Log
The Syslog protocol allows devices to send event notification messages across an IP network to syslog servers in response to events, faults, or errors occurring on the platform, as well as changes in configuration or other occurrences. The syslog server then collects the event messages, providing powerful support for users to monitor network operation and diagnose malfunctions. A syslog-enabled device can generate a syslog message and send it to a syslog server.
Syslog is defined in RFC 3164. The RFC defines the packet format, content, and system log related information of Syslog messages. Each Syslog message has a facility and severity level. The Syslog facility identifies a file in the Syslog server. Refer to the documentation of your Syslog program for details. The following table describes the Syslog severity levels.
Code | Severity | Description | General Description |
---|---|---|---|
0 | EMERG | System is unusable. | The switch is unusable. All connected devices have lost network connectivity. |
1 | ALERT | Immediate action is needed. | Immediate action is required to restore functionality. For example, the loss of a primary ISP connection. |
2 | CRIT | Critical conditions. | Indicates a failure in a secondary system that requires action. For example, the loss of a backup ISP connection. |
3 | ERROR | Error conditions. | Non-urgent failures. You must resolve these items within a given time. |
4 | WARNING | Warning conditions. | Warning messages that indicate an error will occur if you don't take action. For example, "file system 85% full". You must resolve these items within a given time. |
5 | NOTICE | Normal but significant condition. | Events that are unusual but not error conditions. No immediate action is required. |
6 | INFO | Informational messages. | Normal operational messages for reporting, measuring throughput, and so on. No action is required. |
7 | DEBUG | Detailed events. | This provides detailed messages about all activity on the switch. You must turn it on only for troubleshooting and make sure you turn it off when finished. |
Global Settings
From here, you can Enable or Disable the log settings for the Switch.
Click Apply to update the system settings.
Local Logging
The system Log is designed to monitor the switch's operation by recording the event messages it generates during normal operation. These events may provide vital information about system activity that can help identify and solve system problems.
The switch records events in two locations: Flash and RAM. The information stored in the system's RAM log is lost after the switch is restarted or powered off, while the information stored in the system's Flash is kept even if the switch is rebooted or powered off. When the log reaches capacity, the switch deletes the oldest entries and replaces them with newer entries.
To set the events recorded in local logging, do as follows:
Warning
The default log level for Flash logging is Critical. If you change the Flash log level, for example, to Debug to troubleshoot an issue on the switch, you must revert your changes when finished to avoid excessive wear on the device caused by the increase in logged events.
- Click Edit for RAM or Flash logging.
- Select the log level from the drop-down list.

  Note

  When you select a log level, the switch also logs all higher-severity messages. For example, when you select Warning as your log level, Error, Critical, Alert, and Emergency messages are also logged even if they weren't selected before.
- Click Apply.
Remote Logging
The internal log of the Sophos Switch has a fixed capacity. When the log reaches capacity, the switch deletes the oldest entries to make room for the newest. If you want a permanent record of all logging activities, you can set up your syslog server to receive log contents from the Sophos switch. Use this page to direct all logging to the syslog server. Click the Add button, define your syslog server, and select the severity level of events you wish to log.
Click the Apply button to accept the changes or the Cancel button to discard them.
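The following added example (not part of the Sophos documentation or product code) shows how a receiving syslog server can decode the RFC 3164 priority value into facility and severity and apply the threshold rule from the Local Logging note. The sample messages, the hostname `switch01`, and the use of facility 23 (local7) are constructed assumptions, not output from a real switch.

```python
import re

# Severity names from the table above, indexed by code.
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"]
# RFC 3164 messages start with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_pri(line):
    """Return (facility, severity_code, rest), or None if the PRI part is invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    return facility, severity, m.group(2)

def is_logged(severity_code, configured_level):
    """Threshold rule: the configured level and every more severe (lower code) level pass."""
    return severity_code <= SEVERITIES.index(configured_level)

def filter_messages(lines, configured_level):
    kept, rejected = [], []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            rejected.append(line)  # keep malformed input visible instead of dropping it
            continue
        facility, severity, rest = parsed
        if is_logged(severity, configured_level):
            kept.append((facility, SEVERITIES[severity], rest))
    return kept, rejected

# Constructed sample messages (assumed facility 23 = local7; not from a real switch).
SAMPLE = [
    "<187>Jan  5 10:15:02 switch01 Port 3 link flapping",  # 23*8 + 3 = ERROR
    "<188>Jan  5 10:15:09 switch01 file system 85% full",  # 23*8 + 4 = WARNING
    "<190>Jan  5 10:15:30 switch01 User admin logged in",  # 23*8 + 6 = INFO
    "<184>Jan  5 10:16:00 switch01 System is unusable",    # 23*8 + 0 = EMERG
    "<999>Jan  5 10:16:01 switch01 bad priority value",
    "no priority header at all",
]

if __name__ == "__main__":
    kept, rejected = filter_messages(SAMPLE, "WARNING")
    for facility, name, rest in kept:
        print(f"facility={facility} severity={name} {rest}")
    print("rejected:", rejected)
```

With the level set to WARNING, the INFO message is filtered out while ERROR, WARNING, and EMERG pass, and the two lines without a valid priority value are returned separately for review.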
Log table
This page displays the most recent records in the Switch's internal log. Log entries are listed in reverse chronological order (with the latest logs at the top of the list). Click a column header to sort the contents by that category.
Display logs in:
- RAM: The information stored in the system’s RAM log will be lost after the Switch is rebooted or powered off.
- Flash: The information stored in the system’s Flash is kept even if the Switch is rebooted or powered off.
Export: Click the Export button to export the current buffered log to a .txt file.
Clear: Click the Clear button to clear the buffered log in the system's memory.