Log viewer
Display event information for different modules and filter logs. Take action on linked rules and policies.
To generate logs, select Log firewall traffic in each firewall rule.
The log viewer opens in a new full-screen browser window. By default, it shows firewall logs.
You can take the following actions:
- Customize the view by selecting different modules or switch between tabular and detailed view. You can also decrypt anonymized information.
- Filter by module, field, value, time, or free text.
- Modify web policies, firewall rules, or SSL/TLS rules.
For more information on logs and their values, see the Logfile guide.
The log viewer automatically refreshes the view with new information as it comes in.
How to change the view
Use the following controls to change what the log viewer shows:
How to filter logs
Use filters to break down information.
-
Filter by module: Select a module from the module drop-down menu.
There's no limit to the number of log events stored for each module in the log viewer. The number of entries shown depends on the disk size of the firewall.
-
Filter by field and value: Click Add filter and select a field, a condition, and a value. Find available values in the Logfile guide.
You can also click on a field to add it as a filter.
-
Filter by time: Select a time frame from the Timer filter.
- Free text search: Use the search field or click on a field and select Free text search. For example, you can use ports, IP addresses, usernames, or rules. This works with anonymized information as well.
To clear all filters at once, click Reset.
How to modify policies and rules
The log viewer provides actions and links based on the module and log. This helps you manage web policies, NAT and firewall rules, and IPS policies. You can do the following:
-
Exclude a website or web category from decryption: Select SSL/TLS inspection from the module drop-down menu. Then move right to Manage and select Exclude. Select an option from the following list in the pop-up window and then select Exclude.
- Subdomain or Domain: Domains and subdomains are added to the URL group Local TLS exclusion list.
- Web category: Web categories are added to the rule Exclusions by website or category.
- Other properties: Example: Username or IP address. Select the SSL/TLS engine rule to specify the object. The exclude option is not shown for traffic with error IDs
19004
(allowed traffic) and19005
(blocked by a web policy).
To view the exclusion lists, go to Rules and policies > SSL/TLS inspection rules.
-
Remove a signature for an IPS policy: Click on a signature ID and select Disable signature for this IPS policy.
-
Edit a rule: When you click a web policy, a NAT rule, or a firewall rule, you can follow a link back to the web admin console to edit that specific rule.
Note
Firewall rules: Sessions are logged when a connection is terminated upon receiving a connection "Destroy" event. Connections that are terminated without a "Destroy" event being seen by Sophos Firewall, such as during the loss of internet connection, aren't logged.
SSL/TLS connections: Logs are recorded after the handshake is completed or when the connection is closed.
Differences between the standard view and detailed view
If you use a translated source address other than the MASQ (default masqueraded) address, the standard view of firewall rules shows the MASQ address as the outgoing address. To see the actual translated source address, see the src_trans_ip in the detailed view.
More resources