Sophos Firewall provides event logs for traffic, system, and network protection functions. Use logs to analyze network activity and identify security issues.
Where to find it
Go to System services > Log settings.
What you can configure
On the Log settings page, you can choose which log types to:
- store locally and view in the Log viewer
- send to Sophos Central
- send to syslog servers
You can select logs by:
- module or feature
- all logs
Local reporting
To store event logs locally and display them in the Log viewer, select the desired log types under Local reporting.
Central reporting
To send logs to Sophos Central:
- Turn on Sophos Central services in Sophos Central.
- On the Log settings page, select the log types under Central reporting.
Note: This applies to logs only, not reports.
Syslog servers
You can configure up to five syslog servers to receive event logs.
- Syslog normally uses UDP port 514
- To add a server, click Add and enter the server details
TLS note
If you use a TLS connection in LINCE mode, the certificate Common Name (CN) or Subject Alternative Name (SAN) must match the syslog server’s domain. If LINCE is off, the firewall verifies only the CN.
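The following added example (not Sophos code, and not from the original page) models the CN/SAN rule above as a check you can run against a syslog server certificate before configuring it on the firewall. The function names, the `.test` hostnames and the exact, case-insensitive comparison without wildcard handling are assumptions; the page does not describe the firewall's matching logic in that detail.

```python
# Added example (not Sophos code): models the CN/SAN rule in the TLS note.
# Certificates are dicts in the format returned by ssl.SSLSocket.getpeercert().
# Assumption: exact, case-insensitive name comparison; wildcards are not handled.

def common_names(cert):
    """Return every commonName value in the certificate subject."""
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def dns_sans(cert):
    """Return every DNS-type Subject Alternative Name."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _norm(name):
    return name.rstrip(".").lower()


def syslog_cert_matches(cert, server_domain, lince):
    """Return (ok, reason) for the syslog server domain configured on the firewall."""
    target = _norm(server_domain)
    if any(_norm(n) == target for n in common_names(cert)):
        return True, "CN matches"
    san_hit = any(_norm(n) == target for n in dns_sans(cert))
    if san_hit and lince:
        return True, "SAN matches (LINCE on)"
    if san_hit:
        return False, "only the SAN matches; with LINCE off only the CN is verified"
    return False, "neither CN nor SAN matches"


# Constructed sample certificates (hypothetical names under .test).
SAN_ONLY_CERT = {
    "subject": ((("organizationName", "Example"),), (("commonName", "Syslog Collector"),)),
    "subjectAltName": (("DNS", "logs.example.test"), ("DNS", "siem.example.test")),
}
CN_CERT = {"subject": ((("commonName", "LOGS.example.test"),),)}

if __name__ == "__main__":
    for label, cert in (("SAN-only", SAN_ONLY_CERT), ("CN", CN_CERT)):
        for lince in (True, False):
            ok, why = syslog_cert_matches(cert, "logs.example.test", lince)
            print(f"{label:8} LINCE={lince!s:5} -> {'accept' if ok else 'reject'}: {why}")
```

A certificate that carries the server's domain only in the SAN passes with LINCE on and fails with LINCE off, so a connection that works in one mode can break when the mode changes.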
Log suppression
You can suppress repeated consecutive log entries for the same event to save space and processing.
- Applies to logs sent to:
  - Log viewer
  - Sophos Central
  - third-party syslog servers
- Under Suppress logs, select All to suppress all logs currently supported under Firewall
Related log types
Examples of log sources include:
- Firewall: traffic, firewall rules, MAC filtering, DoS attacks
- NAT: NAT rules and settings
- IPS/Application filter: intrusion prevention, app control
- Antivirus: AV service and updates
- Web: web categorization, IP reputation, and related web traffic logs
https://docs.sophos.com/nsg/sophos-firewall/22.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/