How can I control the size of the SAV.txt log file?

  • Article ID: 56016
  • Updated: 09 Jan 2014

This article provides information on changing the default rotation behavior of the Sophos Anti-Virus on-access scanner log file SAV.txt.  If the log file size grows too large before rotation occurs you can use the information below to alter the default setting.

Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+

Where is the log file saved?

SAV.txt is located in the following folder:

  • Vista+ C:\ProgramData\Sophos\Sophos Anti-Virus\logs\
  • 2000/XP/2003 C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\

How can I configure the log file?

There is no configuration option for this setting from the Enterprise Console.  Therefore you must editing the 'Logging' section of the Endpoint application.

  1. Open the main application (i.e., right-click the Sophos shield in the system tray).
  2. From the drop down menu select: Configure | Anti-Virus | Logging.

How does the log options work?

The default logging endpoint logging settings are:

  • Log events to sav.txt for a period of 1 month.
  • After one month, sav.txt is compressed and timestamped in the same directory, and a new SAV.txt file is created.
  • By default, there is a backlog of 4 archived logs in the same directory, after which point the oldest archive gets overwritten.

Note: The rotation and archiving is a function of time rather than log file data size.  In the scenario where many errors are being logged in a short period of time, there is a possibility that the sav.txt file will grow to a large size and will not be rotated or archived until the month is up.

Where are the settings saved to?

The log rotation settings are saved in 'Machine.xml' which is located in the following folder:

  • Vista+ C:\ProgramData\Sophos\Sophos Anti-Virus\config\
  • 2000/XP/2003 C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\

By default there is no data specified. If you change the options from the UI a <rotation> tag appears:


The whole section of the log looks like this:

<item itemName="FileLog">
<filtering><item itemName="Virus">70</item><item itemName="Configuration">60</item><item itemName="Scanning">70</item><item itemName="Update">60</item><item itemName="OnAccess">70</item
<item itemName="Pua">70</item></filtering>

Is there anything else I need to know before editing the machine.xml?

There are a few other settings which are not displayed, and are defaults. One of them is the rotation interval, which by default is once a month.  Although there are no settings to specify how often a log is to be rotated, it can be done either in days, weeks or months.

The intervals are specified in decimal (but represent HEX values), and a number is added to them to specify how many of those intervals to do before a rotation.


  • days = 65536
  • weeks = 131072
  • months = 196608

So the default is every 1 month, which gives us: 1 + 196608 = 196609 (which is actually the default found in factory.xml)

If we wanted every week, or 7 days, we could do it 2 ways:

  • 7 + 65536 = 65543
  • 1 + 131072 = 131072

If we want every day: 1 + 65536 = 65537.

Now that we have our interval, we must insert it into our <rotation> tag.  In this case, we want daily rotation, with a 6 day archive:


Putting this all together what are the steps to change the log rotation of the SAV.txt log file?

  1. Open the Endpoint main application and change the logging defaults to get the <rotation> tag to appear with non-default options in machine.xml.
  2. Stop the Sophos Antivirus service through services manager (Start | Run | Type: services.msc | Press return).
  3. Go to the Config folder (see Where are the settings saved to? above) and make a backup copy of the machine.xml file (e.g., save a copy as 'machine.xml.orig').
  4. Using a text editor open machine.xml and find your corresponding rotation tag. (there will be multiple <rotation/> close tags, the first one should be the sav.txt on-access log).
    Note: Make sure that the settings in there match the settings you set in the UI, you dont want to be editing the wrong section.
  5. Insert your custom interval as specified above ie: <rotation><enabled>true</enabled><interval>65537</interval><oldlogs>6</oldlogs></rotation>
  6. Save your machine.xml
  7. Start the Sophos Anti-virus service.
    Note: If you have made an error in machine.xml formatting, the service will not start and throw a generic error.
  8. If you need to re-enable SAV quickly, restore the machine.xml.orig file.
  9. Make sure that your rotation interval works as desired.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent