Log file details

The reports you see on the web admin console are generated using the log files. You can view logs using the log viewer or the command-line interface (CLI). See Log viewer.

Using the CLI, you can find the log files in the /log directory. You can access the CLI by going to admin > Console, in the upper right corner of the web admin console.

On the CLI, select option 5. Device Management, then option 3. Advanced Shell. Then change to the log directory using the command cd /log.

You can use the following commands for the log files.

Command | Syntax | Example | Description
tail -f | tail -f /log/<logfilename>.log | tail -f /log/ips.log | Shows the log file's latest entries as they're written.
less | less /log/<logfilename>.log | less /log/ips.log | Shows a static view of the log file.
grep | grep <keyword> /log/<logfilename>.log | grep error /log/ips.log | Filters the log file for lines containing the keyword.
service | service <service name>:start/restart/stop/debug -ds nosync | service ips:debug -ds nosync | Starts, restarts, stops, or debugs a service.

Note

When a log rotates, a file extension of .log.0 is created. For example, smtpd_main.log.0.
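Because a rotated generation keeps the entries that have just left the live file, a search on the Advanced Shell usually needs to cover <name>.log and every <name>.log.N together. The following POSIX shell script is an added example, not part of the Sophos documentation: it defines count_matches and show_matches, which grep a keyword across the live file and all rotated copies under a LOGDIR (assumed to default to /log), and it builds constructed sample files in a temporary directory so it can be run off the appliance.

```shell
#!/bin/sh
# Added example, not Sophos code: search a keyword across a log file and its
# rotated generations (<name>.log, <name>.log.0, <name>.log.1, ...).
# LOGDIR is assumed to default to /log, the directory the documentation names.
LOGDIR="${LOGDIR:-/log}"

# log_files <logname>: prints the live file followed by any rotated copies that
# actually exist. An unmatched glob is left as a literal, so the -f test drops it.
log_files() {
    for f in "$LOGDIR/$1.log" "$LOGDIR/$1.log".[0-9]*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# count_matches <logname> <keyword>: prints the total number of matching lines
# across every generation of the log.
count_matches() {
    total=0
    for f in $(log_files "$1"); do
        # grep -c prints 0 and exits 1 when nothing matches; keep the 0, ignore the status.
        n=$(grep -c -- "$2" "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# show_matches <logname> <keyword>: prints each matching line prefixed with the
# file it came from, so rotated and live entries can be told apart.
show_matches() {
    for f in $(log_files "$1"); do
        grep -H -- "$2" "$f" || true
    done
}

# Constructed sample data so the example runs offline; these are not real
# Sophos Firewall log lines. Sets LOGDIR to a fresh temporary directory.
make_sample_logs() {
    LOGDIR=$(mktemp -d)
    printf '%s\n' 'INFO  ips started' 'ERROR rule load failed' 'INFO  heartbeat ok' > "$LOGDIR/ips.log"
    printf '%s\n' 'ERROR signature mismatch' 'ERROR rule load failed' > "$LOGDIR/ips.log.0"
    printf '%s\n' 'WARN  old entry' > "$LOGDIR/ips.log.1"
}

# Stand-alone demo: on a real appliance you would skip make_sample_logs and
# run, for example, show_matches ips error against /log.
make_sample_logs
show_matches ips ERROR
echo "total ERROR lines across generations: $(count_matches ips ERROR)"
```

The file list deliberately avoids parsing ls output; the glob plus the -f test is enough, and a missing log name simply yields an empty list and a count of 0.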

Antivirus and anti-spam

Name | Description | Log file | Service
Antivirus | Antivirus service | av.log | Antivirus
Antivirus updates | Antivirus update service | up2date_av.log |
Anti-spam | Anti-spam service | sasi.log | Anti-spam
Sandbox | Sandbox service | sandboxd.log | sandboxd
Sandbox | Sandbox service | sessiontbl.log |
  • Sophos Firewall uses Avira and Sophos Antivirus.

Authentication

Name | Description | Log file | Service
Access server | User authentication, authorization and accounting service | access_server.log | access_server
Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access
NASM | NTLM authentication service | nasm.log | nasm
  • Access server is a custom-developed service that handles AAA activity.

Database

Name | Description | Log file | Service
Configuration database | Configuration database log files | confdbstatus.log |
Configuration database | Configuration database log files | crreportdb.log |
Garner | Logging service for postponement, event log and graphs | garner.log | garner
Migration database | Report migration log files | sac-feedback.log |
Migration database | Report migration log files | reportmigration.log |
Postgres database | Configuration database service | postgres.log | postgres
Signature database | Signature database service | sigdb.log | sigdb
Reporting database | Report database service | reportdb.log | reportdb

Firewall

Name | Description | Log file | Service
BWM | Bandwidth management service (QoS) | bwm.log | bwm
Firewall rule logging | Firewall rule logging service | firewall_rule.log |
Firewall | Virtual host service | vhost.log |
FWlog | Firewall logging service | fwlog.log | fwlog
NAT | NAT rule log files | nat_rule.log |
NAT | NAT rule log files | pimd.log | pmid
Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd
  • Sophos Firewall uses iptables, the ARP table, ipset and conntrack for firewall connections.
  • IMQ is used for QoS.

GUI and CLI

Name | Description | Log file | Service
Apache | GUI service | apache.log | apache
Apache | GUI service | apache_access.log | apache
SSH | SSH logs | sshd.log | sshd
Error log | Error log messages for GUI and CLI | error_log.log |
Tomcat | GUI service | tomcat.log | tomcat

Heartbeat

Name | Description | Log file | Service
Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-eventd
Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-heartbeatd
Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-updaterd
Heartbeat | Heartbeat service | heartbeatd.log | heartbeatd
Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd

High availability

Name | Description | Log file | Service
Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd
High availability | HA configuration and status updates | applog.log |
High availability | HA pair service | ha_pair.log | ha_pair
High availability | HA tunnel service | ha_tunnel.log | ha_tunnel
Msync | HA synchronization service | msync.log | msync

Note

High availability cluster logs are stored on the appliance where they're generated. We recommend using Sophos Central Firewall Reporting (CFR) to view the consolidated reports from both devices. To view the raw logs of the auxiliary appliance, you must connect to its admin port over SSH with the command ssh admin@IPADDRESS, replacing IPADDRESS with the admin port IP address of the auxiliary appliance.

Intrusion prevention and application filter

Name | Description | Log file | Service
Application filter | The application filter uses the same service and log file as IPS | ips.log | ips
Intrusion prevention and application filter | Antivirus service | avd.log | antivirus
Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log |
Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log |
IPS | Intrusion prevention filter service | ips.log | ips

Network

The following logs relate to general networking services.

Name | Description | Log file | Service
Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD
DHCP | Dynamic host configuration server service | dhcpd.log | dhcpd
DHCP6 | Dynamic host configuration service for IPv6 | dhcp6.log | dhcpd6
DDC | Dynamic domain name service client service | ddc.log | ddc
DNS | DNS service | dnsd.log | dnsd
DNS | DNS service | dnsgrabber.log | dnsd
DNS | DNS service | eacd.log |
DNS | DNS service | entity.log |
Network | Network service (interface, IP, PPPoE) | networkd.log | networkd
Network | FQDN logging service | fqdnd.log | fqdnd
Network | FQDN logging service | fqdndebug.log | fqdnd
NTPclient | Network time protocol client service | ntpclient.log | ntpclient
RAD | Router advertisement service for IPv6 | radvd.log | radvd

The following logs relate to dynamic-routing services.

Name | Description | Log file | Service
BGP | Border Gateway Protocol routing service | bgpd.log | bgpd
OSPF | Open Shortest Path First routing service | ospfd.log | ospfd
RIP | Routing Information Protocol routing service | ripd.log | ripd

The following logs relate to static routing services.

Name | Description | Log file | Service
Application based routing | Application based routing service | appcached.log | appcached
Application based routing | Redis service | redis | redis-appcache
Multicast routing | Multicast routing service | mrouting.log | mrouting
Zebra | Static routing service | zebra.log | zebra

Proxy (HTTPS, SMTPS, POP, IMAP, FTP, WAF)

Name | Description | Log file | Service
Awarrenhttp | HTTPS proxy service | awarrenhttp.log | awarrenhttp
Awarrenhttp access | HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp
Awarrensmtp | SMTPS legacy proxy service | awarrensmtp.log | awarrensmtp
Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta
Awarrenmta debug (v17+) | Mail transfer agent proxy service debug mode | awarrenmta_debug.log | awarrenmta
FTP | FTP proxy service | ftpproxy.log | FTPproxy
nSXLd | Web categorization and IP reputation | nSXLd.log | nSXLd
Skein | HTTP/FTP legacy proxy | skein.log |
SMTP (v17.5+) | Mail transfer agent proxy service | smtpd_main.log | smtpd
SMTP error (v17.5+) | Mail transfer agent proxy service errors | smtpd_error.log | smtpd
SMTP panic (v17.5+) | Mail transfer agent proxy service panic | smtpd_panic.log | smtpd
SMTP reject (v17.5+) | Mail transfer agent proxy service reject | smtpd_reject.log | smtpd
Warren | POP/IMAP proxy service | warren.log | warren
WAF | Web application firewall proxy service | reverseproxy.log | reverseproxy
Web proxy | Web proxy service | webproxy.log |

Note

Sophos Firewall always blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports.

VPN

Name | Description | Log file | Service
Clientless SSL VPN | Clientless SSL VPN client service | clientless_access.log | clientless_access
IPsec (v15-v16) | IPsec VPN service | ipsec.log | ipsec
IPsec (v17+) | IPsec VPN service | strongswan.log | strongswan
IPsec (v17+) | IPsec VPN service | charon.log | strongswan
IPsec | IPsec connection testing log files | ipsec_Test_Connect.log |
IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor
L2TP | Layer 2 tunneling protocol daemon | l2tpd.log | l2tpd
PPTP | Point-to-point tunneling VPN daemon | pptpvpn.log | pptpd
SSL VPN | SSL VPN client service | sslvpn.log | sslvpn
VPN PKI | VPN PKI logs | vpncertificate.log |
VPN PKI | VPN PKI logs | wc_remote.log |
VPN service | VPN service | strongswan-monitor.log | strongswan
VPN service | VPN service | sync.log |
XFRM | XFRM tunnel interface service | xfrmi.log |
  • Sophos Firewall uses strongSwan for IPsec VPN and OpenVPN for SSL VPN.

Other logs

Name | Description | Log file | Service
API | API service log | apiparser.log |
API | API service log | app-feedback.log |
AWED | Wireless controller service | awed.log | awed
Category updates | Category update log file | catUpdateLog |
Central management | Central management service | centralmanagement.log |
Central management | Central management service | sophos-central.log |
CSC | Sophos Central service which manages all services | csc.log | csc
CSC helper | CSC helper service | cschelper.log | csc
CSC | CSC service | csd.log | csc
CSC | Configuration logs | applog.log | csc
Hotspot | Hotspot service | hostapd.log | hostapd
Hotspot | Hotspot service | hotspot.log | hotspotd
Hotspot | Hotspot service | hotspotd.log | hotspotd
iView | iView logging service | iview.log |
Licensing | Licensing log | licensing.log |
Net-SNMP | SNMP log file | snmpd.log | snmpd
OpenSSH | OpenSSH/Dropbear service | sshd.log |
OpenSSH | OpenSSH/Dropbear service | ssod.log | ssod
RED | RED service | red.log | red
SMB filesystem | SMB filesystem log files | smbnetfs.log |
SMB filesystem | SMB filesystem log files | snireport.log |
Sysinit | System FSCK logs | sysinit.log | sysinit
Syslog | Syslog service | syslog.log | syslog
System updates | System update log | u2d.log | u2d
Signature upgrade | Signature upgrade log | sig_update.log |
Validation | Validation log files | validation.log |
Validation | Validation log files | validationError.log |
VMware tools | VMware tool service (SRM) | vmtool.log | vmtool
Wi-Fi | Wi-Fi authentication service | wifiauth.log |