Log files for modules
See the troubleshooting log files you must check for each module.
Active threat response

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Active threat response | Active threat response service for MDR and third-party threat feeds. | atr.log | ATR |
| | | atr-service.log | |

Antivirus and anti-spam

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Antivirus | Antivirus service | av.log | Antivirus |
| Antivirus updates | Antivirus update service | up2date_av.log | |
| Anti-spam | Anti-spam service. An inbound or outbound spam policy is required to start the anti-spam service. | sasi.log | Anti-spam |
| Sandbox | Sandbox service | sandboxd.log | sandboxd |
| Sandbox | Sandbox service | sessiontbl.log | |

Sophos Firewall uses Avira and Sophos Antivirus.
Authentication

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Access server | User authentication, authorization and accounting service | access_server.log | access_server |
| Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access |
| NASM | NTLM authentication service | nasm.log | nasm |

Access server is a custom developed service to handle AAA activity.
Database

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Configuration database | Configuration database log files | confdbstatus.log | |
| Configuration database | Configuration database log files | crreportdb.log | |
| Garner | Logging service for postponement, event log and graphs | garner.log | garner |
| Migration database | Report migration log files | sac-feedback.log | |
| Migration database | Report migration log files | reportmigration.log | |
| Postgres database | Configuration database service | postgres.log | postgres |
| Signature database | Signature database service | sigdb.log | sigdb |
| Reporting database | Report database service | reportdb.log | reportdb |

Firewall

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| BWM | Bandwidth management service (QoS) | bwm.log | bwm |
| Firewall rule logging | Firewall rule logging service | firewall_rule.log | |
| Firewall | Virtual host service | vhost.log | |
| FWlog | Firewall logging service | fwlog.log | fwlog |
| NAT | NAT rule log files | nat_rule.log | |
| Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd |

Sophos Firewall uses iptables, the ARP table, ipset, and conntrack for firewall connections.
IMQ is used for QoS.
GUI and CLI

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Apache | GUI service | apache.log | apache |
| Apache | GUI service | apache_access.log | apache |
| SSH | SSH logs | sshd.log | sshd |
| Error Log | Error log messages for GUI and CLI | error_log.log | |
| Tomcat | GUI service | tomcat.log | tomcat |

Heartbeat

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-eventd |
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-heartbeatd |
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-updaterd |
| Heartbeat | Heartbeat service | heartbeatd.log | heartbeatd |
| Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd |

High availability

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd |
| High availability | HA configuration and status updates | applog.log | |
| High availability | HA pair service | ha_pair.log | ha_pair |
| High availability | HA tunnel service | ha_tunnel.log | ha_tunnel |
| Msync | HA synchronization service | msync.log | msync |

Note
High availability cluster logs are stored on the same appliance where they're generated. We recommend using Sophos Central Firewall Reporting (CFR) to view the consolidated reports from both devices. To view the raw logs of the auxiliary appliance, you must connect to its admin port via SSH. To do this, use the command ssh admin@IPADDRESS. You must change IPADDRESS to be the admin port IP address of the auxiliary appliance.
Intrusion prevention and application filter

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Application filter | The application filter uses the same service and log file as IPS | ips.log | ips |
| Intrusion prevention and application filter | Antivirus service | avd.log | antivirus |
| Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log | |
| Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log | |
| IPS | Intrusion prevention filter service | ips.log | ips |

Let's Encrypt

| Name | Description | Log file |
| --- | --- | --- |
| Let's Encrypt | Let's Encrypt certificates | /log/letsencrypt.log, /log/applog.log |

Network
The following logs relate to general networking services.

