
Sophos XG Firewall: Logfile guide

  • Article ID: 132211
  • Updated: 31 Jul 2019

Overview

This article provides information regarding the logfiles of the Sophos XG Firewall. It includes the description of each logfile and the service that uses it.

The following sections are covered:

  • Logfile guide
    • Database
    • GUI and CLI
    • Proxy (HTTPs - SMTPs - POP - IMAP - FTP - WAF)
    • Network
    • Authentication
    • Intrusion Prevention / Application Filter
    • Antivirus and Antispam
    • VPN
    • Firewall
    • High Availability
    • Other
  • Related information

Applies to the following Sophos products and versions
Sophos Firewall

Logfile guide

All log files can be found in the WebAdmin at Reports.

All log files can be found via the Command Line Interface (CLI) in the directory /log. The CLI can be accessed by going to Admin > Console located in the upper right corner of the WebAdmin.

Database

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Postgres database | Configuration Database Service | postgres.log | postgres |
| Signature database | Signature Database Service | sigdb.log | sigdb |
| Reporting database | Report Database Service | reportdb.log | reportdb |
| Garner | Logging service for postponement, event log and graphs. | garner.log | garner |

  • Uses PGSQL for configuration, report and signature databases.

GUI and CLI

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Tomcat | GUI service | tomcat.log | tomcat |
| Apache | GUI service | apache.log | apache |
| Error Log | Error log messages for GUI and CLI | error_log.log | - |
| Dropbear | SSH logs | dropbear.log | - |

  • Uses Apache and Tomcat for GUI and CISH for CLI.

Proxy (HTTPs - SMTPs - POP - IMAP - FTP - WAF)

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Awarrenhttp | HTTPs Proxy Service | awarrenhttp.log | awarrenhttp |
| Awarrenhttp Access | HTTPs Proxy Service Website Access | awarrenhttp_access.log | awarrenhttp |
| Awarrensmtp | SMTPs Legacy Proxy Service | awarrensmtp.log | awarrensmtp |
| Awarrenmta | Mail Transfer Agent Proxy Service | awarrenmta.log | awarrenmta |
| Awarrenmta Debug (v17+) | Mail Transfer Agent Proxy Service Debug Mode | awarrenmta_debug.log | awarrenmta |
| SMTP (v17.5+) | Mail Transfer Agent Proxy Service | smtpd_main.log | smtpd |
| SMTP Error (v17.5+) | Mail Transfer Agent Proxy Service errors | smtpd_error.log | smtpd |
| SMTP Panic (v17.5+) | Mail Transfer Agent Proxy Service panic | smtpd_panic.log | smtpd |
| SMTP Reject (v17.5+) | Mail Transfer Agent Proxy Service reject | smtpd_reject.log | smtpd |
| Warren | POP/IMAP Proxy Service | warren.log | warren |
| FTP | FTP Proxy Service | ftpproxy.log | FTPproxy |
| WAF | Web Application Firewall Proxy Service | reverseproxy.log | reverseproxy |
| WINGc (v15+) | Web Categorization | WINGc.log | WINGc |
| nSXLd (v17+) | Web Categorization | nSXLd.log | nSXLd |

Network

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Network | Network Service - Interface/IP/PPPOE | networkd.log | networkd |
| Dead Gateway Detect | MLM, VPN failover, Dead Gateway Detect | dgd.log | DGD |
| RAD | Router Advertisement service for IPv6 | radvd.log | radvd |
| DHCP | Dynamic Host Configuration Server service | dhcpd.log | dhcpd |
| DDC | Dynamic Domain Name Service client service | ddc.log | ddc |
| NTPclient | Network Time Protocol client service | ntpclient.log | ntpclient |

Dynamic Routing

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| RIP | Routing Information Protocol routing service | ripd.log | ripd |
| OSPF | Open Shortest Path First routing service | opsfd.log | ospfd |
| BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |

Static Routing

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Zebra | Static routing service | zebra.log | zebra |
| Multicast Routing | Multicast routing service | mrouting.log | mrouting |

  • Sophos uses Quagga for dynamic and static routing.

Authentication

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Access Server | User Authentication, authorisation and accounting service | access_server.log | access_server |
| NASM | NTLM Authentication Service | nasm.log | nasm |

  • Access server is a custom developed service to handle AAA activity.

Intrusion Prevention / Application Filter

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| IPS | Intrusion Prevention filter service | ips.log | ips |
| Application Filter | The application filter uses the same service and logfile as IPS | ips.log | ips |

  • Sophos XG Firewall uses a customized Snort for the IPS and Application Filter.

Antivirus and Antispam

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Antivirus | Antivirus Service | av.log | antivirus |
| Antispam | Antispam Service | ctasd.log | antispam |
| CTIP | CTIP daemon | ctipd.log | ctipd |

  • Sophos XG Firewall uses Avira and Sophos antivirus.
  • Sophos is an OEM customer of Cyren for Anti-spam and IP reputation services.

Heartbeat

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Heartbeat | Heartbeat Service | heartbeatd.log | heartbeatd |
| Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd |

VPN

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| IPsec (v15+) | IPsec VPN Service | ipsec.log | ipsec |
| IPsec (v17+) | IPsec VPN Service | strongswan.log | ipsec |
| IPsec (v17+) | IPsec VPN Service | charon.log | ipsec |
| SSL VPN | SSL VPN Client Service | sslvpn.log | sslvpn |
| Clientless SSL VPN | Clientless SSL VPN Client Service | clientless_access.log | clientless_access |
| PPTP | Point to Point Tunneling VPN daemon | pptpvpn.log | pptpd |
| L2TP | Layer 2 Tunneling Protocol daemon | l2tpd.log | l2tpd |

  • Sophos XG Firewall uses Openswan for IPsec VPN and OpenVPN for SSL VPN.

Firewall

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| FWlog | Firewall Logging Service | fwlog.log | fwlog |
| Pktcap | Packet Capture Service (GUI DG option) | pktcapd.log | pktcapd |
| BWM | Bandwidth Management Service (QoS) | bwm.log | bwm |

  • Sophos XG Firewall uses iptables, ARP table, ipset and conntrack for the firewall.
  • IMQ is used for QoS.

High Availability

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| Msync | HA Synchronization Service | msync.log | msync |
| Ctsync | Conntrack Synchronization Service | ctsyncd.log | ctsyncd |

  • Customized High Availability is used for traffic load balancing among clusters.

Other

| Name | Description | Logfile | Service |
| --- | --- | --- | --- |
| CSC | Central Service which manages all services | csc.log | csc |
| Sysinit | System FSCK logs | sysinit.log | sysinit |
| Syslog | Syslog service | syslog.log | syslog |
| RED | RED Service | red.log | red |
| AWED | Wireless Controller Service | awed.log | awed |
| Hotspot | Hotspot Service | hotspot.log | hotspotd |
| Licensing | Licensing Logfiles | licensing.log | - |
| System Updates | System Update logs | u2d.log | - |
| Signature Upgrade | Signature Upgrade logs | sig_update.log | - |

Note: When a log rotates, a file with the extension .log.0 may be created (for example, smtpd_main.log.0).

Related information

  • Sophos XG Firewall: Where to find log files?
