Sophos Firewall Logfile Guide
Log files are used by the WebAdmin console to generate reports. You can view the log files either through the Log viewer or through the command line interface (CLI).
Accessing the log files
Via WebAdmin:
Click "Log viewer" in the top right of the screen. The Log viewer opens in a new window. The following logs can be searched through the Log viewer:
- Admin
- Advanced threat protection
- Application filter
- Authentication
- Email
- Firewall
- IPS
- Malware
- Security Heartbeat
- SSL/TLS inspection
- System
- Web content policy
- Web filter
- Web server protection
- Zero-day protection
Via the Advanced Shell
- Connect to the Sophos Firewall with an SSH client on port 22.
- Choose option 5 Device Management --> 3 Advanced Shell
In the Advanced Shell the log files live in the /log directory. When a log is rotated, a number is appended to the file extension (for example, smtp_main.log becomes smtp_main.log0), so the live file is always the one without a suffix. You can use the following commands to display the contents of the log files in different ways.
| Command | Example | Description |
|---|---|---|
| tail -f | tail -f /log/<logfilename>.log | Prints the last lines of <logfilename>.log and keeps printing new lines as they are appended (Ctrl+C to stop) |
| less | less /log/<logfilename>.log | Displays <logfilename>.log statically so you can page through it |
| grep | grep <Keyword> /log/<logfilename>.log | Searches <logfilename>.log for lines containing <Keyword> |
| service | service <service name>:start/restart/stop/debug -ds nosync | Starts, restarts, stops or switches the service <service name> into debug mode |
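The commands above only look at the live file, but after a rotation the lines you want are often in one of the numbered generations. The following POSIX sh script is an added example (it is not from the Sophos page and not Sophos code) that lists every generation of a log, oldest first, and greps across all of them in chronological order from the Advanced Shell. It assumes the rotation scheme the page describes (a number appended to the extension, with a higher number meaning an older generation); the LOGDIR variable, the function names and the usage line are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Sophos page or from Sophos): read a log together
# with all of its rotated generations in chronological order.
# Assumptions: rotation appends a number to the extension (<name>.log -> <name>.log0)
# and a higher number is an older generation. LOGDIR can be pointed at a
# scratch directory to try this outside the firewall.
LOGDIR="${LOGDIR:-/log}"

# rotated_logs <name>: print the paths of <name>.log and its rotated
# generations, oldest first, so a pipeline sees events in time order.
rotated_logs() {
    name="$1"
    for f in "$LOGDIR/$name".log[0-9]*; do
        [ -e "$f" ] || continue          # an unmatched glob stays literal: skip it
        printf '%s\n' "${f##*.log}"      # keep only the numeric suffix
    done | sort -rn | while read -r n; do
        printf '%s\n' "$LOGDIR/$name.log$n"
    done
    if [ -e "$LOGDIR/$name.log" ]; then
        printf '%s\n' "$LOGDIR/$name.log"   # the live file is always the newest
    fi
}

# search_log <name> <pattern>: grep <pattern> across every generation of
# <name>.log, oldest first, prefixing each hit with the file it came from.
# grep's "no match" exit status for an individual file is deliberately ignored.
search_log() {
    name="$1"
    pattern="$2"
    rotated_logs "$name" | while read -r f; do
        grep -H -- "$pattern" "$f" || true
    done
}

# Usage on the firewall, e.g.:  sh searchlog.sh smtpd_main "550"
if [ $# -ge 2 ]; then
    search_log "$1" "$2"
fi
```

The numeric sort matters: a plain `ls` would put smtpd_main.log10 before smtpd_main.log2, which silently scrambles the timeline when you pipe the result into grep or less.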
The following logs are available through the console:
Antivirus
| Name | Description | Log file | Service |
|---|---|---|---|
| Antivirus | Antivirus service | av.log | Antivirus |
| Antivirus updates | Antivirus update service | up2date_av.log | |
| Anti-spam | Anti-spam service | sasi.log | Anti-spam |
| Sandbox | Sandbox service | sandboxd.log | sandboxd |
| Sandbox | Sandbox service | sessiontbl.log | - |
- Sophos Firewall uses the Avira and Sophos antivirus engines
Authentication
| Name | Description | Log file | Service |
|---|---|---|---|
| Access server | User authentication, authorization, and accounting service | access_server.log | access_server |
| Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access |
| NASM | NTLM authentication service | nasm.log | nasm |
- The access server is purpose-built to handle AAA (authentication, authorization and accounting) activity
Database
| Name | Description | Log file | Service |
|---|---|---|---|
| Configuration database | Configuration database log files | confdbstatus.log | |
| Configuration database | Configuration database log files | crreportdb.log | |
| Garner | Logging service for postponement, event log and graphs | garner.log | garner |
| Migration database | Report migration log files | sac-feedback.log | |
| Migration database | Report migration log files | reportmigration.log | |
| Postgres database | Configuration database service | postgres.log | postgres |
| Signature database | Signature database service | sigdb.log | sigdb |
| Reporting database | Report database service | reportdb.log | reportdb |
Firewall
| Name | Description | Log file | Service |
|---|---|---|---|
| BWM | Bandwidth management service (QoS) | bwm.log | bwm |
| Firewall rule logging | Firewall rule logging service | firewall_rule.log | |
| Firewall | Virtual host service | vhost.log | |
| FWlog | Firewall logging service | fwlog.log | fwlog |
| NAT | NAT rule log files | nat_rule.log | |
| PIM | Protocol Independent Multicast routing daemon | pimd.log | pimd |
| Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd |
- Sophos Firewall uses iptables, the ARP table, ipset and conntrack for firewall connections
- IMQ is used for QoS
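When a host is being blocked repeatedly, firewall_rule.log is the first file to check, and a few shell pipelines answer "who is being denied, and to which ports?" faster than scrolling through it. The script below is an added example, not from the Sophos page and not Sophos code. It assumes the space-separated key=value line layout that Sophos Firewall uses for its logs; the field names it relies on (log_subtype, src_ip, dst_port), the function names and the sample lines are constructed for this example and should be checked against your own /log/firewall_rule.log before you rely on them.

```shell
#!/bin/sh
# Added example (not from the Sophos page or from Sophos): first-pass triage
# of firewall_rule.log from the Advanced Shell. Assumes space-separated
# key=value log lines; the field names log_subtype, src_ip and dst_port and
# the sample lines below are constructed assumptions for this example.

# extract_field <key>: print the value of key=value from each stdin line,
# whether or not the value is wrapped in double quotes.
extract_field() {
    sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# denied_by_source <file>: "<count> <src_ip>" for every source that hit a
# denied rule, most frequent first. Allowed traffic is excluded.
denied_by_source() {
    grep 'log_subtype="Denied"' "$1" \
        | extract_field src_ip \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# denied_ports <file> <src_ip>: distinct destination ports that <src_ip>
# was denied to reach, ascending; a long list is a hint of a port scan.
# (Dots in <src_ip> are regex wildcards here; the trailing quote/space
# anchor keeps 10.0.0.5 from also matching 10.0.0.50.)
denied_ports() {
    grep 'log_subtype="Denied"' "$1" \
        | grep "[[:space:]]src_ip=\"\{0,1\}$2[\"[:space:]]" \
        | extract_field dst_port \
        | sort -n | uniq | tr '\n' ' '
}

# Constructed sample lines (not real firewall output).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
date=2024-01-15 time=10:00:01 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=10.0.0.5 dst_ip=203.0.113.9 protocol="TCP" src_port=51000 dst_port=445
date=2024-01-15 time=10:00:02 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=3 src_ip=10.0.0.5 dst_ip=203.0.113.9 protocol="TCP" src_port=51001 dst_port=443
date=2024-01-15 time=10:00:03 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=10.0.0.5 dst_ip=203.0.113.9 protocol="TCP" src_port=51002 dst_port=22
date=2024-01-15 time=10:00:04 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=198.51.100.7 dst_ip=203.0.113.9 protocol="TCP" src_port=40000 dst_port=80
date=2024-01-15 time=10:00:05 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=10.0.0.5 dst_ip=203.0.113.9 protocol="TCP" src_port=51003 dst_port=3389
EOF

# On the firewall, replace "$SAMPLE_LOG" with /log/firewall_rule.log.
denied_by_source "$SAMPLE_LOG"
denied_ports "$SAMPLE_LOG" 10.0.0.5
echo
```

Everything used here (sed, grep, sort, uniq, awk, tr) is available in the BusyBox-style Advanced Shell, so the same pipelines work directly against /log/firewall_rule.log; filter on `log_subtype="Denied"` first so that allowed connections from the same host do not inflate the counts.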
GUI and CLI
| Name | Description | Log file | Service |
|---|---|---|---|
| Apache | GUI service | apache.log | apache |
| Apache | GUI service | apache_access.log | apache |
| SSH | SSH logs | sshd.log | sshd |
| Error log | Error log messages for GUI and CLI | error_log.log | |
| Tomcat | GUI service | tomcat.log | tomcat |
Heartbeat
| Name | Description | Log file | Service |
|---|---|---|---|
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-eventd | |
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-heartbeatd | |
| Heartbeat | Heartbeat to Sophos Central communication service | fwcm-updaterd | |
| Heartbeat | Heartbeat service | heartbeatd.log | heartbeatd |
| Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd |
High Availability
| Name | Description | Log file | Service |
|---|---|---|---|
| Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd |
| High availability | HA configuration and status updates | applog.log | |
| High availability | HA pair service | ha_pair.log | ha_pair |
| High availability | HA tunnel service | ha_tunnel.log | ha_tunnel |
| Msync | HA synchronization service | msync.log | msync |
Intrusion prevention and application filter
| Name | Description | Log file | Service |
|---|---|---|---|
| Application filter | The application filter uses the same service and log file as IPS | ips.log | ips |
| Intrusion prevention and application filter | Antivirus service | avd.log | antivirus |
| Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log | |
| Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log | |
| IPS | Intrusion prevention filter service | ips.log | ips |
Network
The following logs relate to general network services
| Name | Description | Log file | Service |
|---|---|---|---|
| Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD |
| DHCP | Dynamic host configuration server service | dhcpd.log | dhcpd |
| DHCP6 | Dynamic host configuration service for IPv6 | dhcp6.log | dhcpd6 |
| DDC | Dynamic domain name service client service | ddc.log | ddc |
| DNS | DNS service | dnsd.log | dnsd |
| DNS | DNS service | dnsgrabber.log | dnsd |
| DNS | DNS service | eacd.log | |
| DNS | DNS service | entity.log | |
| Network | Network service - Interface/IP/PPPoE | networkd.log | networkd |
| Network | FQDN logging service | fqdnd.log | fqdnd |
| Network | FQDN logging service | fqdndebug.log | fqdnd |
| NTPclient | Network time protocol client service | ntpclient.log | ntpclient |
| RAD | Router advertisement service for IPv6 | radvd.log | radvd |
The following logs belong to dynamic routing services
| Name | Description | Log file | Service |
|---|---|---|---|
| BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |
| OSPF | Open Shortest Path First routing service | ospfd.log | ospfd |
| RIP | Routing Information Protocol routing service | ripd.log | ripd |
The following logs belong to static routing services
| Name | Description | Log file | Service |
|---|---|---|---|
| Application based routing | Application based routing service | appcached.log | appcached |
| Application based routing | Redis service | redis | redis-appcache |
| Multicast routing | Multicast routing service | mrouting.log | mrouting |
| Zebra | Static routing service | zebra.log | zebra |
Proxy (HTTPS, SMTPS, POP, IMAP, FTP and WAF proxies)
| Name | Description | Log file | Service |
|---|---|---|---|
| Awarrenhttp | HTTPS proxy service | awarrenhttp.log | awarrenhttp |
| Awarrenhttp access | HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp |
| Awarrensmtp | SMTPS legacy proxy service | awarrensmtp.log | awarrensmtp |
| Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta |
| Awarrenmta debug | (v17+) Mail transfer agent proxy service debug mode | awarrenmta_debug.log | awarrenmta |
| FTP | FTP proxy service | ftpproxy.log | FTPproxy |
| nSXLd | Web categorization and IP reputation | nSXLd.log | nSXLd |
| Skein | HTTP/FTP legacy proxy | skein.log | |
| SMTP | (v17.5+) Mail transfer agent proxy service | smtpd_main.log | smtpd |
| SMTP error | (v17.5+) Mail transfer agent proxy service errors | smtpd_error.log | smtpd |
| SMTP panic | (v17.5+) Mail transfer agent proxy service panic | smtpd_panic.log | smtpd |
| SMTP reject | (v17.5+) Mail transfer agent proxy service rejects | smtpd_reject.log | smtpd |
| Warren | POP/IMAP proxy service | warren.log | warren |
| WAF | Web application firewall proxy service | reverseproxy.log | reverseproxy |
| Web proxy | Web proxy service | webproxy.log | |
| WINGc | (v15+) Web categorization | WINGc.log | WINGc |
VPN
| Name | Description | Log file | Service |
|---|---|---|---|
| Clientless SSL VPN | Clientless SSL VPN client service | clientless_access.log | clientless_access |
| IPsec | (v15-v16) IPsec VPN service | ipsec.log | ipsec |
| IPsec | (v17+) IPsec VPN service | strongswan.log | strongswan |
| IPsec | (v17+) IPsec VPN service | charon.log | strongswan |
| IPsec | IPsec connection testing log files | ipsec_Test_Connect.log | |
| IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor |
| L2TP | Layer 2 tunneling protocol daemon | l2tpd.log | l2tpd |
| PPTP | Point-to-point tunneling VPN daemon | pptpvpn.log | pptpd |
| SSL VPN | SSL VPN client service | sslvpn.log | sslvpn |
| VPN PKI | VPN PKI logs | vpncertificate.log | |
| VPN PKI | VPN PKI logs | wc_remote.log | |
| VPN service | VPN service | strongswan-monitor.log | strongswan |
| VPN service | VPN service | sync.log | |
| XFRM | XFRM tunnel interface service | xfrmi.log | |
- Sophos Firewall uses Openswan for IPsec VPN on v15-v16 and strongSwan (charon) from v17 onward, and OpenVPN for SSL VPN; check the version-specific IPsec log file in the table above.
Other log files
| Name | Description | Log file | Service |
|---|---|---|---|
| API | API service log | apiparser.log | |
| API | API service log | app-feedback.log | |
| AWED | Wireless controller service | awed.log | awed |
| Category updates | Category update log file | catUpdateLog | |
| Central management | Central management service | centralmanagement.log | |
| Central management | Central management service | sophos-central.log | |
| CSC | Sophos Central service which manages all services | csc.log | csc |
| CSC helper | CSC helper service | cschelper.log | csc |
| CSC | CSC service | csd.log | csc |
| CSC | Configuration logs | applog.log | csc |
| Hotspot | Hotspot service | hostapd.log | hostapd |
| Hotspot | Hotspot service | hotspot.log | hotspotd |
| Hotspot | Hotspot service | hotspotd.log | hotspotd |
| iView | iView logging service | iview.log | |
| Licensing | Licensing log | licensing.log | |
| Net-SNMP | SNMP log file | snmpd.log | snmpd |
| OpenSSH | OpenSSH/Dropbear service | sshd.log | |
| OpenSSH | OpenSSH/Dropbear service | ssod.log | ssod |
| RED | RED service | red.log | red |
| SMB filesystem | SMB filesystem log files | smbnetfs.log | |
| SMB filesystem | SMB filesystem log files | snireport.log | |
| Sysinit | System FSCK logs | sysinit.log | sysinit |
| Syslog | Syslog service | syslog.log | syslog |
| System updates | System update log | u2d.log | u2d |
| Signature upgrade | Signature upgrade log | sig_update.log | |
| Validation | Validation log files | validation.log | |
| Validation | Validation log files | validationError.log | |
| VMware tools | VMware tools service (SRM) | vmtool.log | vmtool |
| Wi-Fi | Wi-Fi authentication service | wifiauth.log | |