Logs
The firewall provides event logs and troubleshooting logs.
To lower their disk usage, see Disk space for logs and reports.
Event logs
Event logs provide insight into network activity and system events, allowing you to identify security issues.
These logs show the events the firewall records, such as authentication, connections established, system events, and configuration changes. These logs also show traffic details, such as the source, destination, matching rule, and status.
Note
A percent of the /var
folder is allotted for storing eventlogs based on the appliance model.
For example, for the higher-end models, stored logs can take up to 15 percent of the total /var
partition or 50 percent of the free space available in the /var
partition (whichever is lower).
Event logs are stored as follows:
- Local: By default, they're locally stored on the firewall. You can see them in the Log viewer. See Log viewer.
- Syslog server: You can configure syslog servers to which the firewall can send the logs. See Add a syslog server.
- Sophos Central: You can send the logs to Sophos Central if the firewall is registered for Sophos Central firewall management. You must turn on Sophos Central services and then Send reports and logs to Sophos Central. See Sophos Central services overview.
Note
In firewall rules and SSL/TLS inspection rules, you can select the corresponding log setting to save logs of matching traffic.
To show them in the Log viewer or send them to Sophos Central and syslog servers, make sure you select the corresponding log type on System services > Log settings. See Log settings.
Tip
You can encrypt identities in logs and reports using data anonymization. See Data anonymization.
Troubleshooting logs
Troubleshooting logs are detailed logs that allow you to troubleshoot issues. You can get additional details when you turn on debug mode.
Note
Debug mode takes up disk space. So, after you get the required logs, you must turn off debug mode.
You can access troubleshooting logs from the web admin console and the CLI. See Check troubleshooting logs.
More resources