Page permalink
Always use the following permalink when referencing this page. It will remain unchanged in future help versions.
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=logs-file-details
See the troubleshooting log files you must check for each module.
Antivirus and anti-spam
Name | Description | Log file | Service |
---|---|---|---|
Antivirus | Antivirus service | av.log | Antivirus |
Antivirus updates | Antivirus update service | up2date_av.log | |
Anti-spam | Anti-spam service | sasi.log | Anti-spam |
Sandbox | Sandbox service | sandboxd.log | sandboxd |
Sandbox | Sandbox service | sessiontbl.log | |
- Sophos Firewall uses Avira and Sophos Antivirus.
Authentication
Name | Description | Log file | Service |
---|---|---|---|
Access server | User authentication, authorization and accounting service | access_server.log | access_server |
Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access |
NASM | NTLM authentication service | nasm.log | nasm |
- Access server is a custom-developed service that handles AAA activity.
Database
Name | Description | Log file | Service |
---|---|---|---|
Configuration database | Configuration database log files | confdbstatus.log | |
Configuration database | Configuration database log files | crreportdb.log | |
Garner | Logging service for postponement, event log and graphs | garner.log | garner |
Migration database | Report migration log files | sac-feedback.log | |
Migration database | Report migration log files | reportmigration.log | |
Postgres database | Configuration database service | postgres.log | postgres |
Signature database | Signature database service | sigdb.log | sigdb |
Reporting database | Report database service | reportdb.log | reportdb |
Firewall
Name | Description | Log file | Service |
---|---|---|---|
BWM | Bandwidth management service (QoS) | bwm.log | bwm |
Firewall rule logging | Firewall rule logging service | firewall_rule.log | |
Firewall | Virtual host service | vhost.log | |
FWlog | Firewall logging service | fwlog.log | fwlog |
NAT | NAT rule log files | nat_rule.log | |
Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd |
- Sophos Firewall uses iptables, the ARP table, ipset, and conntrack for firewall connections.
- IMQ is used for QoS.
GUI and CLI
Name | Description | Log file | Service |
---|---|---|---|
Apache | GUI service | apache.log | apache |
Apache | GUI service | apache_access.log | apache |
SSH | SSH logs | sshd.log | sshd |
Error Log | Error log messages for GUI and CLI | error_log.log | |
Tomcat | GUI service | tomcat.log | tomcat |
Heartbeat
Name | Description | Log file | Service |
---|---|---|---|
Heartbeat | Heartbeat to Sophos Central communication service | fwcm-eventd | |
Heartbeat | Heartbeat to Sophos Central communication service | fwcm-heartbeatd | |
Heartbeat | Heartbeat to Sophos Central communication service | fwcm-updaterd | |
Heartbeat | Heartbeat service | heartbeatd.log | heartbeatd |
Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd |
High availability
Name | Description | Log file | Service |
---|---|---|---|
Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd |
High availability | HA configuration and status updates | applog.log | |
High availability | HA pair service | ha_pair.log | ha_pair |
High availability | HA tunnel service | ha_tunnel.log | ha_tunnel |
Msync | HA synchronization service | msync.log | msync |
Note
High availability cluster logs are stored on the appliance where they're generated. We recommend using Sophos Central Firewall Reporting (CFR) to view the consolidated reports from both devices. To view the raw logs of the auxiliary appliance, you must connect to its admin port via SSH. To do this, use the following command, replacing IPADDRESS with the admin port IP address of the auxiliary appliance: ssh admin@IPADDRESS
Intrusion prevention and application filter
Name | Description | Log file | Service |
---|---|---|---|
Application filter | The application filter uses the same service and log file as IPS | ips.log | ips |
Intrusion prevention and application filter | Antivirus service | avd.log | antivirus |
Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log | |
Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log | |
IPS | Intrusion prevention filter service | ips.log | ips |
Network
The following logs relate to general networking services.
