Log files for troubleshooting
See the list of log files to troubleshoot issues with the different modules.
General log files
These log files are related to the system and configuration. They are relevant for many modules.
Tip
Check these log files in addition to the specific module's log files for troubleshooting.
| Service | Log file |
|---|---|
| System startup | sysinit.log |
| Configuration changes | applog.logcsc.log |
| Configuration database | postgres.log |
| System events at the kernel level(See Log viewer for system and administrator-triggered events) | syslog.log |
| Communication channel(Only between some components, the related services, and their event logs) | garner.log |
| System-generated emails and authentication utilities | cschelper.log |
| System startup for firewalls with FIPS turned on | fips.log |
| Packet capture daemon(You can also perform packet capture on Diagnostics > Packet capture) | pktcapd.log |
| Support access | uma.log |
Monitor & Analyze
Logs and reports
| Service | Log file |
|---|---|
| Connection-related logs(Based on firewall rules' log setting and Log settings) | fwlog.log |
| Log suppression for multiple, consecutive entries of an event | syslog-ng.log |
| Database for reports | reportdb.log |
| Log visualization of the web admin console | iview.log |
Protect
Firewall rules and WAF rules
| Service | Log file |
|---|---|
| Firewall rules | firewall_rule.log |
| Web Application Firewall (WAF) | reverseproxy.logfirewall_rule.log (for some WAF configuration details) |
Network Address Translation (NAT) rules and settings
| Service | Log file |
|---|---|
| NAT rules | nat_rule.log |
| NAT setting in site-to-site IPsec connections | charon.log |
| CLI NAT command | applog.log |
Note
When link load balancing occurs, check the following additional log for DNAT issues: dgd.log.
Antivirus
Sophos Firewall uses Avira and Sophos Antivirus.
| Service | Log file |
|---|---|
| Antivirus service | avd.log |
| Antivirus updates | up2date_av.log |
| Zero-day protection | sandboxd.log |
IPS and application filter
| Service | Log file |
|---|---|
| Intrusion Prevention System (IPS)Encryption and decryption of web traffic when DPI engine is usedApplication filterActive threat response | ips.log |
| Temporary cache of categorized applications before they're stored in the database | appcached.log |
| Signature upgrade for IPS and applications | sig_upgrade.log |
| Signature migration for IPS and applications | sigmigration.log |
Web and FTP
Common web logs
| Service | Log file |
|---|---|
| Web categorization and IP reputation | nSXLd.log |
| Category updates | catUpdateLog |
SSL/TLS inspection
SSL/TLS inspection takes place in the Deep Packet Inspection (DPI) mode.
| Service | Log file |
|---|---|
| Encryption and decryption when DPI engine is used | ips.log |
| Undecrypted HTTPS connections when DPI engine is used | httplogd.log |
Web proxy and FTP
| Service | Log file |
|---|---|
| HTTP and HTTPS traffic when web proxy is used | awarrenhttp.log |
| Per request logs when web proxy is used | awarrenhttp_access.log |
| FTP proxy | ftpproxy.log |
| FTP over HTTP proxy | skein.log |
Note
Sophos Firewall always blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports.
Wireless
| Service | Log file |
|---|---|
| AP and APX communication with the firewall | awed.log |
| Wireless client communication to AP and APX | wc_remote.log |
| SSID related to LocalWifi | hostapd.log |
| Hotspot events | hotspotd.log |
| Service | Log file |
|---|---|
| SMTP transparent proxy (legacy proxy) | awarrensmtp.log |
| POP/IMAP proxy | warren.log |
| SMTP MTA mode proxy | smtpd_main.log |
| Email email reject events(SMTP MTA mode proxy) | smtpd_reject.log |
| Email scanning error events(SMTP MTA mode proxy) | smtpd_error.log |
| Internal errors(SMTP MTA mode proxy) | smtpd_panic.log |
| Anti-spamAn inbound or outbound spam policy is required to start the anti-spam service | sasi.log |
Active threat response: MDR threat feeds
| Service | Log file |
|---|---|
| License statusConfiguration status | atr.log |
Note
Firewall rules, DNS, IPS, and web modules implement Active threat response based on the type of Indicators of Compromise (IoC). For more information, see How other modules implement threat feeds.
For IP address IoCs, also check the firewall rule log file.
For domains and URL IoCs, also check the firewall rule, DNS, SSL/TLS inspection, and web proxy log files.
