xferlog - the format used to log information about file transfers
The ftpd(8) utility can log information about file transfers to a file or to
syslog using the LOG_FTP facility. The file transfer information may be logged
in several formats.
The default name of the file to which all file transfers are
logged is /var/log/ftpd. The name and the location
of this file may be changed by the virtual hosting configuration in the
/etc/ftphosts file. For the wu-ftpd style logging format, the most common
alternative file name is /var/log/xferlog.
The ftpd(8) utility supports the following logging formats:
- wu-orig
- The original ‘xferlog’ format of the wu-ftpd server.
- wu-ext
- The extended wu-ftpd style ‘xferlog’ format.
- anon
- The format for logging anonymous file downloads.
Each file transfer is represented by a single line. In the
“wu-orig” and “wu-ext” formats, each line
contains a number of fields separated by whitespace. The
“wu-orig” format uses the following set of fields:
current-time transfer-time remote-host byte-count
filename transfer-type special-action-flag direction access-mode username
service-name authentication-method authenticated-user-id
completion-status
The “wu-ext” format extends that set with additional fields:
current-time transfer-time remote-host byte-count
filename transfer-type special-action-flag direction access-mode username
service-name authentication-method authenticated-user-id completion-status
restart-point file-size cwd filename-arg protection-level
When logging to syslog, the ‘current-time’ field
is replaced by the following structure:
SYSLOG-PREFIX xferlog (CMDTYPE):
The variable fields of this structure are:
- SYSLOG-PREFIX
- A string that is prepended to every syslog message and contains the current
time, the local host name, the ident (the “ftpd” keyword for
the ftpd(8) utility) and the process id. See also syslogd(8) and
syslog.conf(5).
- CMDTYPE
- The keyword that describes the type of FTP command, depending on the
direction of the transfer. In the “wu-orig” format
it is either “send” or “recv”, for the outgoing or
incoming direction of the transfer, respectively. In the
“wu-ext” format it is one of the “get”,
“put” or “append” keywords, which correspond
to the retrieve, store and append operations, respectively.
This is a description of all fields of both wu-ftpd style
formats:
- current-time
- The current local time in the form "DDD MMM dd hh:mm:ss YYYY",
where DDD is the day of the week, MMM is the month, dd is the day of the
month, hh is the hour, mm is the minutes, ss is the seconds, and YYYY is
the year.
- transfer-time
- The total time of the transfer in seconds.
- remote-host
- The remote host name.
- byte-count
- The amount of transferred bytes.
- filename
- The canonicalized (all symbolic links are resolved) absolute pathname of
the transferred file.
In a chrooted FTP session this field can be
interpreted as the pathname in the chrooted environment (the default
interpretation) or as the one in the real file system. The second
interpretation can be enabled by the command-line options of
ftpd(8).
- transfer-type
- The single character that indicates the type of the transfer. The set of
possible values is:
- a
- An ascii transfer.
- b
- A binary transfer.
- special-action-flag
- One or more single character flags indicating any special action taken.
The set of possible values is:
- _
- No action was taken.
- C
- The file was compressed (not in use).
- U
- The file was uncompressed (not in use).
- T
- The file was tar'ed (not in use).
- direction
- The direction of the transfer. The set of possible values is:
- o
- The outgoing transfer.
- i
- The incoming transfer.
- access-mode
- The method by which the user is logged in. The set of possible values is:
- a (anonymous)
- The anonymous guest user.
- g (guest)
- The real but chrooted user (this capability is governed by the
ftpchroot(5) file).
- r (real)
- The real user.
- username
- The user's login name in case of the real user, or the user's
identification string in case of the anonymous user (by convention it is
an email address of the user).
- service-name
- The name of the service being invoked. The ftpd(8) utility uses the
“ftp” keyword.
- authentication-method
- The authentication method used. The set of possible values is:
- 0
- None.
- 1
- RFC931 Authentication (not in use).
- authenticated-user-id
- The user id returned by the authentication method. The ‘*’
symbol is used if an authenticated user id is not available.
- completion-status
- The single character that indicates the status of the transfer. The set of
possible values is:
- c
- A complete transfer.
- i
- An incomplete transfer.
- restart-point
- The restart point of the transfer in bytes.
- file-size
- In case of the outgoing transfer it is the original size of the file in
bytes. In case of the incoming transfer it is the size in bytes of the
file after the completion of the transfer.
- cwd
- The pathname of the current working directory. In case of the chrooted FTP
session this field is the pathname in the chrooted environment.
- filename-arg
- The filename argument of the FTP command issued by the client.
- protection-level
- The type of protection applied to the data connection. The following
codes are assigned according to RFC2228:
- C (Clear)
- No protection was applied.
- S (Safe)
- An integrity protection was applied (not in use).
- E (Confidential)
- A confidentiality protection was applied (not in use).
- P (Private)
- Both the integrity and confidentiality protections were provided by
TLS/SSL.
The “restart-point” and “file-size” fields make it possible to identify
restarted transfers in both directions (the “restart-point” field contains
a non-zero value) and appends in case of incoming transfers (the
“byte-count” field contains a value that is less than that of
the “file-size” field).
The FTP-TLS security extension uses the Clear (without TLS/SSL) and
Private (with TLS/SSL) protection levels; in FTP-SSL compatibility mode only
the Private level (with TLS/SSL) is supported.
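The following parser for file-logged “wu-ext” lines applies the restart, append and protection-level rules described above to flag transfers worth reviewing. It is an added example, not code from ftpd(8) or BSDftpd-ssl; the function names, the flag labels and the sample lines are constructed, and it assumes that no field contains embedded whitespace.

```python
from datetime import datetime

# Field order of the "wu-ext" format after the five tokens of current-time.
FIELDS = ("transfer_time remote_host byte_count filename transfer_type "
          "special_action_flag direction access_mode username service_name "
          "authentication_method authenticated_user_id completion_status "
          "restart_point file_size cwd filename_arg protection_level").split()


def parse_wu_ext(line):
    """Parse one file-logged wu-ext line; raise ValueError if malformed."""
    tok = line.split()
    # Assumption: no field contains whitespace, so 5 time tokens + 18 fields.
    if len(tok) != 5 + len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(tok))
    rec = dict(zip(FIELDS, tok[5:]))
    rec["current_time"] = datetime.strptime(" ".join(tok[:5]),
                                            "%a %b %d %H:%M:%S %Y")
    for name in ("byte_count", "restart_point", "file_size"):
        rec[name] = int(rec[name])
    return rec


def classify(rec):
    """Return review flags (labels are illustrative) for one parsed record."""
    flags = []
    if rec["restart_point"] != 0:
        # Checked first: a restarted upload also has byte_count < file_size.
        flags.append("restarted")
    elif rec["direction"] == "i" and rec["byte_count"] < rec["file_size"]:
        flags.append("append")
    if rec["completion_status"] == "i":
        flags.append("incomplete")
    if rec["protection_level"] == "C":
        flags.append("cleartext-data")
    if rec["access_mode"] == "a" and rec["direction"] == "i":
        flags.append("anonymous-upload")
    return flags


# Constructed sample lines (not taken from a real log).
SAMPLE = [
    "Mon Mar 03 10:15:02 2025 4 client1.example.org 2048 /pub/tool.tgz b _ o a guest@example.org ftp 0 * c 0 2048 /pub tool.tgz C",
    "Mon Mar 03 10:20:41 2025 9 client2.example.org 500 /home/alice/app.log a _ i r alice ftp 0 * c 0 4500 /home/alice app.log P",
    "Mon Mar 03 10:31:07 2025 30 client3.example.org 7000 /incoming/big.iso b _ i a anon@example.org ftp 0 * i 3000 10000 /incoming big.iso C",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_wu_ext(line)
        print(rec["current_time"].isoformat(), rec["filename"], classify(rec))
```

Lines logged through syslog carry the SYSLOG-PREFIX structure instead of ‘current-time’ and are rejected by the field-count check.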
The “anon” format is used only for logging to a
file and is supported for backward compatibility with old versions of
ftpd(8). In this format each line contains a number of fields separated by
the ‘!’ symbol:
- current-time
- The current local time in the form "MMM dd hh:mm:ss YYYY", where
MMM is the month, dd is the day of the month, hh is the hour, mm is the
minutes, ss is the seconds, and YYYY is the year.
- ident
- The user's identification string; by convention it is an email address of
the user.
- remote-host
- The remote host name.
- filename
- The canonicalized (all symbolic links are resolved) absolute pathname of
the transferred file.
This field can be interpreted as the pathname in the anonymous
ftp area (the default interpretation) or as the one in the real file
system. The second interpretation can be enabled by the
command-line options of ftpd(8).
- byte-count
- The amount of transferred bytes.
- transfer-time
- The total time of the transfer, in seconds.
- /var/log/ftpd
- Log file for all file transfers.
- /var/log/xferlog
- The alternative name of the log file for file transfers. It is commonly
used in case of the wu-ftpd style format of logging.
- /etc/ftpchroot
- List of normal users who should be chroot'd.
- /etc/ftphosts
- Virtual hosting configuration file.
The “wu-orig” format appeared in the wu-ftpd server. The names of
the fields in the wu-ftpd style formats described in this document are mainly
based on ones from the wu-ftpd documentation. The names "wuftpd" and
"wu-ftpd" are trademarks of the WU-FTPD Development Group and the
Washington University at Saint Louis.
The “anon” format appeared in FreeBSD 2.0.5.
The “wu-ext” format appeared in BSDftpd-ssl 1.0.1;
it has been modified in BSDftpd-ssl 1.1.0.