
Log files for modules

See the troubleshooting log files you must check for each module.

Active threat response

| Name | Description | Log file | Service |
|---|---|---|---|
| Active threat response | Active threat response service for MDR and third-party threat feeds. | atr.log | ATR |
| | | atr-service.log | |

Antivirus and anti-spam

| Name | Description | Log file | Service |
|---|---|---|---|
| Antivirus | Antivirus service | av.log | Antivirus |
| Antivirus updates | Antivirus update service | up2date_av.log | |
| Anti-spam | Anti-spam service. An inbound or outbound spam policy is required to start the anti-spam service. | sasi.log | Anti-spam |
| Sandbox | Sandbox service | sandboxd.log | sandboxd |
| Sandbox | Sandbox service | sessiontbl.log | |

  • Sophos Firewall uses Avira and Sophos Antivirus.

Authentication

| Name | Description | Log file | Service |
|---|---|---|---|
| Access server | User authentication, authorization and accounting service | access_server.log | access_server |
| Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access |
| NASM | NTLM authentication service | nasm.log | nasm |

  • Access server is a custom developed service to handle AAA activity.

Database

| Name | Description | Log file | Service |
|---|---|---|---|
| Configuration database | Configuration database log files | confdbstatus.log | |
| Configuration database | Configuration database log files | crreportdb.log | |
| Garner | Logging service for postponement, event log and graphs | garner.log | garner |
| Migration database | Report migration log files | sac-feedback.log | |
| Migration database | Report migration log files | reportmigration.log | |
| Postgres database | Configuration database service | postgres.log | postgres |
| Signature database | Signature database service | sigdb.log | sigdb |
| Reporting database | Report database service | reportdb.log | reportdb |

Firewall

| Name | Description | Log file | Service |
|---|---|---|---|
| BWM | Bandwidth management service (QoS) | bwm.log | bwm |
| Firewall rule logging | Firewall rule logging service | firewall_rule.log | |
| Firewall | Virtual host service | vhost.log | |
| FWlog | Firewall logging service | fwlog.log | fwlog |
| NAT | NAT rule log files | nat_rule.log | |
| Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd |

  • Sophos Firewall uses IPtable, ARP table, IPset and conntrack for firewall connections.
  • IMQ is used for QoS.

GUI and CLI

| Name | Description | Log file | Service |
|---|---|---|---|
| Apache | GUI service | apache.log | apache |
| Apache | GUI service | apache_access.log | apache |
| SSH | SSH logs | sshd.log | sshd |
| Error Log | Error log messages for GUI and CLI | error_log.log | |
| Tomcat | GUI service | tomcat.log | tomcat |

Heartbeat

| Name | Description | Log file | Service |
|---|---|---|---|
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-eventd |
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-heartbeatd |
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-updaterd |
| Heartbeat | Heartbeat service | heartbeatd.log | heartbeatd |
| Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd |

High availability

| Name | Description | Log file | Service |
|---|---|---|---|
| Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd |
| High availability | HA configuration and status updates | applog.log | |
| High availability | HA pair service | ha_pair.log | ha_pair |
| High availability | HA tunnel service | ha_tunnel.log | ha_tunnel |
| Msync | HA synchronization service | msync.log | msync |

Note

High availability cluster logs are stored on the same appliance where they're generated. We recommend using Sophos Central Firewall Reporting (CFR) to view the consolidated reports from both devices. To view the raw logs of the auxiliary appliance, you must connect to its admin port via SSH. To do this, use the command ssh admin@IPADDRESS. You must change IPADDRESS to be the admin port IP address of the auxiliary appliance.

Intrusion prevention and application filter

| Name | Description | Log file | Service |
|---|---|---|---|
| Application filter | The application filter uses the same service and log file as IPS | ips.log | ips |
| Intrusion prevention and application filter | Antivirus service | avd.log | antivirus |
| Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log | |
| Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log | |
| IPS | Intrusion prevention filter service | ips.log | ips |

Let's Encrypt

| Name | Description | Log file |
|---|---|---|
| Let's Encrypt | Let's Encrypt certificates | /log/letsencrypt.log |
| | | /log/applog.log |

Network

The following logs relate to general networking services.

| Name | Description | Log file | Service |
|---|---|---|---|
| Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD |
| DHCP | Dynamic host configuration server service | dhcpd.log | dhcpd |
| DHCP6 | Dynamic Host control service for IPv6 | dhcp6.log | dhcpd6 |
| DDC | Dynamic domain name service client service | ddc.log | ddc |
| DNS | DNS service | dnsd.log | dnsd |
| DNS | DNS service | dnsgrabber.log | dnsd |
| DNS | DNS service | eacd.log | |
| DNS | DNS service | entity.log | |
| Network | Network service - Interface/IP/PPPOE | networkd.log | networkd |
| Network | FQDN logging service | fqdnd.log | fqdnd |
| Network | FQDN logging service | fqdndebug.log | fqdnd |
| NTPclient | Network time protocol client service | ntpclient.log | ntpclient |
| RAD | Router advertisement service for IPv6 | radvd.log | radvd |

Cellular WAN

| Name | What you must look for | Log file |
|---|---|---|
| WWAN | Insertion and removal of USB devices | mdev.log |
| Network | Modem-related network configurations | networkd.log |
| Syslog | Syslogs for USB, modem, and PPP (Point-to-Point protocol) | syslog.log |