Configure
VPN
IPsec VPN
Sophos Firewall uses strongSwan for site-to-site and remote access IPsec VPN.
| Service | Log file |
|---|---|
| IPsec service and connections | strongswan.log |
| IPsec service monitoring | ipsec_monitor.log |
| IPsec VPN service | charon.log |
| Connection-specific actions to activate, deactivate, and connect the tunnels(On the web admin console) | /log/ipsec_conn/ipsec_<connectionname>.log |
| XFRM tunnel interfaces | xfrmi.log |
SSL VPN
Sophos Firewall uses OpenVPN for site-to-site and remote access SSL VPN.
| Service | Log file |
|---|---|
| SSL VPN service | sslvpn.log |
| SSL VPN active connections | openvpn-status0.logIndividual log files are created based on the number of processes, for example, openvpn-status1.log |
| Per-user certificates generated | peruser_cert_sslvpn.log(In 20.0 MR1 and later versions) |
Other remote access VPNs
| Service | Log file |
|---|---|
| Clientless SSL VPN client | clientless_access.log |
| L2TP | l2tpd.log |
| PPTP | pptpvpn.log |
Note
For authentication of VPN users, check access_server.log.
For VPN portal, check vpnportal.log.
Network
| Service | Log file |
|---|---|
| Physical and virtual interfaces | networkd.log |
| WAN link management, gateway managementLink failover, VPN failoverDNAT | dgd.log |
| DHCP server | dhcpd.log |
| DHCPv6 server | dhcpd6.log |
| IPv6 router advertisement | radvd.log |
| DNS | dnsd.log |
| DDNS | ddc.log |
RED
| Service | Log file |
|---|---|
| RED service for all the configured RED devices, including site-to-site RED and SD-RED | red.log |
| Specific to the SD-RED device | red-<serial ID of RED>.log |
| Specific to the site-to-site RED configuration | red-<RED ID>.logTo see the RED ID, go to Network > Interfaces and click the specific site-to-site RED. |
Cellular WAN
| Service | Log file |
|---|---|
| WWAN(Insertion and removal of USB devices) | modemd.log(In 20.0 MR2 and later versions)mdev.log(In 20.0 MR1 and earlier versions) |
| Modem-related network configurations | networkd.log |
| Syslogs for USB, modem, and PPP (Point-to-Point Protocol) | syslog.log |
Routing
Dynamic routes
| Service | Log file |
|---|---|
| BGP and BGP-IPv6 | bgpd.log |
| OSPF | ospfd.log |
| OSPFv3 | ospf6d.log |
| RIP | ripd.log |
| Multicast (PIM-SM) | pimd.log |
| Installs IPv4 and IPv6 dynamic routes in the kernel | zebra.log |
Note
For opcode information and service restart, check csc.log.
For HA logs, check msync.log, and applog.log.
Static routes
| Service | Log file |
|---|---|
| Unicast routes | staticd.log |
| Installs IPv4 static unicast routes in the kernel | zebra.log |
| Multicast routes | mrouting.log |
Note
For opcode information and service restart, check csc.log.
For HA logs, check msync.log, and applog.log.
SD-WAN routes
| Service | Log file |
|---|---|
| Application-based routing | appcached.log |
Note
Additionally, check applog.log, csc.log, and dgd.log.
If SD-WAN routes are used with IPsec VPN, check the IPsec logs.
Authentication
| Service | Log file |
|---|---|
| User authentication, authorization, and accounting | access_server.log |
| Captive portal sign-in with SSO | oauth_sso_captive.log |
| Web admin console sign-in with SSO | oauth_sso_webadmin.log |
| Chromebook SSO | chromebook-sso-backend.log |
| Chromebook SSO workflow | csd.log |
| NTLM authentication | nasm.log |
High availability
| Description | Log file |
|---|---|
| Conntrack synchronization service | ctsyncd.log |
| HA synchronization service | msync.log |
| Peer HA device discovery in QuickHA mode | ha_pair.log |
| SSH tunnel connection(Between the HA devices over the dedicated link) | ha_tunnel.log |
| File synchronization to the auxiliary device(Applies to some services, such as dynamic routes and DHCP) | filesync.log |
Note
Each HA device only stores the logs and reports for the traffic it processes. To see the consolidated reports for both devices, you can use Sophos Central Firewall Reporting (CFR).
To see the auxiliary device’s troubleshooting logs, sign in to its CLI using the IP address or FQDN of its administration interface.
