HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

FTP Audit Trail

 
Jack Trachtman
Super Advisor

FTP Audit Trail

Is there a way to get FTP to log the filename being transferred? I've looked through the manual and these forums & see where session summary activity is logged but not the actual files moved.

For security reasons, I'd like to be able to create a report containing:

username
date/time
filename
get or put

TIA
4 REPLIES
Bill Hall
Honored Contributor

Re: FTP Audit Trail

Jack,

The logical TCPIP$FTPD_LOG_CLIENT_ACTIVITY activates logging of session-specific information, requests, and responses. The log file created is SYS$LOGIN:TCPIP$FTP_
SERVER.LOG. I don't remember exactly when it was introduced, post UCX->TCPIP Services name change I think.

Bill
Bill Hall
Hoff
Honored Contributor

Re: FTP Audit Trail

Here is an earlier and similar discussion:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1153242

You can also conceivably enable security auditing using ACLs specifically for network activity. Try tossing a security ACL at the volume level, triggering an audit for any network activity, and toss an ACL onto the ftp client image to capture outbound activity. (There may well be a way to capture out-bound ftp, but IIRC you can pretty much run your own ftp client locally if you have netmbx.)

Various folks looking to track this sort of activity can tend to choose to enable auditing at a network perimeter, such as at a firewall.

And if you're interested in security, why are you using ftp and not sftp? (This asked not to be flippant, either.) ftp has more than its share of problems, and performance limits. The ftp protocol can inherently cause issues with firewall security, too.

Stephen Hoffman
HoffmanLabs LLC
Wim Van den Wyngaert
Honored Contributor

Re: FTP Audit Trail

The logical was introduced in V5.1-15D of TCPIP$FTP_CHILD.EXE.

Wim

Wim
Richard W Hunt
Valued Contributor

Re: FTP Audit Trail

On our system, we have TCPIP services v 5.4 ECO 7. We set this logical name system-wide

TCPIP$FTP_EXTLOG "1"

The people who log in via external FTP activate FTP server task, which builds its own log files in the user directory. With that flag set to 1, you get extended logging of messages to include GET or PUT and the name supplied with the command. (Get is shown as RETR, you need to look at the RFC for FTP in order to see all the commands listed.)

Once per day I run a job that looks for all such log files (TCPIP$FTP_SERVER.LOG) with a creation date older than "0600 this morning." I copy those files to a working area tagged by the name of the user directory from which each came. Then I have a little script to parse out the stuff I wanted to see, which resembles what you wanted, plus whether it worked or not. It is not that difficult because first I don't care about all of the possible commands that are exchanged and second, there aren't that many to look for anyway.

Please note that if your users ran FTP interactively from their OpenVMS session (in other words, VMS was the CLIENT, not the server), you cannot capture that information easily or perhaps you cannot see it at all. But for FTP_SERVER, there is at least a chance.
Sr. Systems Janitor