Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Logs

The firewall provides event logs and troubleshooting logs.

To lower their disk usage, see Disk space for logs and reports.

Event logs

Event logs provide insight into network activity and system events, allowing you to identify security issues.

These logs show the events the firewall records, such as authentication, connections established, system events, and configuration changes. These logs also show traffic details, such as the source, destination, matching rule, and status.

Note

A percent of the /var folder is allotted for storing eventlogs based on the appliance model.

For example, for the higher-end models, stored logs can take up to 15 percent of the total /var partition or 50 percent of the free space available in the /var partition (whichever is lower).

Event logs are stored as follows:

  • Local: By default, they're locally stored on the firewall. You can see them in the Log viewer. See Log viewer.
  • Syslog server: You can configure syslog servers to which the firewall can send the logs. See Add a syslog server.
  • Sophos Central: You can send the logs to Sophos Central if the firewall is registered for Sophos Central firewall management. You must turn on Sophos Central services and then Send reports and logs to Sophos Central. See Sophos Central services overview.

Note

In firewall rules and SSL/TLS inspection rules, you can select the corresponding log setting to save logs of matching traffic.

To show them in the Log viewer or send them to Sophos Central and syslog servers, make sure you select the corresponding log type on System services > Log settings. See Log settings.

Tip

You can encrypt identities in logs and reports using data anonymization. See Data anonymization.

Troubleshooting logs

Troubleshooting logs are detailed logs that allow you to troubleshoot issues. You can get additional details when you turn on debug mode.

Note

Debug mode takes up disk space. So, after you get the required logs, you must turn off debug mode.

You can access troubleshooting logs from the web admin console and the CLI. See Check troubleshooting logs.

More resources