Sophos Firewall Logfile Guide
The WebAdmin console uses the log files to generate reports. You can view the log files either in the Log Viewer or on the command line interface (CLI).
Accessing the log files
Via the WebAdmin:
Click "Log Viewer" in the upper right area of the screen. The Log Viewer opens in a new window. The following logs can be searched in the Log Viewer:
- Admin
- Advanced threat protection
- Application filter
- Authentication
- Email
- Firewall
- IPS
- Malware
- Security Heartbeat
- SSL/TLS inspection
- System
- Web content policy
- Web filter
- Web server protection
- Zero-day protection
Via the Advanced Shell
- Connect to the Sophos Firewall with an SSH client on port 22.
- Select option 5 Device Management --> 3 Advanced Shell
In the Advanced Shell the log files are located in the /log directory. When a log is rotated, a suffix is appended to the file extension (for example, smtp_main.log becomes smtp_main.log0), so a search of the current file alone does not cover the rotated copies. You can use the following commands to display the contents of the log files in different ways.
| Command | Example | Description |
| --- | --- | --- |
| tail -f | tail -f /log/<logfilename>.log | Prints the last lines of <logfilename>.log and keeps printing new lines as they are written |
| less | less /log/<logfilename>.log | Displays <logfilename>.log statically, for paging through it |
| grep | grep <Keyword> /log/<logfilename>.log | Searches <logfilename>.log for lines containing <Keyword> |
| service | service <service name>:start/restart/stop/debug -ds nosync | Starts, restarts, stops or puts the service <service name> into debug mode |
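Because rotation moves older entries into separate files (<name>.log0, <name>.log1, ...), a plain grep on /log/<name>.log only covers the live file. The following POSIX shell script is an added example and not part of the Sophos guide or Sophos' own tooling: it lists the whole rotation chain of a log oldest-first, greps across it with the originating file prefixed to each hit, and counts matches. The /log layout and the numeric suffix convention follow the guide; the function names, the LOGDIR override and the sample log lines are this example's own constructions (the sample lines do not reproduce any real Sophos log format), and it assumes the usual rotation convention that a higher suffix is an older copy.

```shell
#!/bin/sh
# Added example (not Sophos' own tooling): search a log in /log together with
# all of its rotated copies. Layout per the guide: <name>.log is the live file,
# <name>.log0, <name>.log1, ... are rotated copies. Assumption: a higher
# numeric suffix is an older copy (the usual rotation convention).

LOGDIR="${LOGDIR:-/log}"   # assumption: override to run outside the firewall

# log_chain <name>: print the rotation chain for <name>, oldest first, so that
# grep output reads chronologically. Files that do not exist are skipped.
log_chain() {
    base="$LOGDIR/$1.log"
    # rotated copies, ordered by numeric suffix, highest (oldest) first
    for f in "$base"[0-9]*; do
        [ -f "$f" ] && printf '%s\n' "${f#"$base"}"
    done | sort -rn | while read -r n; do printf '%s\n' "$base$n"; done
    [ -f "$base" ] && printf '%s\n' "$base"   # live file comes last
    return 0
}

# grep_logs <name> <pattern>: grep the whole chain, prefixing every hit with
# the file it came from (like grep -H, without relying on that flag).
grep_logs() {
    name="$1"; pattern="$2"
    log_chain "$name" | while read -r f; do
        grep -- "$pattern" "$f" | while read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# count_matches <name> <pattern>: number of matching lines across the chain.
count_matches() {
    grep_logs "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_logs <dir>: write a constructed rotation chain for testing.
# The line contents are invented for this example, not real Sophos log lines.
make_sample_logs() {
    d="$1"
    printf '%s\n' 'user alice connected' 'user bob auth failed' > "$d/sslvpn.log1"
    printf '%s\n' 'user bob auth failed' 'user carol connected' > "$d/sslvpn.log0"
    printf '%s\n' 'user bob auth failed' 'user alice disconnected' > "$d/sslvpn.log"
    printf '%s\n' 'unrelated entry' > "$d/admin.log"
}

# "sh logsearch.sh demo" runs the functions against the constructed sample;
# on the firewall, source the file instead and call them with LOGDIR=/log.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_logs "$tmp"
    LOGDIR="$tmp"
    echo "chain:"; log_chain sslvpn
    echo "hits:";  grep_logs sslvpn 'auth failed'
    echo "count: $(count_matches sslvpn 'auth failed')"
    rm -rf "$tmp"
fi
```

On the firewall, `. ./logsearch.sh` in the Advanced Shell makes the functions available with the default LOGDIR of /log, so `grep_logs sslvpn <Keyword>` covers sslvpn.log and every sslvpn.logN still present, oldest first.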
The following logs are available to you via the console:
Antivirus
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Antivirus | Antivirus service | av.log | Antivirus |
| Antivirus updates | Antivirus update service | up2date_av.log | |
| Anti-spam | Anti-spam service | sasi.log | Anti-spam |
| Sandbox | Sandbox service | sandboxd.log | sandboxd |
| Sandbox | Sandbox service | sessiontbl.log | - |
- Sophos Firewall uses the Avira and Sophos antivirus engines
Authentication
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Access server | User authentication, authorization and accounting service | access_server.log | access_server |
| Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access |
| NASM | NTLM authentication service | nasm.log | nasm |
- The access server is a custom-built component that handles AAA activity
Database
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Configuration database | Configuration database log files | confdbstatus.log | |
| Configuration database | Configuration database log files | crreportdb.log | |
| Garner | Logging service for postponement, event log and graphs | garner.log | garner |
| Migration database | Report migration log files | sac-feedback.log | |
| Migration database | Report migration log files | reportmigration.log | |
| Postgres database | Configuration database service | postgres.log | postgres |
| Signature database | Signature database service | sigdb.log | sigdb |
| Reporting database | Report database service | reportdb.log | reportdb |
Firewall
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| BWM | Bandwidth management service (QoS) | bwm.log | bwm |
| Firewall rule logging | Firewall rule logging service | firewall_rule.log | |
| Virtual host | Virtual host service | vhost.log | |
| FWlog | Firewall logging service | fwlog.log | fwlog |
| NAT | NAT rule log files | nat_rule.log | |
| PIMD | Protocol Independent Multicast routing daemon | pimd.log | pimd |
| Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd |
- Sophos Firewall uses iptables, the ARP table, ipset and conntrack for firewall connections
- IMQ (intermediate queueing device) is used for QoS
GUI and CLI
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Apache | GUI service | apache.log | apache |
| Apache | GUI service (access log) | apache_access.log | apache |
| SSH | SSH logs | sshd.log | sshd |
| Error log | Error log messages for GUI and CLI | error_log.log | |
| Tomcat | GUI service | tomcat.log | tomcat |
Heartbeat
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-eventd | |
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-heartbeatd | |
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-updaterd | |
| Heartbeat | Heartbeat service | heartbeatd.log | heartbeatd |
| Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd |
High Availability
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd |
| High availability | HA configuration and status updates | applog.log | |
| High availability | HA pair service | ha_pair.log | ha_pair |
| High availability | HA tunnel service | ha_tunnel.log | ha_tunnel |
| Msync | HA synchronization service | msync.log | msync |
Intrusion prevention and application filter
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Application filter | The application filter uses the same service and log file as IPS | ips.log | ips |
| Intrusion prevention and application filter | Antivirus service | avd.log | antivirus |
| Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log | |
| Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log | |
| IPS | Intrusion prevention service | ips.log | ips |
Network
The following logs relate to general network services:
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD |
| DHCP | DHCP server service | dhcpd.log | dhcpd |
| DHCP6 | DHCP server service for IPv6 | dhcp6.log | dhcpd6 |
| DDC | Dynamic DNS client service | ddc.log | ddc |
| DNS | DNS service | dnsd.log | dnsd |
| DNS | DNS service | dnsgrabber.log | dnsd |
| DNS | DNS service | eacd.log | |
| DNS | DNS service | entity.log | |
| Network | Network service (interface/IP/PPPoE) | networkd.log | networkd |
| Network | FQDN logging service | fqdnd.log | fqdnd |
| Network | FQDN logging service (debug) | fqdndebug.log | fqdnd |
| NTP client | Network Time Protocol client service | ntpclient.log | ntpclient |
| RAD | Router advertisement daemon for IPv6 | radvd.log | radvd |
The following logs belong to the dynamic routing services:
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |
| OSPF | Open Shortest Path First routing service | ospfd.log | ospfd |
| RIP | Routing Information Protocol routing service | ripd.log | ripd |
The following logs belong to the static routing services:
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Application based routing | Application based routing service | appcached.log | appcached |
| Application based routing | Redis service | redis | redis-appcache |
| Multicast routing | Multicast routing service | mrouting.log | mrouting |
| Zebra | Static routing service | zebra.log | zebra |
Proxy (HTTP(S), SMTP(S), POP, IMAP, FTP and WAF proxies)
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Awarrenhttp | HTTP/HTTPS proxy service | awarrenhttp.log | awarrenhttp |
| Awarrenhttp access | HTTP/HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp |
| Awarrensmtp | SMTP(S) legacy proxy service | awarrensmtp.log | awarrensmtp |
| Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta |
| Awarrenmta debug | (v17+) Mail transfer agent proxy service, debug mode | awarrenmta_debug.log | awarrenmta |
| FTP | FTP proxy service | ftpproxy.log | FTPproxy |
| nSXLd | Web categorization and IP reputation service | nSXLd.log | nSXLd |
| Skein | HTTP/FTP legacy proxy | skein.log | |
| SMTP | (v17.5+) Mail transfer agent proxy service | smtpd_main.log | smtpd |
| SMTP error | (v17.5+) Mail transfer agent proxy service errors | smtpd_error.log | smtpd |
| SMTP panic | (v17.5+) Mail transfer agent proxy service panics | smtpd_panic.log | smtpd |
| SMTP reject | (v17.5+) Mail transfer agent proxy service rejects | smtpd_reject.log | smtpd |
| Warren | POP/IMAP proxy service | warren.log | warren |
| WAF | Web application firewall proxy service | reverseproxy.log | reverseproxy |
| Web proxy | Web proxy service | webproxy.log | |
| WINGc | (v15+) Web categorization | WINGc.log | WINGc |
VPN
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| Clientless SSL VPN | Clientless SSL VPN service | clientless_access.log | clientless_access |
| IPsec | (v15-v16) IPsec VPN service | ipsec.log | ipsec |
| IPsec | (v17+) IPsec VPN service | strongswan.log | strongswan |
| IPsec | (v17+) IPsec VPN service (charon IKE daemon) | charon.log | strongswan |
| IPsec | IPsec connection test log files | ipsec_Test_Connect.log | |
| IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor |
| L2TP | Layer 2 Tunneling Protocol daemon | l2tpd.log | l2tpd |
| PPTP | Point-to-Point Tunneling Protocol VPN daemon | pptpvpn.log | pptpd |
| SSL VPN | SSL VPN service | sslvpn.log | sslvpn |
| VPN PKI | VPN PKI logs | vpncertificate.log | |
| VPN PKI | VPN PKI logs | wc_remote.log | |
| VPN service | VPN service | strongswan-monitor.log | strongswan |
| VPN service | VPN service | sync.log | |
| XFRM | XFRM tunnel interface service | xfrmi.log | |
- Sophos Firewall used Openswan for IPsec VPN up to v16 (ipsec.log) and uses strongSwan from v17 on (strongswan.log, charon.log); SSL VPN is based on OpenVPN.
Other log files
| Name | Description | Log file | Service |
| --- | --- | --- | --- |
| API | API service log | apiparser.log | |
| API | API service log | app-feedback.log | |
| AWED | Wireless controller service | awed.log | awed |
| Category updates | Category update log file | catUpdateLog | |
| Central management | Central management service | centralmanagement.log | |
| Central management | Central management service | sophos-central.log | |
| CSC | Sophos Central service which manages all services | csc.log | csc |
| CSC helper | CSC helper service | cschelper.log | csc |
| CSC | CSC service | csd.log | csc |
| CSC | Configuration logs | applog.log | csc |
| Hotspot | Hotspot service | hostapd.log | hostapd |
| Hotspot | Hotspot service | hotspot.log | hotspotd |
| Hotspot | Hotspot service | hotspotd.log | hotspotd |
| iView | iView logging service | iview.log | |
| Licensing | Licensing log | licensing.log | |
| Net-SNMP | SNMP log file | snmpd.log | snmpd |
| OpenSSH | OpenSSH/Dropbear service | sshd.log | |
| OpenSSH | OpenSSH/Dropbear service | ssod.log | ssod |
| RED | RED service | red.log | red |
| SMB filesystem | SMB filesystem log files | smbnetfs.log | |
| SMB filesystem | SMB filesystem log files | snireport.log | |
| Sysinit | System FSCK logs | sysinit.log | sysinit |
| Syslog | Syslog service | syslog.log | syslog |
| System updates | System update log | u2d.log | u2d |
| Signature upgrade | Signature upgrade log | sig_update.log | |
| Validation | Validation log files | validation.log | |
| Validation | Validation log files | validationError.log | |
| VMware tools | VMware tools service (SRM) | vmtool.log | vmtool |
| Wi-Fi | Wi-Fi authentication service | wifiauth.log | |