Traffic shaping
| Service | Log file |
|---|---|
| Bandwidth management (QoS) events | bwm.log |
System
Sophos Central
Sophos Central services
| Service | Log file |
|---|---|
| Zone and interface information sent to Sophos Central(Used in dynamic objects in Sophos Central) | fwcm-eventd.log |
| Firewall connectivity with Sophos Central | fwcm-heartbeatd.log |
| Configuration pushed by Sophos Central to the firewall | fwcm-updaterd.log |
| MDR analysis pushed to the firewall | fwcm-api-executor.log |
| Accessing the firewall from Sophos CentralFirmware upgrade information from firewall to Sophos CentralFirewall backups taken in Sophos Central | ssod.log |
Deployment and registration
| Service | Log file |
|---|---|
| True Zero Touch deploymentControlled Zero Touch deployment (with EAP code) | zt.log(In 20.0 MR1 and later versions)czt.log(In 20.0 GA and earlier versions)fwcm-heartbeatd.log |
Zero touch deployment using USB(fwcm-heartbeatd.log won't appear for this deployment) | zerotouch.log |
| Firewall registration to Sophos CentralAccess token generation for the firewall to communicate with Sophos Central | sophos-central.log |
| Sophos Central management and reporting turned on in the firewall | centralmanagement.log |
Note
For communication between the firewall and Sophos Central, check hbtrust.log.
For events generated by the firewall and the information it sends to Sophos Central, check garner.log. In garner, check the SCM plugin logs for central management and CR plugin logs for central reporting.
For firmware upgrade and related details, check csc.log.
For firewall registration and deregistration with Sophos Central, check applog.log
Zero Touch Network Access (ZTNA)
| Service | Log file |
|---|---|
| Sophos Central customer account and ZTNA connector IDsStatus of the ZTNA connector, ZTNA tunnel connectionsApplications accessed, configuration updates | ztna-connector.log |
Security Heartbeat and Synchronized Security
| Service | Log file |
|---|---|
| Endpoint status and application information sent to the firewall | heartbeatd.log |
| Communication between the firewall and Sophos Central | hbtrust.log |
| Weekly Synchronized Application Control (SAC) database optimization | sac-vacuum.log |
| Data sent to SophosLabs | sac-feedback.log |
Note
Additionally, check csc.log and applog.log.
Hosts and services
| Service | Log file |
|---|---|
| FQDN service | fqdnd.log |
| Wildcard FQDN service | dnsgrabber.log |
Administration
| Service | Log file |
|---|---|
| Licensing | licensing.log |
| Apache HTTP server (httpd)(For the web admin console and user portal) | apache.logapache_access.logerror_log.log |
| Jetty web application server(For the web admin console and user portal) | tomcat.log |
| SSH access | sshd.log |
| VPN portal | vpnportal.log |
| NTP client | ntpclient.log |
| Net-SNMP | snmpd.log |
Backup and firmware
| Service | Log file |
|---|---|
| Backup-restore interface mapper | interfacemapping.log |
| Backup generation without Secure Storage Master Key | legacyconversion.log |
| Firmware installation and management | fwmgmt.log |
| API translation between JSON and XML formats | apiparser.log |
| API validation | validation.log |
| API validation | validationError.log |
| System updates | u2d.log |
| System updates for airgap | u2d_airgap.log |
| Hotfix errors | cps_messages.log |
Note
For backup-restore, check the following additional logs: applog.log, migrationhash.log, and postgres.log
Certificates
| Service | Log file |
|---|---|
| Certificates, CAs, CSRs, CRLs | vpncertificate.log |
Common log files
Database and other services
| Service | Log file |
|---|---|
| Signature database | sigdb.log |
| Database cleanup when the firewall restarts | dbcleanup.log |
| Read objects for internal services | readobject.log |
| File system trimming | fstrim.log |
Log rotation to .gz files | logrotate.log |
Migration
| Service | Log file |
|---|---|
| Configuration migration | migration.log |
| Report migration | reportmigration.log |
Deployment platforms
Hardware
| Description | Log file |
|---|---|
| NPU startup | npu-startup.log |
| NPU syslogs | npu_syslog.log |
| CPU usage and temperature, fan speed, and NPU management port | xgs-healthmond.log |
| NPU host driver logs during startup | xgs-host.log |
| NPU compatibility check, NPU upgrade, and NPU recovery | xgs-npu-fw.log |
| NPU serial port | xgs-npu-serial.log |
| Physical interface creation during startup | xgs-pport-wait.log |
| Software RAID status | raid.log |
| LCD on hardware firewalls | lcd.log |
VMware
| Description | Log file |
|---|---|
| VMware tools | vmtool.log |
Note
Additionally, check syslog.log.
Azure cloud deployment
| Service | Log file |
|---|---|
| Configuration provisioning and license inspection | iaasd.log |
| Azure provisioning agentOS level provisioning, health monitoring | waagent.log |
FastPath acceleration
| Service | Log file |
|---|---|
| Syslogs for NPU-based FastPath | npu_syslog.log |
| Syslogs for host communication with NPU-based FastPath | syslog.log |
Note
For more information about NPU-based FastPath, see Architecture for offloading.