Skip to content

Log viewer

Display event information for different modules and filter logs. Take action on linked rules and policies.

To generate logs, select Log firewall traffic in each firewall rule.

The log viewer opens in a new full-screen browser window. By default, it shows firewall logs.

Default view.

You can take the following actions:

  • Customize the view by selecting different modules or switch between tabular and detailed view. You can also decrypt anonymized information.
  • Filter by module, field, value, time, or free text.
  • Modify web policies, firewall rules, or SSL/TLS rules.

For more information on logs and their values, see the Logfile guide.

The log viewer automatically refreshes the view with new information as it comes in.

How to change the view

Use the following controls to change what the log viewer shows:

Control Name of control Description
Select modules. Module selector Select a different module to view other or additional logs.
Detailed view button. Detailed view See a detailed view of each log.

You can also hover on a module icon to see details.
Standard view button. Standard view View logs in table format.
Button to add or remove columns. Add/Remove columns Add or remove columns to the list.
Pause button. Pause Pause automatic refresh of the logs.
Refresh button. Refresh Force the logs to refresh.
Export logs button. Export Export logs in CSV format.
Open PCAP Open PCAP View packet information when packet capture is turned on.
Data anonymization button. Deanonymize View identities when data anonymization is turned on. You must be authorized and must provide your authentication credentials.
Button to copy logs to clipboard. Copy to clipboard Copy the information to the clipboard.

How to filter logs

Use filters to break down information.

  • Filter by module: Select a module from the module drop-down menu.

    There's no limit to the number of log events stored for each module in the log viewer. The number of entries shown depends on the disk size of the firewall.

  • Filter by field and value: Click Add filter and select a field, a condition, and a value. Find available values in the Logfile guide.

    You can also click on a field to add it as a filter.

  • Filter by time: Select a time frame from the Timer filter.

  • Free text search: Use the search field or click on a field and select Free text search. For example, you can use ports, IP addresses, usernames, or rules. This works with anonymized information as well.

To clear all filters at once, click Reset.

How to modify policies and rules

The log viewer provides actions and links based on the module and log. This helps you manage web policies, NAT and firewall rules, and IPS policies. You can do the following:

  • Exclude a website or web category from decryption: Select SSL/TLS inspection from the module drop-down menu. Then move right to Manage and select Exclude. Select an option from the following list in the pop-up window and then select Exclude.

    • Subdomain or Domain: Domains and subdomains are added to the URL group Local TLS exclusion list.
    • Web category: Web categories are added to the rule Exclusions by website or category.

    • Other properties: Example: Username or IP address. Select the SSL/TLS engine rule to specify the object.

    The exclude option is not shown for traffic with error IDs 19004 (allowed traffic) and 19005 (blocked by a web policy).

    To view the exclusion lists, go to Rules and policies > SSL/TLS inspection rules.

  • Remove a signature for an IPS policy: Click on a signature ID and select Disable signature for this IPS policy.

  • Edit a rule: When you click a web policy, a NAT rule, or a firewall rule, you can follow a link back to the web admin console to edit that specific rule.

    Filter a NAT rule.


Firewall rules: Sessions are logged when a connection is terminated upon receiving a connection "Destroy" event. Connections that are terminated without a "Destroy" event being seen by Sophos Firewall, such as during the loss of internet connection, aren't logged.

SSL/TLS connections: Logs are recorded after the handshake is completed or when the connection is closed.

Differences between the standard view and detailed view

If you use a translated source address other than the MASQ (default masqueraded) address, the standard view of firewall rules shows the MASQ address as the outgoing address. To see the actual translated source address, see the src_trans_ip in the detailed view.

More resources