topic Re: interpreting vsftpd logs in Operating System - Linux

interpreting vsftpd logs

nanoux — Wed, 12 Nov 2008 07:08:07 GMT

Hi , I would like to understand how to interpret the vsftpd logs (red hat)-->

a _ i r ftp 0 * c

b _ o r ftp 0 * c

Re: interpreting vsftpd logs

Ivan Krastev — Wed, 12 Nov 2008 07:24:49 GMT

See the answers here - http://www.experts-exchange.com/OS/Linux/Q_23054941.html

regards,
ivan

Re: interpreting vsftpd logs

nanoux — Wed, 12 Nov 2008 08:01:48 GMT

thanks. will try the link though its having membership .

Re: interpreting vsftpd logs

Ivan Krastev — Wed, 12 Nov 2008 08:12:04 GMT

Scroll down and you will the answers without membership.

regards,
ivan

Re: interpreting vsftpd logs

Matti_Kurkela — Wed, 12 Nov 2008 11:12:45 GMT

Maybe it's browser-dependent or whatever, but I cannot see the solution on experts-exchange either.

Anyway:

According to vsftpd source code, the vsftpd can use the same log format as wuftpd... and the posted example looks like it.

(If vsftpd is configured to use its own log format, the log will be much clearer, but more voluminous, which may be a problem in a high-traffic FTP server. Also, you may prefer wuftpd log format if you already have tools designed to process that format.)

First letter: transfer mode
a = ascii
b = binary

Underscore:
A letter in this position would indicate any special operations, like gzipping or tarring the data on-the-fly. vsftpd never does that, so this is always "_", meaning "no special operation".

Second letter: transfer direction
i = input (= upload = FTP PUT)
o = output (FTP GET)

Third letter: access mode
a = anonymous
g = guest user
r = regular user

After this letter, there should be the username (or if the connection is anonymous, whatever the user specified to the password prompt). I assume that nanoux has already identified this part and omitted it from his example.

"ftp 0 *": service name, authentication method and authentication user id (if applicable). These are not configurable in vsftpd, so this is a constant string that carries no useful information. It is there only to match wuftpd log format.

The last letter: completion status
c = completed
i = interrupted (transfer failed)

Source of this information:
ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.7/logging.c

The relevant function vsf_log_do_log_wuftpd_format() begins on line 174.

MK

Re: interpreting vsftpd logs

nanoux — Thu, 25 Dec 2008 07:47:15 GMT

Thanks for all the replies.

Now this is what I was looking for Matti ,such a vivid explanation.I have assigned points.

Just one minor clarification on the second letter:transfer direction

Are the i & O DIRECTIONS from my server to the target server?
i = input (= upload = FTP PUT)
o = output (FTP GET)

meaning i= uploading to the target server.
and o= getting from the target server

pls clarify

Re: interpreting vsftpd logs

Matti_Kurkela — Thu, 25 Dec 2008 11:39:47 GMT

The log is written from the viewpoint of your FTP server. Usually, the other endpoint is a client. The use of FXP (= using two parallel FTP command connections to make two servers transfer files directly between each other, without going through the client) is rather rare.

So "i" means the client is running a FTP PUT command to send data to you, and your server is receiving the data (=input). The data might be coming from the client or from another FTP server (if FXP is enabled and used); the log just documents the fact that data is coming _in_.

Correspondingly, "o" is output: this server is sending data _out_ to the other endpoint, to fulfill the client's FTP GET command.

MK

Re: interpreting vsftpd logs

nanoux — Thu, 25 Dec 2008 12:11:22 GMT

Thanks again for the clarifications.