intrusion prevention and application filter	Intrusion prevention upgrade service	`sig_upgrade.log`
Intrusion prevention and application filter	Intrusion prevention migration service	`sigmigration.log`
IPS	Intrusion prevention filter service	`ips.log`	ips

Network

The following logs relate to general networking services.

Name	Description	Log file	Service
Dead gateway detection	MLM, VPN failover, dead gateway detection	`dgd.log`	DGD
DHCP	Dynamic host configuration server service	`dhcpd.log`	dhcpd
DHCP6	Dynamic Host control service for IPv6	`dhcp6.log`	dhcpd6
DDC	Dynamic domain name service client service	`ddc.log`	ddc
DNS	DNS service	`dnsd.log`	dnsd
DNS	DNS service	`dnsgrabber.log`	dnsd
DNS	DNS service	`eacd.log`
DNS	DNS service	`entity.log`
Network	Network service - Interface/IP/PPPOE	`networkd.log`	networkd
Network	FQDN logging service	`fqdnd.log`	fqdnd
Network	FQDN logging service	`fqdndebug.log`	fqdnd
NTPclient	Network time protocol client service	`ntpclient.log`	ntpclient
RAD	Router advertisement service for IPv6	`radvd.log`	radvd

The following logs relate to dynamic-routing services.

Name	Description	Log file	Service
BGP	Border Gateway Protocol routing service	`bgpd.log`	bgpd
OSPF	Open Shortest Path First routing service	`ospfd.log`	ospfd
RIP	Routing Information Protocol routing service	`ripd.log`	ripd

The following logs relate to static routing services.

Name	Description	Log file	Service
Application based routing	Application based routing service	`appcached.log`	appcached
Application based routing	Redis Service	`redis`	redis-appcache
Multicast-routing	Multicast routing service	`mrouting.log`	mrouting
Zebra	Static routing service	`zebra.log`	zebra

Proxy (HTTPs - SMTPs - POP - IMAP - FTP - WAF)

Name	Description	Log file	Service
Awarrenhttp	HTTPS Proxy service	`awarrenhttp.log`	awarrenhttp
Awarrenhttp access	HTTPS proxy service website access	`awarrenhttp_access.log`	awarrenhttp
Awarrensmtp	SMTPS legacy proxy service	`awarrensmtp.log`	awarrensmtp
Awarrenmta	Mail transfer agent proxy service	`awarrenmta.log`	awarrenmta
Awarrenmta debug	(v17+) Mail transfer agent proxy service debug mode	`awarrenmta_debug.log`	awarrenmta
FTP	FTP proxy service	`ftpproxy.log`	FTPproxy
nSXLd	web categorization and IP reputation	`nSXLd.log`	nSXLd
Skein	HTTP/FTP legacy proxy	`skein.log`
SMTP	(v17.5+) Mail transfer agent proxy service	`smtpd_main.log`	smtpd
SMTP error	(v17.5+) Mail transfer agent proxy service errors	`smtpd_error.log`	smtpd
SMTP panic	(v17.5+) Mail transfer agent proxy service panic	`smtpd_panic.log`	smtpd
SMTP reject	(v17.5+) Mail transfer agent proxy service reject	`smtpd_reject.log`	smtpd
Warren	POP/IMAP proxy service	`warren.log`	warren
WAF	Web application firewall proxy service	`reverseproxy.log`	reverseproxy
Web proxy	Web proxy service	`webproxy.log`
WINGc	(v15+) web categorization	`WINGc.log`	WINGc

Note

Sophos Firewall always blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports.

VPN

Name	Description	Log file	Service
Clientless SSL VPN	Clientless SSL VPN client service	`clientless_access.log`	clientless_access
IPsec	(v15-v16) IPsec VPN service	`ipsec.log`	ipsec
IPsec	(v17+) IPsec VPN service	`strongswan.log`	strongswan
IPsec	(v17+) IPsec VPN service	`charon.log`	strongswan
IPsec	IPsec connection testing log files	`ipsec_Test_Connect.log`
IPsec	IPsec monitoring service	`ipsec_monitor.log`	ipsec_monitor
L2TP	Layer 2 tunneling protocol daemon	`l2tpd.log`	l2tpd
PPTP	Point-to-point tunneling VPN daemon	`pptpvpn.log`	pptpd
SSL VPN	SSL VPN client service	`sslvpn.log`	sslvpn
VPN PKI	VPN PKI logs	`vpncertificate.log`
VPN PKI	VPN PKI logs	`wc_remote.log`
VPN service	VPN service	`strongswan-monitor.log`	strongswan
VPN service	VPN service	`sync.log`
XFRM	XFRM tunnel interface service	`xfrmi.log`

Sophos Firewall uses Openswan for IPsec VPN and OpenVPN for SSL VPN.

Other logs

Name	Description	Log file	Service
API	API service log	`apiparser.log`
API	API service log	`app-feedback.log`
AWED	Wireless controller service	`awed.log`	awed
Category updates	Category update log file	`catUpdateLog`
Central management	Central management service	`centralmanagement.log`
Central management	Central management service	`sophos-central.log`
CSC	Sophos Central service which manages all services	`csc.log`	csc
CSC helper	CSC helper service	`cschelper.log`	csc
CSC	CSC service	`csd.log`	csc
CSC	Configuration logs	`applog.log`	csc
Hotspot	Hotspot service	`hostapd.log`	hostapd
Hotspot	Hotspot service	`hotspot.log`	hotspotd
Hotspot	Hotspot service	`hotspotd.log`	hotspotd
iView	iVew logging service	`iview.log`
Licensing	Licensing log	`licensing.log`
Net-SNMP	SNMP log file	`snmpd.log`	snmpd
OpenSSH	OpenSSH/Dropbear service	`sshd.log`
OpenSSH	OpenSSH/Dropbear service	`ssod.log`	ssod
RED	RED service	`red.log`	red
SMB filesystem	SMB filesystem log files	`smbnetfs.log`
SMB filesystem	SMB filesystem log files	`snireport.log`
Sysinit	System FSCK logs	`sysinit.log`	sysinit
Syslog	Syslog service	`syslog.log`	syslog
System Updates	System update log	`u2d.log`	u2d
Signature upgrade	Signature upgrade log	`sig_update.log`
Validation	Validation log files	`validation.log`
Validation	Validation log files	`validationError.log`
VMware tools	VMware tool service (SRM)	`vmtool.log`	vmtool
Wi-Fi	Wi-Fi authentication service	`wifiauth.log`