Analyzing proftpd xferlog file

Recently I've had to research on some missing files of a website.

When looking through the proftpd xferlog files, it was clear that the files were deleted by a user having ftp access.

The xferlog file is usually located at "/var/log/xferlog". However, since this was a plesk server, it was located at:
"/var/www/vhosts/{DOMAIN}/statistics/logs/xferlog_regular*"

A quick grep produced the files that were deleted out and could easily be recovered from a previous backup. Also, discovered the time and offending IP address of the person that did the deletes.

Full listing:

$ grep "_ d" /path/to/xferlog

Listing of just the deleted files:

$ awk '/_ d/ {print $9}' /path/to/xferlog

Below are some additional notes on xferlog anlysis:

The last character in each row shows the completion status of the transfer. This should be "c" for complete and "i" for incomplete transfer.

Return all incomplete transfers:

$ egrep "i$" /path/to/xferlog

The three characters following the file name represent the transfer-type (ascii or binary), any special actions (usually _ meaning none) and the direction (outgoing, incoming or deleted).

  1. ascii format:
    • a _ i (uploaded)
    • a _ o (downloaded)
    • a _ d (deleted)
  2. binary format:
    • b _ i (uploaded)
    • b _ o (downloaded)
    • b _ d (deleted)

Examples:

  1. To extract a list of all successfully uploaded files:
    $ awk '($12 ~ /^i$/ && $NF ~ /^c$/){print $9}' /path/to/xferlog
  2. Extract list of uploads that were unsuccessful:
    awk '($12 ~ /^i$/ && $NF ~ /^i$/){print $9}' /path/to/xferlog

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
On point

Wizap, this URL (http://www.linuxweblog.com/blogs/wizap/20080129/analyzing-proftpd-xferlog-file) should at the top of Google's results when one searches for ProFTPd log file format.

Saved my Monday morning.

Thanks a lot.

You saved my ass..

Thanks a million man

Comment