Avanet

Save Sophos Firewall logs for support and analysis

For outages, VPN issues or unclear firewall events, screenshots from the web interface are often not enough. Sophos Support, Avanet or an external security partner usually needs the relevant firewall log files for proper analysis.

This guide explains how to archive Sophos Firewall logs through the Advanced Shell and provide them for analysis.

Requirements

For this guide, you need:

  • Administrative access to Sophos Firewall
  • Access to the Advanced Shell
  • A target server or another secure way to transfer the log archive
  • Enough free space on the firewall for the temporary archive

The commands are executed directly on the firewall. Work carefully and do not delete files if their purpose is not clear.

If shell access is not yet configured, the guide Connect to Sophos Firewall via SSH explains how to establish an SSH connection to the firewall.

Open Advanced Shell

Log in to Sophos Firewall and open Advanced Shell:

  1. Open Device Management.
  2. Select Advanced Shell.
  3. Confirm access if the firewall shows an additional prompt.

After login, the shell is available and the log files can be archived.

Collect targeted logs before archiving

If an issue can be reproduced, trigger it again shortly before creating the log archive. This makes sure the relevant entries are recent in the log files.

For more complex issues, normal logs may not be enough. In that case, it can be useful to enable debug logging for the affected service before archiving. The section Debug log explains how this works.

Our overview Sophos Firewall troubleshooting: services and logs summarises which log file belongs to which firewall module. This helps identify whether VPN, IPS, web, mail, GUI or system logs are relevant.

Save all log files

Before creating the archive, check whether /var has enough free space:

df -h /var

Then create a compressed archive from the /log directory:

tar -cvzf /var/Sophos-Firewall-Logs.tar.gz -C / log

The command creates:

/var/Sophos-Firewall-Logs.tar.gz

Important parts of the command:

  • tar creates an archive.
  • -c creates a new archive.
  • -v shows processed files.
  • -z compresses the archive with gzip.
  • -f defines the archive filename.
  • -C / changes to the root directory for the archive operation.
  • log is the directory containing the Sophos Firewall log files.

The advantage of -C / is that the command works regardless of the current working directory. A previous cd / is not required. If the file already exists, it is overwritten.

Depending on log size and firewall load, creating the archive may take some time. The tar output shows which files are written to the archive.

Afterwards, check the archive size:

ls -lh /var/Sophos-Firewall-Logs.tar.gz

Copy the archive to a Linux server

If a Linux server is reachable via SSH, transfer the archive with scp.

Example:

scp /var/Sophos-Firewall-Logs.tar.gz root@192.0.2.10:/root/

Adjust the IP address, user and target path to the environment.

After transfer, the archive is available on the target server:

/root/Sophos-Firewall-Logs.tar.gz

From there, it can be shared internally or provided to Sophos Support or Avanet.

Save IPsec diagnostic data separately

For VPN or IPsec issues, the IPsec connection data from /tmp/ipsec/connections/ can also be useful.

Create a separate archive:

tar -cvzf /var/Sophos-Firewall-IPsec-Connections.tar.gz -C /tmp/ipsec connections

Check the created file:

ls -lh /var/Sophos-Firewall-IPsec-Connections.tar.gz

Transfer this archive with scp as well:

scp /var/Sophos-Firewall-IPsec-Connections.tar.gz root@192.0.2.10:/root/

For IPsec errors, it is useful to provide this archive together with the normal firewall logs so that tunnel status, connection information and log entries can be analyzed together.

Security and data protection

Log files may contain sensitive information, for example:

  • Public and internal IP addresses
  • Usernames
  • Hostnames
  • VPN information
  • Error messages with technical details
  • Information about internal network structures

Transfer log archives only through secure channels and provide them only to people or organizations involved in the analysis. Before sending logs to an external partner, clarify internally whether this is allowed under your data protection and security policies.

Remove temporary archives

After the archive has been transferred successfully, remove it from the firewall to free disk space:

rm /var/Sophos-Firewall-Logs.tar.gz

If a separate IPsec archive was created, remove it too:

rm /var/Sophos-Firewall-IPsec-Connections.tar.gz

Before deleting, verify that the files arrived successfully on the target system.
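The steps above (space check, tar -C archive, size check, transfer, delete) can be wrapped so that the archive is verified before it is deleted. The script below is an added example and not part of the Avanet guide or of Sophos Firewall: archive_logs reproduces the guide's tar -C PARENT DIR call for any source directory (for example /log into /var, or /tmp/ipsec/connections into /var), checks free space first, confirms the archive is readable and writes a SHA-256 sidecar; verify_and_remove deletes the local copy only when the checksum reported back from the receiving server matches. The scp step stays as in the guide; sha256sum is assumed to be available on both ends.

```shell
#!/bin/sh
# Added example, not from the original guide. Paths are parameters so the
# functions can be run against a constructed directory; on the firewall use
# archive_logs /log /var Sophos-Firewall-Logs and
# archive_logs /tmp/ipsec/connections /var Sophos-Firewall-IPsec-Connections.
set -eu

# archive_logs SRC_DIR OUT_DIR NAME
# Creates OUT_DIR/NAME.tar.gz with the same layout as "tar -C / log":
# entries are stored as "DIR/..." relative to the parent of SRC_DIR.
archive_logs() {
    src="$1"; out="$2"; name="$3"
    archive="$out/$name.tar.gz"
    parent=$(dirname "$src"); base=$(basename "$src")

    # Refuse to run when the target filesystem has less free space than
    # the uncompressed source occupies (worst case for the archive size).
    need_kb=$(du -sk "$src" | awk '{print $1}')
    free_kb=$(df -Pk "$out" | awk 'NR==2 {print $4}')
    [ "$free_kb" -gt "$need_kb" ] || { echo "not enough space in $out" >&2; return 1; }

    tar -czf "$archive" -C "$parent" "$base"
    tar -tzf "$archive" > /dev/null          # fails on a truncated archive
    sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
    echo "$archive"
}

# verify_and_remove ARCHIVE REMOTE_SUM
# REMOTE_SUM is the SHA-256 computed on the receiving server after scp
# (sha256sum /root/NAME.tar.gz). The local copy is removed only on a match.
verify_and_remove() {
    archive="$1"; remote_sum="$2"
    local_sum=$(cat "$archive.sha256")
    if [ "$local_sum" = "$remote_sum" ]; then
        rm -f "$archive" "$archive.sha256"
        return 0
    fi
    echo "checksum mismatch, keeping $archive" >&2
    return 1
}
```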