Routing

Dynamic routes

| Name | Description | Log file | Service |
|---|---|---|---|
| BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |
| Multicast (PIM-SM) | Protocol Independent Multicast (PIM) routing service | pimd.log | pimd |
| OSPF | Open Shortest Path First routing service | ospfd.log | ospfd |
| OSPFv3 | Open Shortest Path First version 3 | ospf6d.log | ospf6d |
| RIP | Routing Information Protocol routing service | ripd.log | ripd |

Static routes

| Name | Description | Log file | Service |
|---|---|---|---|
| Application based routing | Application based routing service | appcached.log | appcached |
| Application based routing | Redis Service | redis | redis-appcache |
| Multicast-routing | Multicast routing service | mrouting.log | mrouting |
| Zebra | Static routing service | zebra.log | zebra |
| Staticd | Static routing service | staticd.log | staticd |

Proxies

HTTPS, FTP, WAF

| Name | Description | Log file | Service |
|---|---|---|---|
| Awarrenhttp | HTTPS proxy service | awarrenhttp.log | awarrenhttp |
| Awarrenhttp access | HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp |
| nSXLd | Web categorization and IP reputation | nSXLd.log | nSXLd |
| Web proxy | Web proxy service | webproxy.log | |
| Skein | HTTP/FTP legacy proxy | skein.log | |
| FTP | FTP proxy service | ftpproxy.log | FTPproxy |
| WAF | Web server protection proxy service | reverseproxy.log | reverseproxy |

Note

Sophos Firewall always blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports.

SMTP(S), POP(S), IMAP(S)

| Name | Description | Log file | Service |
|---|---|---|---|
| Awarrensmtp | SMTPS legacy proxy service | awarrensmtp.log | awarrensmtp |
| Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta |
| Awarrenmta debug (v17+) | Mail transfer agent proxy service debug mode | awarrenmta_debug.log | awarrenmta |
| SMTP (v17.5+) | Mail transfer agent proxy service | smtpd_main.log | smtpd |
| SMTP error (v17.5+) | Mail transfer agent proxy service errors | smtpd_error.log | smtpd |
| SMTP panic (v17.5+) | Mail transfer agent proxy service panic | smtpd_panic.log | smtpd |
| SMTP reject (v17.5+) | Mail transfer agent proxy service reject | smtpd_reject.log | smtpd |
| Warren | POP/IMAP proxy service | warren.log | warren |

VPN

| Name | Description | Log file | Service |
|---|---|---|---|
| Clientless SSL VPN | Clientless SSL VPN client service | clientless_access.log | clientless_access |
| IPsec (v15-v16) | IPsec VPN service | ipsec.log | ipsec |
| IPsec (v17+) | IPsec VPN service | strongswan.log | strongswan |
| IPsec (v17+) | IPsec VPN service | charon.log | strongswan |
| IPsec | IPsec connection testing log files | ipsec_Test_Connect.log | |
| IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor |
| L2TP | Layer 2 tunneling protocol daemon | l2tpd.log | l2tpd |
| PPTP | Point-to-point tunneling VPN daemon | pptpvpn.log | pptpd |
| SSL VPN | SSL VPN client service | sslvpn.log | sslvpn |
| VPN PKI | VPN PKI logs | vpncertificate.log | |
| VPN PKI | VPN PKI logs | wc_remote.log | |
| VPN service | VPN service | strongswan-monitor.log | strongswan |
| VPN service | VPN service | sync.log | |
| XFRM | XFRM tunnel interface service | xfrmi.log | |

  • Sophos Firewall uses strongSwan for IPsec VPN and OpenVPN for SSL VPN.

Other logs

| Name | Description | Log file | Service |
|---|---|---|---|
| API | API service log | apiparser.log | |
| API | API service log | app-feedback.log | |
| AWED | Wireless controller service | awed.log | awed |
| Category updates | Category update log file | catUpdateLog | |
| Central management | Central management service | centralmanagement.log | |
| Central management | Central management service | sophos-central.log | |
| CSC | Sophos Central service which manages all services | csc.log | csc |
| CSC helper | CSC helper service | cschelper.log | csc |
| CSC | CSC service | csd.log | csc |
| CSC | Configuration logs | applog.log | csc |
| Hotspot | Hotspot service | hostapd.log | hostapd |
| Hotspot | Hotspot service | hotspot.log | hotspotd |
| Hotspot | Hotspot service | hotspotd.log | hotspotd |
| Interface mapper | Backup-restore | interfacemapping.log | |
| iView | iView logging service | iview.log | |
| Licensing | Licensing log | licensing.log | |
| Net-SNMP | SNMP log file | snmpd.log | snmpd |
| OpenSSH | OpenSSH/Dropbear service | sshd.log | |
| OpenSSH | OpenSSH/Dropbear service | ssod.log | ssod |
| RED | RED service | red.log | red |
| SMB filesystem | SMB filesystem log files | smbnetfs.log | |
| SMB filesystem | SMB filesystem log files | snireport.log | |
| Sysinit | System FSCK logs | sysinit.log | sysinit |
| Syslog | Syslog service | syslog.log | syslog |
| System Updates | System update log | u2d.log | u2d |
| Signature upgrade | Signature upgrade log | sig_update.log | |
| Validation | Validation log files | validation.log | |
| Validation | Validation log files | validationError.log | |
| VMware tools | VMware tool service (SRM) | vmtool.log | vmtool |
| Wi-Fi | Wi-Fi authentication service | wifiauth.log | |