Name | Description | Log file | Service |
---|---|---|---|
Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD |
DHCP | Dynamic host configuration server service | dhcpd.log | dhcpd |
DHCP6 | Dynamic Host control service for IPv6 | dhcp6.log | dhcpd6 |
DDC | Dynamic domain name service client service | ddc.log | ddc |
DNS | DNS service | dnsd.log | dnsd |
DNS | DNS service | dnsgrabber.log | dnsd |
DNS | DNS service | eacd.log | |
DNS | DNS service | entity.log | |
Network | Network service - Interface/IP/PPPOE | networkd.log | networkd |
Network | FQDN logging service | fqdnd.log | fqdnd |
Network | FQDN logging service | fqdndebug.log | fqdnd |
NTPclient | Network time protocol client service | ntpclient.log | ntpclient |
RAD | Router advertisement service for IPv6 | radvd.log | radvd |
Cellular WAN
Name | What you must look for | Log file |
---|---|---|
WWAN | Insertion and removal of USB devices | mdev.log |
Network | Modem-related network configurations | networkd.log |
Syslog | Syslogs for USB, modem, and PPP (Point-to-Point protocol) | syslog.log |
Routing
Dynamic routes
Name | Description | Log file | Service |
---|---|---|---|
BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |
Multicast (PIM-SM) | Protocol Independent Multicast (PIM) routing service | pimd.log | pimd |
OSPF | Open Shortest Path First routing service | ospfd.log | ospfd |
OSPFv3 | Open Shortest Path First version 3 | ospf6d.log | ospf6d |
RIP | Routing Information Protocol routing service | ripd.log | ripd |
Static routes
Name | Description | Log file | Service |
---|---|---|---|
Application based routing | Application based routing service | appcached.log | appcached |
Application based routing | Redis service | redis | redis-appcache |
Multicast-routing | Multicast routing service | mrouting.log | mrouting |
Zebra | Static routing service | zebra.log | zebra |
Staticd | Static routing service | staticd.log | staticd |
Proxies
HTTPS, FTP, WAF
Name | Description | Log file | Service |
---|---|---|---|
Awarrenhttp | HTTPS Proxy service | awarrenhttp.log | awarrenhttp |
Awarrenhttp access | HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp |
nSXLd | Web categorization and IP reputation | nSXLd.log | nSXLd |
Web proxy | Web proxy service | webproxy.log | |
Skein | HTTP/FTP legacy proxy | skein.log | |
FTP | FTP proxy service | ftpproxy.log | FTPproxy |
WAF | Web application firewall proxy service | reverseproxy.log | reverseproxy |
Note
Sophos Firewall always blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports.
SMTP(S), POP(S), IMAP(S)
Name | Description | Log file | Service |
---|---|---|---|
Awarrensmtp | SMTPS legacy proxy service | awarrensmtp.log | awarrensmtp |
Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta |
Awarrenmta debug | (v17+) Mail transfer agent proxy service debug mode | awarrenmta_debug.log | awarrenmta |
SMTP | (v17.5+) Mail transfer agent proxy service | smtpd_main.log | smtpd |
SMTP error | (v17.5+) Mail transfer agent proxy service errors | smtpd_error.log | smtpd |
SMTP panic | (v17.5+) Mail transfer agent proxy service panic | smtpd_panic.log | smtpd |
SMTP reject | (v17.5+) Mail transfer agent proxy service reject | smtpd_reject.log | smtpd |
Warren | POP/IMAP proxy service | warren.log | warren |
VPN
Name | Description | Log file | Service |
---|---|---|---|
Clientless SSL VPN | Clientless SSL VPN client service | clientless_access.log | clientless_access |
IPsec | (v15-v16) IPsec VPN service | ipsec.log | ipsec |
IPsec | (v17+) IPsec VPN service | strongswan.log | strongswan |
IPsec | (v17+) IPsec VPN service | charon.log | strongswan |
IPsec | IPsec connection testing log files | ipsec_Test_Connect.log | |
IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor |
L2TP | Layer 2 tunneling protocol daemon | l2tpd.log | l2tpd |
PPTP | Point-to-point tunneling VPN daemon | pptpvpn.log | pptpd |
SSL VPN | SSL VPN client service | sslvpn.log | sslvpn |
VPN PKI | VPN PKI logs | vpncertificate.log | |
VPN PKI | VPN PKI logs | wc_remote.log | |
VPN service | VPN service | strongswan-monitor.log | strongswan |
VPN service | VPN service | sync.log | |
XFRM | XFRM tunnel interface service | xfrmi.log | |
- Sophos Firewall uses strongSwan for IPsec VPN and OpenVPN for SSL VPN.
Other logs
Name | Description | Log file | Service |
---|---|---|---|
API | API service log | apiparser.log | |
API | API service log | app-feedback.log | |
AWED | Wireless controller service | awed.log | awed |
Category updates | Category update log file | catUpdateLog | |
Central management | Central management service | centralmanagement.log | |
Central management | Central management service | sophos-central.log | |
CSC | Sophos Central service which manages all services | csc.log | csc |
CSC helper | CSC helper service | cschelper.log | csc |
CSC | CSC service | csd.log | csc |
CSC | Configuration logs | applog.log | csc |
Hotspot | Hotspot service | hostapd.log | hostapd |
Hotspot | Hotspot service | hotspot.log | hotspotd |
Hotspot | Hotspot service | hotspotd.log | hotspotd |
iView | iView logging service | iview.log | |
Licensing | Licensing log | licensing.log | |
Net-SNMP | SNMP log file | snmpd.log | snmpd |
OpenSSH | OpenSSH/Dropbear service | sshd.log | |
OpenSSH | OpenSSH/Dropbear service | ssod.log | ssod |
RED | RED service | red.log | red |
SMB filesystem | SMB filesystem log files | smbnetfs.log | |
SMB filesystem | SMB filesystem log files | snireport.log | |
Sysinit | System FSCK logs | sysinit.log | sysinit |
Syslog | Syslog service | syslog.log | syslog |
System Updates | System update log | u2d.log | u2d |
Signature upgrade | Signature upgrade log | sig_update.log | |
Validation | Validation log files | validation.log | |
Validation | Validation log files | validationError.log | |
VMware tools | VMware tool service (SRM) | vmtool.log | vmtool |
Wi-Fi | Wi-Fi authentication service | wifiauth.log | |