Logs provide insight into network activity and system events that let you identify security issues and see which of the configured rules apply. You can send logs to a syslog server or view them through the log viewer. Using data anonymization, you can encrypt identities in logs and reports.
Local logs are the log files you can see using the log viewer or the command-line interface. They're also the basis for the reports in Sophos Firewall.
Find detailed information on local logs in Log file details.
Log storage on Sophos Firewall
Sophos Firewall stores logs on its
/var partition. Stored logs can take up to 15 percent of the total
/var partition or 50 percent of the free space available in the
/var partition (whichever is less). Sophos Firewall stores logs in chunks of 50 MB. Log deletion is based on a first in, first out (FIFO) system. When disk space fills up, Sophos Firewall deletes logs in 50 MB chunks.
Sophos Firewall copies log files from its memory to its file system. If Sophos Firewall stops responding, any files that aren't already copied to the file system are erased.
Find detailed information about syslog IDs, types, messages, and their meaning in the Syslog file guide.
The log ID is a twelve-character code in the following format:
c1c2: Log type ID
c3c4: Log component ID
c5c6: Log subtype ID
c8c9c10c11c12: Message ID
c1c2: 01 (Security policy)
c3c4: 01 (Firewall rule)
c5c6: 01 (Allowed)
c7: 6 (Information)
c8c9c10c11c12: 00001 (Firewall traffic allowed)