proftp log XFERLOG 格式與分析

星期四, 18th 六月 2009

當要查閱proftp的log時必看 

The xferlog file contains logging information from the FTP server daemon, proftpd(8).

This file usually is found in /var/log, but can be located anywhere by using a proftpd(8) configuration directive. Each server entry is composed of a single line of the following form, with all fields being separated by spaces.

current-time   transfer-time   remote-host   file-size   filename   transfer-type   special-action-flag   direction   access-mode   username   service-name   authentication-method   authenticated-user-id  completion-status
current-time
is the current local time in the form "DDD MMM dd hh:mm:ss YYYY". Where DDD is the day of the week, MMM is the month, dd is the day of the month, hh is the hour, mm is the minutes, ss is the seconds, and YYYY is the year.
transfer-time
is the total time in seconds for the transfer.
remote-host
is the remote host name.
file-size
is the size of the transferred file in bytes.
filename
is the name of the transferred file.
transfer-type
is a single character indicating the type of transfer. Can be one of:
a
for an ascii transfer
b
for a binary transfer
special-action-flag
is one or more single character flags indicating any special action taken. Can be one or more of:
C
file was compressed
U
file was uncompressed
T
file was tar'ed
_
no action was taken
direction
is the direction of the transfer. Can be one of:
o
outgoing
i
incoming
d
deleted
access-mode
is the method by which the user is logged in. Can be one of:
a
(anonymous) is for an anonymous guest user.
g
(guest) is for an passworded guest user (see the guestgroup command in ftpaccess(5)).
r
(real) is for a local authenticated user.
username
is the local username, or if guest, the ID string given.
service-name
is the name of the service being invoked, usually FTP.
authentication-method
is the method of authentication used. Can be one of:
0
none
1
RFC931 Authentication
authenticated-user-id
is the user id returned by the authentication method. A * is used if an authenticated user id is not available.
completion-status
is a single character indicating the status of the transfer. Can be one of:
c
complete transfer
i
incomplete transfer