HPE Community
Operating System - OpenVMS
1823082 Members
3443 Online
109646 Solutions
New Discussion юеВ

Re: FTP Audit Trail

 
Jack Trachtman
Super Advisor

тАО01-11-2008 11:43 AM

тАО01-11-2008 11:43 AM

FTP Audit Trail

Is there a way to get FTP to log the filename being transferred? I've looked through the manual and these forums & see where session summary activity is logged but not the actual files moved.

For security reasons, I'd like to be able to create a report containing:

username
date/time
filename
get or put

TIA
0 Kudos
Reply
4 REPLIES 4
Bill Hall
Honored Contributor

тАО01-11-2008 12:11 PM

тАО01-11-2008 12:11 PM

Re: FTP Audit Trail

Jack,

The logical TCPIP$FTPD_LOG_CLIENT_ACTIVITY activates logging of session-specific information, requests, and responses. The log file created is SYS$LOGIN:TCPIP$FTP_
SERVER.LOG. I don't remember exactly when it was introduced, post UCX->TCPIP Services name change I think.

Bill
Bill Hall
0 Kudos
Reply
Hoff
Honored Contributor

тАО01-11-2008 12:28 PM

тАО01-11-2008 12:28 PM

Re: FTP Audit Trail

Here is an earlier and similar discussion:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1153242

You can also conceivably enable security auditing using ACLs specifically for network activity. Try tossing a security ACL at the volume level, triggering an audit for any network activity, and toss an ACL onto the ftp client image to capture outbound activity. (There may well be a way to capture out-bound ftp, but IIRC you can pretty much run your own ftp client locally if you have netmbx.)

Various folks looking to track this sort of activity can tend to choose to enable auditing at a network perimeter, such as at a firewall.

And if you're interested in security, why are you using ftp and not sftp? (This asked not to be flippant, either.) ftp has more than its share of problems, and performance limits. The ftp protocol can inherently cause issues with firewall security, too.

Stephen Hoffman
HoffmanLabs LLC
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

тАО01-14-2008 01:07 AM

тАО01-14-2008 01:07 AM

Re: FTP Audit Trail

The logical was introduced in V5.1-15D of TCPIP$FTP_CHILD.EXE.

Wim

Wim
0 Kudos
Reply
Richard W Hunt
Valued Contributor

тАО01-25-2008 10:14 AM

тАО01-25-2008 10:14 AM

Re: FTP Audit Trail

On our system, we have TCPIP services v 5.4 ECO 7. We set this logical name system-wide

TCPIP$FTP_EXTLOG "1"

The people who log in via external FTP activate FTP server task, which builds its own log files in the user directory. With that flag set to 1, you get extended logging of messages to include GET or PUT and the name supplied with the command. (Get is shown as RETR, you need to look at the RFC for FTP in order to see all the commands listed.)

Once per day I run a job that looks for all such log files (TCPIP$FTP_SERVER.LOG) with a creation date older than "0600 this morning." I copy those files to a working area tagged by the name of the user directory from which each came. Then I have a little script to parse out the stuff I wanted to see, which resembles what you wanted, plus whether it worked or not. It is not that difficult because first I don't care about all of the possible commands that are exchanged and second, there aren't that many to look for anyway.

Please note that if your users ran FTP interactively from their OpenVMS session (in other words, VMS was the CLIENT, not the server), you cannot capture that information easily or perhaps you cannot see it at all. But for FTP_SERVER, there is at least a chance.
Sr. Systems Janitor
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.