Sophos Firewall Logfile Guide
Logdateien werden von der WebAdmin-Konsole verwendet, um Berichte zu generieren. Sie können die Logdateien entweder über die Protokollansicht oder über das Command Line Interface (CLI) einsehen.
Zugriff auf die Logdateien
Über den WebAdmin:
Klicken Sie auf "Protokollansicht" im oberen rechten Bildschirmbereich. Die Protokollansicht öffnet sich in einem neuen Fenster. Die folgenden Logs können über die Protokollansicht durchsucht werden:
- Admin
- Schutz vor hochentwickelten Bedrohungen
- Anwendungsfilter
- Authentifizierung
- E-Mail
- Firewall
- IPS
- Schadprogramme
- Security Heartbeat
- SSL/TLS-Inspektion
- System
- Internetinhaltsrichtlinie
- Webfilter
- Webserverschutz
- Zero-Day-Schutz
Über die Advanced Shell
- Verbinden Sie sich per SSH-Client über Port 22 mit der Sophos Firewall.
- Wählen Sie Option 5 Device Management --> 3 Advanced Shell
In der Advanced Shell finden Sie die Logdateien im /log-Verzeichnis. Findet eine Logrotation statt, wird ein Anhang an die Dateierweiterung zugefügt (z.B.: aus smtp_main.log wird smtp_main.log0). Sie können die folgenden Befehle nutzen, um den Inhalt der Logdateien auf unterschiedliche Weise auszugeben.
| Befehl | Beispiel | Beschreibung |
| tail -f | tail -f /log/<logfilename>.log | Gibt die letzten Zeilen der Datei <logfilename>.log aus |
| less | less /log/<logfilename>.log | Zeigt <logfilename>.log statisch an. |
| grep | grep <Keyword> /log/<logfilename>.log | Durchsucht die Datei <logfilename>.log nach Zeilen die <Keyword> enthalten |
| service | service <service name>:start/restart/stop/debug -ds nosync | Startet, Neustartet, Stoppt oder Debugged den Service <service name> |
Die folgenden Logs stehen Ihnen über die Konsole zur Verfügung:
Antivirus
| Name | Description | Log file | Service |
|---|
| Antivirus | Antivirus service | av.log | Antivirus |
| Antivirus updates | Antivirus update service | up2date_av.log | |
| Anti-spam | Anti-spam service | sasi.log | Anti-spam |
| Sandbox | Sandbox service | sandboxd.log | sandboxd |
| Sandbox | Sandbox service | sessiontbl.log | - |
- Sophos Firewall nutzt Avira und Sophos Antivirus
Authentifizierung
| Name | Description | Log file | Service |
|---|
| Access server | User authentication, authorization, and accounting service | access_server.log | access_server |
| Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access |
| NASM | NTLM authentication service | nasm.log | nasm |
- Der Access Server ist eigens angefertigt um AAA-Aktivitäten zu bearbeiten
Datenbank
| Name | Description | Log file | Service |
|---|
| Configuration database | Configuration database log files | confdbstatus.log | |
| Configuration database | Configuration database log files | crreportdb.log | |
| Configuration database | Configuration database log files | crreportdb.log | |
| Garner | Logging service for postponement, event log and graphs | garner.log | garner |
| Migration database | Report migration log files | sac-feedback.log | |
| Migration database | Report migration log files | reportmigration.log | |
| Postgres database | Configuration database service | postgres.log | postgres |
| Signature database | Signature database service | sigdb.log | sigdb |
| Reporting database | Report database service | reportdb.log | reportdb |
Firewall
| Name | Description | Log file | Service |
|---|
| BWM | Bandwidth management service (QoS) | bwm.log | bwm |
| Firewall rule logging. | Firewall rule logging service | firewall_rule.log | |
| Firewall | Virtual host service | vhost.log | |
| FWlog | Firewall logging service | fwlog.log | fwlog |
| NAT | NAT rule log files | nat_rule.log | |
| NAT | NAT rule log files | pimd.log | pmid |
| Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd |
- Sophos Firewall nutzt IPtable, ARP Table, IPset und Conntrack für Firewallverbindungen
- IMQ wird für QoS genutzt
GUI und CLI
| Name | Description | Log file | Service |
|---|
| Apache | GUI service | apache.log | apache |
| Apache | GUI Service | apache_access.log | apache |
| SSH | SSH logs | sshd.log | sshd |
| Error Log | Error log messages for GUI and CLI | error_log.log | |
| Tomcat | GUI service | tomcat.log | tomcat |
Heartbeat
| Name | Description | Log file | Service |
|---|
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-eventd | |
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-heartbeatd | |
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-updaterd | |
| Heartbeat | Heartbeat service | heartbeatd.log | heartbeatd |
| Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd |
High Availability
| Name | Description | Log file | Service |
|---|
| Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd |
| High availability | HA configuration and status updates | applog.log | |
| High availability | HA pair service | ha_pair.log | ha_pair |
| High availability | HA tunnel service | ha_tunnel.log | ha_tunnel |
| Msync | HA synchronization service | msync.log | msync |
Intrusion Prevention und Applikationsfilter
| Name | Description | Log file | Service |
|---|
| Application filter | The application filter uses the same service and log file as IPS | ips.log | ips |
| Intrusion prevention and application filter | Antivirus service | avd.log | antivirus |
| Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log | |
| Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log | |
| IPS | Intrusion prevention filter service | ips.log | ips |
Netzwerk
Die nachfolgenden Logs beziehen sich auf generelle Netzwerkservices
| Name | Description | Log file | Service |
|---|
| Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD |
| DHCP | Dynamic host configuration server service | dhcpd.log | dhcpd |
| DHCP6 | Dynamic Host control service for IPv6 | dhcp6.log | dhcpd6 |
| DDC | Dynamic domain name service client service | ddc.log | ddc |
| DNS | DNS service | dnsd.log | dnsd |
| DNS | DNS service | dnsgrabber.log | dnsd |
| DNS | DNS service | eacd.log | |
| DNS | DNS service | entity.log | |
| Network | Network service - Interface/IP/PPPOE | networkd.log | networkd |
| Network | FQDN logging service | fqdnd.log | fqdnd |
| Network | FQDN logging service | fqdndebug.log | fqdnd |
| NTPclient | Network time protocol client service | ntpclient.log | ntpclient |
| RAD | Router advertisement service for IPv6 | radvd.log | radvd |
Die folgenden Logs gehören zu dynamischen Routingservices
| Name | Description | Log file | Service |
|---|
| BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |
| OSPF | Open Shortest Path First routing service | ospfd.log | ospfd |
| RIP | Routing Information Protocol routing service | ripd.log | ripd |
Die folgenden Logs gehören zu statischen Routingservices
| Name | Description | Log file | Service |
|---|
| Application based routing | Application based routing service | appcached.log | appcached |
| Application based routing | Redis Service | redis | redis-appcache |
| Multicast-routing | Multicast routing service | mrouting.log | mrouting |
| Zebra | Static routing service | zebra.log | zebra |
Proxy (HTTPs-, SMTPs-, POP-, IMAP-, FTP-, WAF-Proxy)
| Name | Description | Log file | Service |
|---|
| Awarrenhttp | HTTPS Proxy service | awarrenhttp.log | awarrenhttp |
| Awarrenhttp access | HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp |
| Awarrensmtp | SMTPS legacy proxy service | awarrensmtp.log | awarrensmtp |
| Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta |
| Awarrenmta debug | (v17+) Mail transfer agent proxy service debug mode | awarrenmta_debug.log | awarrenmta |
| FTP | FTP proxy service | ftpproxy.log | FTPproxy |
| nSXLd | web categorization and IP reputation | nSXLd.log | nSXLd |
| Skein | HTTP/FTP legacy proxy | skein.log | |
| SMTP | (v17.5+) Mail transfer agent proxy service | smtpd_main.log | smtpd |
| SMTP error | (v17.5+) Mail transfer agent proxy service errors | smtpd_error.log | smtpd |
| SMTP panic | (v17.5+) Mail transfer agent proxy service panic | smtpd_panic.log | smtpd |
| SMTP reject | (v17.5+) Mail transfer agent proxy service reject | smtpd_reject.log | smtpd |
| Warren | POP/IMAP proxy service | warren.log | warren |
| WAF | Web application firewall proxy service | reverseproxy.log | reverseproxy |
| Web proxy | Web proxy service | webproxy.log | |
| WINGc | (v15+) web categorization | WINGc.log | WINGc |
VPN
| Name | Description | Log file | Service |
|---|
| Clientless SSL VPN | Clientless SSL VPN client service | clientless_access.log | clientless_access |
| IPsec | (v15-v16) IPsec VPN service | ipsec.log | ipsec |
| IPsec | (v17+) IPsec VPN service | strongswan.log | strongswan |
| IPsec | (v17+) IPsec VPN service | charon.log | strongswan |
| IPsec | IPsec connection testing log files | ipsec_Test_Connect.log | |
| IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor |
| L2TP | Layer 2 tunneling protocol daemon | l2tpd.log | l2tpd |
| PPTP | Point-to-point tunneling VPN daemon | pptpvpn.log | pptpd |
| SSL VPN | SSL VPN client service | sslvpn.log | sslvpn |
| VPN PKI | VPN PKI logs | vpncertificate.log | |
| VPN PKI | VPN PKI logs | wc_remote.log | |
| VPN service | VPN service | strongswan-monitor.log | strongswan |
| VPN service | VPN service | sync.log | |
| XFRM | XFRM tunnel interface service | xfrmi.log | |
- Sophos Firewall nutzt Openswan für IPsec-VPN und OpenVPN für SSL-VPN.
Andere Logdateien
| Name | Description | Log file | Service |
|---|
| API | API service log | apiparser.log | |
| API | API service log | app-feedback.log | |
| AWED | Wireless controller service | awed.log | awed |
| Category updates | Category update log file | catUpdateLog | |
| Central management | Central management service | centralmanagement.log | |
| Central management | Central management service | sophos-central.log | |
| CSC | Sophos Central service which manages all services | csc.log | csc |
| CSC helper | CSC helper service | cschelper.log | csc |
| CSC | CSC service | csd.log | csc |
| CSC | Configuration logs | applog.log | csc |
| Hotspot | Hotspot service | hostapd.log | hostapd |
| Hotspot | Hotspot service | hotspot.log | hotspotd |
| Hotspot | Hotspot service | hotspotd.log | hotspotd |
| iView | iVew logging service | iview.log | |
| Licensing | Licensing log | licensing.log | |
| Net-SNMP | SNMP log file | snmpd.log | snmpd |
| OpenSSH | OpenSSH/Dropbear service | sshd.log | |
| OpenSSH | OpenSSH/Dropbear service | ssod.log | ssod |
| RED | RED service | red.log | red |
| SMB filesystem | SMB filesystem log files | smbnetfs.log | |
| SMB filesystem | SMB filesystem log files | snireport.log | |
| Sysinit | System FSCK logs | sysinit.log | sysinit |
| Syslog | Syslog service | syslog.log | syslog |
| System Updates | System update log | u2d.log | u2d |
| Signature upgrade | Signature upgrade log | sig_update.log | |
| Validation | Validation log files | validation.log | |
| Validation | Validation log files | validationError.log | |
| VMware tools | VMware tool service (SRM) | vmtool.log | vmtool |
| Wi-Fi | Wi-Fi authentication service | wifiauth.log | |
