Sophos Firewall provides extensive logging capabilities for traffic, system, and network protection functions. You can use logs to analyze network activity to help identify security issues and reduce network abuse.
You can store logs locally, send them to Sophos Central, or send them to third-party syslog servers.
You can select logs to store or send by module or feature, or you can select all logs.
You can suppress logs, eliminating multiple consecutive log entries for an event. Log suppression saves logging space and processing cycles. If you turn on this feature, it applies to logs sent to the log viewer, Sophos Central, and third-party syslog servers. You can see the number of log entries for an event under Log occurrence in the log viewer.
To view or change log settings, go to System services > Log settings.
- To store logs locally, select logs under Local reporting.
To send logs to Sophos Central you must go to the Sophos Central page and turn on Sophos Central services.
On the Log settings page, the logs supported by central reporting are selected by default. You can select and deselect logs under Central reporting.
To send logs to a syslog server, click Add and specify the syslog server details. The syslog server will appear on the log settings page. Select the logs to send. You can also edit or delete syslog servers.
- Under Suppress logs, select All to suppress all logs. Currently, you can only suppress the logs under Firewall.
Syslog is a protocol for collecting and forwarding messages from devices such as Sophos Firewall to a server running a syslog daemon. Syslog normally uses UDP port 514 for communication.
Syslog servers provide a central logging facility and long-term protected storage for logs, which is useful for routine troubleshooting and incident handling.
Sophos Firewall can send detailed logs to external syslog servers. Sophos Firewall supports a maximum of five syslog servers.
Firewall: Firewall logs provide information about traffic associated with the firewall configuration, such as firewall rules, MAC filtering, and DoS attacks.
IPS: IPS logs provide records of detected and dropped attacks based on unknown or suspicious patterns (anomalies) and signatures.
Antivirus: Antivirus logs provide details of viruses detected in HTTP, SMTP, FTP, POP3, IMAP4, HTTPS, SMTPS, IMAPS, and POPS traffic.
Anti-spam: Anti-spam logs provide details about SMTP, POP3, IMAP4, SMTPS, POPS, IMAPS spam, and probable spam mails.
Content filtering: Content filtering logs provide details about web and application filtering events, such as those associated with web policies.
To view events associated with a web policy, you must select Log firewall traffic in the associated firewall rule.
Events: Event logs provide information about configuration activities, authentication activities, and system activities.
Web server protection: Web server protection logs provide details of web server protection activities, for example, protection policies.
Active threat response: Active threat response logs provide information about logged and blocked traffic based on MDR threat feeds and Sophos X-Ops threat feeds.
Wireless: Wireless logs provide details about access point activity and SSIDs.
Under Local reporting, Access points & SSID is turned off by default, as wireless logs aren't available in the Sophos Firewall log viewer. You can view wireless logs if you send them to a syslog server.
Heartbeat: Heartbeat logs provide information about the health status of the endpoints.
System health: System health logs provide details of CPU usage, memory usage, number of live users, interfaces, and disk partitions.
Zero-day protection: Zero-day protection logs provide records of all Zero-day protection events.