

Logs provide insight into network activity and system events that let you identify security issues and see which of the configured rules apply. You can send logs to a syslog server or view them through the log viewer. Using data anonymization, you can encrypt identities in logs and reports.

Local logs

Local logs are the log files you can see using the log viewer or the command-line interface. They're also the basis for the reports in Sophos Firewall.

Find detailed information on local logs in Log file details.

Log storage

The firewall stores logs in its /var partition. Stored logs can take up to 15 percent of the total /var partition or 50 percent of the free space available in the /var partition (whichever is less).

The firewall copies log files from its memory to its file system. If the firewall stops responding, files that aren't already copied to the file system are erased.

Log rotation

The firewall allocates different size limits for log files based on their module. When the log file reaches the limit, the firewall compresses it into a .gz file and starts storing logs using the original filename.

It creates up to five rotations, that is, compressed files, depending on the subsystem. When the logs for a subsystem reach its disk limit, the firewall deletes the oldest .gz file first.

Purge logs

You can purge the compressed logs, all logs, or logs for specific subsystems. Sign in to the CLI, enter 4 for Device console, and enter one of the following commands:

  • All subsystems:

    • Purge all logs: system diagnostics purge-all-logs
    • Purge all compressed logs: system diagnostics purge-old-logs
  • Specific subsystems:

    • Purge all logs of specific subsystems: system diagnostics <subsystem> purge-log
    • Purge the compressed logs of specific subsystems: system diagnostics <subsystem> purge-old-log

Syslog information

Find detailed information about syslog IDs, types, messages, and their meaning in the Syslog file guide.

The log ID is a twelve-character code in the following format:

  • c1c2: Log type ID
  • c3c4: Log component ID
  • c5c6: Log subtype ID
  • c7: Priority
  • c8c9c10c11c12: Message ID

Example breakdown of a log ID (these field values combine to 010101600001):

  • c1c2: 01 (Security policy)
  • c3c4: 01 (Firewall rule)
  • c5c6: 01 (Allowed)
  • c7: 6 (Information)
  • c8c9c10c11c12: 00001 (Firewall traffic allowed)
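As an added example (not part of the Sophos documentation), the following Python splits a log ID into the five positional fields above and labels them using only the code values this page documents; the `log_id="..."` syslog field name and the sample line are assumptions, not taken from the page.

```python
import re
from dataclasses import dataclass

# Code values documented on the page; any other code is reported as "unknown".
LOG_TYPES = {"01": "Security policy"}
LOG_COMPONENTS = {"01": "Firewall rule"}
LOG_SUBTYPES = {"01": "Allowed"}
PRIORITIES = {"6": "Information"}
MESSAGES = {"00001": "Firewall traffic allowed"}

LOG_ID_RE = re.compile(r"\d{12}")
# Assumed field name: a syslog line carrying log_id="..." (constructed, not from the page).
SYSLOG_LOG_ID_RE = re.compile(r'\blog_id="?(\d{12})(?!\d)"?')


@dataclass(frozen=True)
class LogId:
    log_type: str   # c1c2
    component: str  # c3c4
    subtype: str    # c5c6
    priority: str   # c7
    message: str    # c8c9c10c11c12

    def describe(self) -> dict:
        """Map each field to its documented meaning, or 'unknown' if not in the tables."""
        return {
            "log_type": LOG_TYPES.get(self.log_type, "unknown"),
            "component": LOG_COMPONENTS.get(self.component, "unknown"),
            "subtype": LOG_SUBTYPES.get(self.subtype, "unknown"),
            "priority": PRIORITIES.get(self.priority, "unknown"),
            "message": MESSAGES.get(self.message, "unknown"),
        }


def parse_log_id(value: str) -> LogId:
    """Split a twelve-digit log ID into its five positional fields."""
    if not LOG_ID_RE.fullmatch(value):
        raise ValueError(f"log ID must be exactly twelve digits, got {value!r}")
    return LogId(value[0:2], value[2:4], value[4:6], value[6], value[7:12])


def log_ids_from_syslog(lines):
    """Yield (log ID, description) for every line carrying a well-formed log_id field."""
    for line in lines:
        m = SYSLOG_LOG_ID_RE.search(line)
        if m:
            yield m.group(1), parse_log_id(m.group(1)).describe()
```

Feed it the lines received by your syslog server to see which rule, subtype and message each event maps to; codes outside the page's tables are flagged as unknown rather than guessed.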