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD |
| DHCP | Dynamic host configuration server service | dhcpd.log | dhcpd |
| DHCP6 | Dynamic Host control service for IPv6 | dhcp6.log | dhcpd6 |
| DDC | Dynamic domain name service client service | ddc.log | ddc |
| DNS | DNS service | dnsd.log | dnsd |
| DNS | DNS service | dnsgrabber.log | dnsd |
| DNS | DNS service | eacd.log | |
| DNS | DNS service | entity.log | |
| Network | Network service - Interface/IP/PPPOE | networkd.log | networkd |
| Network | FQDN logging service | fqdnd.log | fqdnd |
| Network | FQDN logging service | fqdndebug.log | fqdnd |
| NTPclient | Network time protocol client service | ntpclient.log | ntpclient |
| RAD | Router advertisement service for IPv6 | radvd.log | radvd |

Cellular WAN

| Name | What you must look for | Log file |
| --- | --- | --- |
| WWAN | Insertion and removal of USB devices | mdev.log |
| Network | Modem-related network configurations | networkd.log |
| Syslog | Syslogs for USB, modem, and PPP (Point-to-Point protocol) | syslog.log |

Routing
Dynamic routes

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |
| Multicast (PIM-SM) | Protocol Independent Multicast (PIM) routing service | pimd.log | pimd |
| OSPF | Open Shortest Path First routing service | ospfd.log | ospfd |
| OSPFv3 | Open Shortest Path First version 3 | ospf6d.log | ospf6d |
| RIP | Routing Information Protocol routing service | ripd.log | ripd |

Static routes

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Application based routing | Application based routing service | appcached.log | appcached |
| Application based routing | Redis Service | redis | redis-appcache |
| Multicast-routing | Multicast routing service | mrouting.log | mrouting |
| Zebra | Static routing service | zebra.log | zebra |
| Staticd | Static routing service | staticd.log | staticd |

Proxies
HTTPS, FTP, WAF

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Awarrenhttp | HTTPS Proxy service | awarrenhttp.log | awarrenhttp |
| Awarrenhttp access | HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp |
| nSXLd | web categorization and IP reputation | nSXLd.log | nSXLd |
| Web proxy | Web proxy service | webproxy.log | |
| Skein | HTTP/FTP legacy proxy | skein.log | |
| FTP | FTP proxy service | ftpproxy.log | FTPproxy |
| WAF | Web server protection proxy service | reverseproxy.log | reverseproxy |

Note
Sophos Firewall always blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports.
SMTP(S), POP(S), IMAP(S)

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Awarrensmtp | SMTPS legacy proxy service | awarrensmtp.log | awarrensmtp |
| Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta |
| Awarrenmta debug | (v17+) Mail transfer agent proxy service debug mode | awarrenmta_debug.log | awarrenmta |
| SMTP | (v17.5+) Mail transfer agent proxy service | smtpd_main.log | smtpd |
| SMTP error | (v17.5+) Mail transfer agent proxy service errors | smtpd_error.log | smtpd |
| SMTP panic | (v17.5+) Mail transfer agent proxy service panic | smtpd_panic.log | smtpd |
| SMTP reject | (v17.5+) Mail transfer agent proxy service reject | smtpd_reject.log | smtpd |
| Warren | POP/IMAP proxy service | warren.log | warren |

VPN

| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Clientless SSL VPN | Clientless SSL VPN client service | clientless_access.log | clientless_access |
| IPsec | (v15-v16) IPsec VPN service | ipsec.log | ipsec |
| IPsec | (v17+) IPsec VPN service | strongswan.log | strongswan |
| IPsec | (v17+) IPsec VPN service | charon.log | strongswan |
| IPsec | IPsec connection testing log files | ipsec_Test_Connect.log | |
| IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor |
| L2TP | Layer 2 tunneling protocol daemon | l2tpd.log | l2tpd |
| PPTP | Point-to-point tunneling VPN daemon | pptpvpn.log | pptpd |
| SSL VPN | SSL VPN client service | sslvpn.log | sslvpn |
| VPN PKI | VPN PKI logs | vpncertificate.log | |
| VPN PKI | VPN PKI logs | wc_remote.log | |
| VPN service | VPN service | strongswan-monitor.log | strongswan |
| VPN service | VPN service | sync.log | |
| XFRM | XFRM tunnel interface service | xfrmi.log | |

Sophos Firewall uses strongSwan for IPsec VPN and OpenVPN for SSL VPN.