Log viewer
Show event information for different modules and filter logs. Take action on linked rules and policies.
To generate logs, select Log firewall traffic in each firewall rule.
The log viewer opens in a new full-screen browser window. By default, it shows firewall logs.
You can take the following actions:
- Customize the view by selecting different modules or switching between tabular and detailed views. You can also decrypt anonymized information.
- Filter by module, field, value, time, or free text.
- Change web policies, firewall rules, or SSL/TLS rules.
For more information on logs and their values, see the Logfile guide.
The log viewer automatically refreshes the view with new information as it comes in.
How to change the view
Use the following controls to change what the log viewer shows:
Control | Description
---|---
Module selector | Select a different module to view other or additional logs.
Detailed view | See a detailed view of each log. You can also hover on a module icon to see details.
Standard view | View logs in table format.
Add/Remove columns | Add or remove columns to the list.
Pause | Pause automatic refresh of the logs.
Refresh | Force the logs to refresh.
Export | Export logs in CSV format.
Open PCAP | View packet information when packet capture is turned on.
Deanonymize | View identities when data anonymization is turned on. You must be authorized and must provide your authentication credentials.
Copy to clipboard | Copy the information to the clipboard.
How to filter logs
Use filters to break down information.
- Filter by module: Select a module from the module drop-down menu. There's no limit to the number of log events stored for each module in the log viewer. The number of entries shown depends on the disk size of the firewall.
- Filter by field and value: Click Add filter and select a field, a condition, and a value. Find available values in the Logfile guide. You can also click a field to add it as a filter.
- Filter by time: Select a time frame from the Timer filter.
- Free text search: Use the search field or click a field and select Free text search. For example, you can use ports, IP addresses, usernames, or rules. This works with anonymized information as well.
To clear all filters at once, click Reset.
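The filter types above (module, field/condition/value, free text) can be reproduced offline over exported log entries. The following is an added example, not code from the page or from Sophos: it parses constructed entries written in the key="value" style of the Logfile guide (the field names and values here are assumptions, made up for the example), then applies each kind of filter and shows why the detailed view's src_trans_ip field matters when the standard view reports the MASQ address.

```python
import re
from typing import Callable, Dict, List

# Constructed sample entries. The key="value" layout and field names are an
# assumption of this example based on the Logfile guide; every value is made up.
SAMPLE_LOG = """\
device_name="SFW" log_type="Firewall" log_subtype="Allowed" fw_rule_id="3" user_name="alice" src_ip="10.1.1.5" dst_ip="198.51.100.10" dst_port="443" src_trans_ip="203.0.113.5" protocol="TCP"
device_name="SFW" log_type="Firewall" log_subtype="Denied" fw_rule_id="7" user_name="bob" src_ip="10.1.1.9" dst_ip="198.51.100.22" dst_port="22" protocol="TCP"
device_name="SFW" log_type="SSL" log_subtype="Allowed" user_name="alice" src_ip="10.1.1.5" dst_ip="198.51.100.10" dst_port="443" error_id="19004"
device_name="SFW" log_type="SSL" log_subtype="Denied" user_name="carol" src_ip="10.1.1.12" dst_ip="198.51.100.40" dst_port="443" error_id="19005"
"""

# One key="value" pair; the value may contain backslash-escaped quotes.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of field -> value."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entries.append({k: v for k, v in PAIR_RE.findall(line)})
    return entries


# Conditions offered by the field/condition/value filter in this example.
CONDITIONS: Dict[str, Callable[[str, str], bool]] = {
    "is": lambda actual, wanted: actual == wanted,
    "is not": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted in actual,
}


def filter_by_field(entries, field: str, condition: str, value: str):
    """Field/condition/value filter. Entries that lack the field never match,
    so 'is not' on an absent field does not silently include the entry."""
    test = CONDITIONS[condition]
    return [e for e in entries if field in e and test(e[field], value)]


def filter_by_module(entries, module: str):
    """Module filter: here a module is identified by the log_type field (assumption)."""
    return filter_by_field(entries, "log_type", "is", module)


def free_text_search(entries, needle: str):
    """Free text search: match the text in any field value, case-insensitively."""
    n = needle.lower()
    return [e for e in entries if any(n in v.lower() for v in e.values())]


def outgoing_address(entry: Dict[str, str], masq_ip: str) -> str:
    """The standard view reports the MASQ address as the outgoing address; the
    real translated source, when one was used, is only in src_trans_ip."""
    return entry.get("src_trans_ip", masq_ip)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(len(filter_by_module(entries, "Firewall")), "firewall entries")
    print(len(filter_by_field(entries, "dst_port", "is", "443")), "entries to port 443")
    for e in filter_by_field(entries, "error_id", "is", "19005"):
        print("blocked by web policy:", e["user_name"], e["dst_ip"])
    print(len(free_text_search(entries, "alice")), "entries mentioning alice")
    print("outgoing for rule 3:", outgoing_address(entries[0], "203.0.113.1"))
```

Stacking calls (for example `filter_by_field(filter_by_module(entries, "SSL"), "error_id", "is", "19004")`) combines filters the way adding several filters in the viewer narrows the list; Reset in the viewer corresponds to going back to the full `entries` list.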
How to edit policies and rules
The log viewer provides actions and links based on the module and log. This helps you manage web policies, NAT and firewall rules, and IPS policies. You can do the following:
- Exclude a website or web category from decryption: Select SSL/TLS inspection from the module drop-down menu. Then move right to Manage and select Exclude. Select an option from the following list in the pop-up window and select Exclude.
  - Subdomain or Domain: Domains and subdomains are added to the URL group Local TLS exclusion list.
  - Web category: Web categories are added to the rule Exclusions by website or category.
  - Other properties: Example: Username or IP address. Select the SSL/TLS engine rule to specify the object. The exclude option isn't shown for traffic with error IDs 19004 (allowed traffic) and 19005 (blocked by a web policy).
  To view the exclusion lists, go to Rules and policies > SSL/TLS inspection rules.
- Remove a signature for an IPS policy: Click on a signature ID and select Disable signature for this IPS policy.
- Edit a rule: When you click a web policy, a NAT rule, or a firewall rule, you can follow a link back to the web admin console to edit that specific rule.
Note
Firewall rules: Sessions are logged when a connection is terminated upon receiving a connection "Destroy" event. Connections that are terminated without a "Destroy" event being seen by Sophos Firewall, such as during the loss of internet connection, aren't logged.
SSL/TLS connections: Logs are recorded after the handshake is completed or when the connection is closed.
Differences between the standard view and detailed view
If you use a translated source address other than the MASQ (default masqueraded) address, the standard view of firewall rules shows the MASQ address as the outgoing address. To see the actual translated source address, see the src_trans_ip in the detailed view.