
XG Logfile Guide

https://utm-shop.de/information/technische-informationen/sophos-xgs-firewall/sophos-firewall-logfile-guide

Sophos Firewall Logfile Guide

Log files are used by the WebAdmin console to generate reports. You can view the log files either via the Log viewer or via the Command Line Interface (CLI).

Accessing the log files

Via the WebAdmin:

Click on "Log viewer" in the upper right area of the screen. The Log viewer opens in a new window. The following logs can be searched via the Log viewer:

- Admin
- Advanced threat protection
- Application filter
- Authentication
- Email
- Firewall
- IPS
- Malware
- Security Heartbeat
- SSL/TLS inspection
- System
- Web content policy
- Web filter
- Web server protection
- Zero-day protection

Via the Advanced Shell

  1. Connect to the Sophos Firewall with an SSH client on port 22.
  2. Select option 5 Device Management --> 3 Advanced Shell

In the Advanced Shell you will find the log files in the /log directory. When a log rotation takes place, a suffix is appended to the file extension (e.g. smtp_main.log becomes smtp_main.log0). You can use the following commands to output the contents of the log files in different ways.

| Command | Example | Description |
|---|---|---|
| tail -f | tail -f /log/<logfilename>.log | Prints the last lines of <logfilename>.log and keeps following new lines as they are written |
| less | less /log/<logfilename>.log | Displays <logfilename>.log statically (paged) |
| grep | grep <Keyword> /log/<logfilename>.log | Searches <logfilename>.log for lines containing <Keyword> |
| service | service <service name>:start/restart/stop/debug -ds nosync | Starts, restarts, stops or debugs the service <service name> |
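As an added example (not part of the original guide), the following POSIX shell script for the Advanced Shell greps a log together with its rotated copies, assuming only the rotation naming scheme described above; the log name smtpd_reject, the LOGDIR variable and the sample lines in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: search a Sophos Firewall log
# together with its rotated copies from the Advanced Shell. It assumes only
# the rotation scheme described above (smtp_main.log -> smtp_main.log0,
# then .log1, ...). LOGDIR defaults to /log; set it to search a copy elsewhere.
LOGDIR="${LOGDIR:-/log}"

# Print the live log first, then its rotated copies in numeric suffix order
# (so .log10 comes after .log9, which a plain alphabetical listing gets wrong).
rotated_logs() {
    name="$1"
    if [ -f "$LOGDIR/$name.log" ]; then
        printf '%s\n' "$LOGDIR/$name.log"
    fi
    for f in "$LOGDIR/$name".log[0-9]*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "${f##*.log}" "$f"   # "<suffix> <path>" for sorting
    done | sort -n | cut -d' ' -f2-
}

# grep a keyword across the live log and all rotated copies, prefixing each
# hit with its file name so you can tell which rotation it came from.
grep_rotated() {
    keyword="$1"; name="$2"
    rotated_logs "$name" | while IFS= read -r f; do
        grep -H -- "$keyword" "$f" || true   # no hits in one file is not an error
    done
}

# Total number of matching lines across all copies.
count_rotated() {
    grep_rotated "$1" "$2" | wc -l | tr -d ' '
}

# Demo on constructed sample lines (not real firewall output) for running the
# script off the firewall: builds a temporary log directory and searches it.
demo() {
    LOGDIR=$(mktemp -d)
    printf 'live: reject sender a\nlive: accepted\n' > "$LOGDIR/smtpd_reject.log"
    printf 'rot0: reject sender b\n' > "$LOGDIR/smtpd_reject.log0"
    printf 'rot1: accepted\n' > "$LOGDIR/smtpd_reject.log1"
    printf 'rot10: reject sender c\n' > "$LOGDIR/smtpd_reject.log10"
    grep_rotated reject smtpd_reject
    echo "matches: $(count_rotated reject smtpd_reject)"   # prints 3
    rm -rf "$LOGDIR"
}

if [ ! -d "$LOGDIR" ]; then demo; fi
```

On the firewall itself, source the script and call e.g. `grep_rotated Reject smtpd_reject` to search the live smtpd_reject.log and every rotated copy in one go.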

The following logs are available to you via the console:

Antivirus

| Name | Description | Log file | Service |
|---|---|---|---|
| Antivirus | Antivirus service | av.log | Antivirus |
| Antivirus updates | Antivirus update service | up2date_av.log | |
| Anti-spam | Anti-spam service | sasi.log | Anti-spam |
| Sandbox | Sandbox service | sandboxd.log | sandboxd |
| Sandbox | Sandbox service | sessiontbl.log | - |

  • Sophos Firewall uses Avira and Sophos Antivirus

Authentication

| Name | Description | Log file | Service |
|---|---|---|---|
| Access server | User authentication, authorization, and accounting service | access_server.log | access_server |
| Chromebook authentication | Chromebook SSO service | chromebook-sso-backend.log | clientless_access |
| NASM | NTLM authentication service | nasm.log | nasm |

  • The Access Server is purpose-built to handle AAA activity

Database

| Name | Description | Log file | Service |
|---|---|---|---|
| Configuration database | Configuration database log files | confdbstatus.log | |
| Configuration database | Configuration database log files | crreportdb.log | |
| Garner | Logging service for postponement, event log and graphs | garner.log | garner |
| Migration database | Report migration log files | sac-feedback.log | |
| Migration database | Report migration log files | reportmigration.log | |
| Postgres database | Configuration database service | postgres.log | postgres |
| Signature database | Signature database service | sigdb.log | sigdb |
| Reporting database | Report database service | reportdb.log | reportdb |

Firewall

| Name | Description | Log file | Service |
|---|---|---|---|
| BWM | Bandwidth management service (QoS) | bwm.log | bwm |
| Firewall rule logging | Firewall rule logging service | firewall_rule.log | |
| Firewall | Virtual host service | vhost.log | |
| FWlog | Firewall logging service | fwlog.log | fwlog |
| NAT | NAT rule log files | nat_rule.log | |
| NAT | NAT rule log files | pimd.log | pimd |
| Pktcap | Packet capture service (GUI DG option) | pktcapd.log | pktcapd |

  • Sophos Firewall uses iptables, the ARP table, ipset and conntrack for firewall connections
  • IMQ is used for QoS

GUI and CLI

| Name | Description | Log file | Service |
|---|---|---|---|
| Apache | GUI service | apache.log | apache |
| Apache | GUI service | apache_access.log | apache |
| SSH | SSH logs | sshd.log | sshd |
| Error log | Error log messages for GUI and CLI | error_log.log | |
| Tomcat | GUI service | tomcat.log | tomcat |

Heartbeat

| Name | Description | Log file | Service |
|---|---|---|---|
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-eventd |
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-heartbeatd |
| Heartbeat | Heartbeat to Sophos Central communication service | | fwcm-updaterd |
| Heartbeat | Heartbeat service | heartbeatd.log | heartbeatd |
| Heartbeat | Heartbeat to Central communication | hbtrust.log | heartbeatd |

High Availability

| Name | Description | Log file | Service |
|---|---|---|---|
| Ctsync | Conntrack synchronization service | ctsyncd.log | ctsyncd |
| High availability | HA configuration and status updates | applog.log | |
| High availability | HA pair service | ha_pair.log | ha_pair |
| High availability | HA tunnel service | ha_tunnel.log | ha_tunnel |
| Msync | HA synchronization service | msync.log | msync |

Intrusion prevention and application filter

| Name | Description | Log file | Service |
|---|---|---|---|
| Application filter | The application filter uses the same service and log file as IPS | ips.log | ips |
| Intrusion prevention and application filter | Antivirus service | avd.log | antivirus |
| Intrusion prevention and application filter | Intrusion prevention upgrade service | sig_upgrade.log | |
| Intrusion prevention and application filter | Intrusion prevention migration service | sigmigration.log | |
| IPS | Intrusion prevention filter service | ips.log | ips |

Network

The following logs relate to general network services.

| Name | Description | Log file | Service |
|---|---|---|---|
| Dead gateway detection | MLM, VPN failover, dead gateway detection | dgd.log | DGD |
| DHCP | Dynamic host configuration server service | dhcpd.log | dhcpd |
| DHCP6 | Dynamic host control service for IPv6 | dhcp6.log | dhcpd6 |
| DDC | Dynamic domain name service client service | ddc.log | ddc |
| DNS | DNS service | dnsd.log | dnsd |
| DNS | DNS service | dnsgrabber.log | dnsd |
| DNS | DNS service | eacd.log | |
| DNS | DNS service | entity.log | |
| Network | Network service - Interface/IP/PPPoE | networkd.log | networkd |
| Network | FQDN logging service | fqdnd.log | fqdnd |
| Network | FQDN logging service | fqdndebug.log | fqdnd |
| NTPclient | Network time protocol client service | ntpclient.log | ntpclient |
| RAD | Router advertisement service for IPv6 | radvd.log | radvd |

The following logs belong to dynamic routing services.

| Name | Description | Log file | Service |
|---|---|---|---|
| BGP | Border Gateway Protocol routing service | bgpd.log | bgpd |
| OSPF | Open Shortest Path First routing service | ospfd.log | ospfd |
| RIP | Routing Information Protocol routing service | ripd.log | ripd |

The following logs belong to static routing services.

| Name | Description | Log file | Service |
|---|---|---|---|
| Application based routing | Application based routing service | appcached.log | appcached |
| Application based routing | Redis service | redis | redis-appcache |
| Multicast routing | Multicast routing service | mrouting.log | mrouting |
| Zebra | Static routing service | zebra.log | zebra |

Proxy (HTTPS, SMTPS, POP, IMAP, FTP and WAF proxy)

| Name | Description | Log file | Service |
|---|---|---|---|
| Awarrenhttp | HTTPS proxy service | awarrenhttp.log | awarrenhttp |
| Awarrenhttp access | HTTPS proxy service website access | awarrenhttp_access.log | awarrenhttp |
| Awarrensmtp | SMTPS legacy proxy service | awarrensmtp.log | awarrensmtp |
| Awarrenmta | Mail transfer agent proxy service | awarrenmta.log | awarrenmta |
| Awarrenmta debug (v17+) | Mail transfer agent proxy service debug mode | awarrenmta_debug.log | awarrenmta |
| FTP | FTP proxy service | ftpproxy.log | FTPproxy |
| nSXLd | Web categorization and IP reputation | nSXLd.log | nSXLd |
| Skein | HTTP/FTP legacy proxy | skein.log | |
| SMTP (v17.5+) | Mail transfer agent proxy service | smtpd_main.log | smtpd |
| SMTP error (v17.5+) | Mail transfer agent proxy service errors | smtpd_error.log | smtpd |
| SMTP panic (v17.5+) | Mail transfer agent proxy service panic | smtpd_panic.log | smtpd |
| SMTP reject (v17.5+) | Mail transfer agent proxy service reject | smtpd_reject.log | smtpd |
| Warren | POP/IMAP proxy service | warren.log | warren |
| WAF | Web application firewall proxy service | reverseproxy.log | reverseproxy |
| Web proxy | Web proxy service | webproxy.log | |
| WINGc (v15+) | Web categorization | WINGc.log | WINGc |

VPN

| Name | Description | Log file | Service |
|---|---|---|---|
| Clientless SSL VPN | Clientless SSL VPN client service | clientless_access.log | clientless_access |
| IPsec (v15-v16) | IPsec VPN service | ipsec.log | ipsec |
| IPsec (v17+) | IPsec VPN service | strongswan.log | strongswan |
| IPsec (v17+) | IPsec VPN service | charon.log | strongswan |
| IPsec | IPsec connection testing log files | ipsec_Test_Connect.log | |
| IPsec | IPsec monitoring service | ipsec_monitor.log | ipsec_monitor |
| L2TP | Layer 2 tunneling protocol daemon | l2tpd.log | l2tpd |
| PPTP | Point-to-point tunneling VPN daemon | pptpvpn.log | pptpd |
| SSL VPN | SSL VPN client service | sslvpn.log | sslvpn |
| VPN PKI | VPN PKI logs | vpncertificate.log | |
| VPN PKI | VPN PKI logs | wc_remote.log | |
| VPN service | VPN service | strongswan-monitor.log | strongswan |
| VPN service | VPN service | sync.log | |
| XFRM | XFRM tunnel interface service | xfrmi.log | |

  • Sophos Firewall uses Openswan for IPsec VPN and OpenVPN for SSL VPN.

Other log files

| Name | Description | Log file | Service |
|---|---|---|---|
| API | API service log | apiparser.log | |
| API | API service log | app-feedback.log | |
| AWED | Wireless controller service | awed.log | awed |
| Category updates | Category update log file | catUpdateLog | |
| Central management | Central management service | centralmanagement.log | |
| Central management | Central management service | sophos-central.log | |
| CSC | Sophos Central service which manages all services | csc.log | csc |
| CSC helper | CSC helper service | cschelper.log | csc |
| CSC | CSC service | csd.log | csc |
| CSC | Configuration logs | applog.log | csc |
| Hotspot | Hotspot service | hostapd.log | hostapd |
| Hotspot | Hotspot service | hotspot.log | hotspotd |
| Hotspot | Hotspot service | hotspotd.log | hotspotd |
| iView | iView logging service | iview.log | |
| Licensing | Licensing log | licensing.log | |
| Net-SNMP | SNMP log file | snmpd.log | snmpd |
| OpenSSH | OpenSSH/Dropbear service | sshd.log | |
| OpenSSH | OpenSSH/Dropbear service | ssod.log | ssod |
| RED | RED service | red.log | red |
| SMB filesystem | SMB filesystem log files | smbnetfs.log | |
| SMB filesystem | SMB filesystem log files | snireport.log | |
| Sysinit | System FSCK logs | sysinit.log | sysinit |
| Syslog | Syslog service | syslog.log | syslog |
| System updates | System update log | u2d.log | u2d |
| Signature upgrade | Signature upgrade log | sig_update.log | |
| Validation | Validation log files | validation.log | |
| Validation | Validation log files | validationError.log | |
| VMware tools | VMware tool service (SRM) | vmtool.log | vmtool |
| Wi-Fi | Wi-Fi authentication service | wifiauth.log | |