System: xferlog - ProFTPD server logfile
The xferlog Format
The default format of the xferlog for ProFTPD contains the following information on each line:
- current-time
  - Sun December 22 02:59:44 2024
- transfer-time
  - whole seconds
- remote-host
- file-size
  - size of transferred file in bytes
- file-name
- transfer-type
  - a = ascii; b = binary
- special-action-flag
  - C = compressed; U = uncompressed; T = tar'ed; _ = no action was taken
- direction
  - o = outgoing; i = incoming; d = deleted
- access-mode
  - a = anonymous; r = real
- username
- service-name
  - usually ftp
- authentication-method
  - 0 = none; 1 = RFC931 Authentication
- authenticated-user-id
  - user id or '*'
- completion-status
  - c = complete; i = incomplete
Analysing the xferlog
When analysing the xferlog file, the first thing to look at is the completion-status, the last character in each row. This should always be c (complete); an i (incomplete) indicates a problem with the transfer. This command will return all incomplete transfers:
grep -E "i$" xferlog
Note: The xferlog file is normally located at /var/log/xferlog
Then look at the three characters following the file name. They represent the transfer-type (ascii or binary), any special actions (usually _ meaning none) and the direction (outgoing, incoming or deleted). Typical examples are:
- ascii format:
  - a _ i (uploaded)
  - a _ o (downloaded)
  - a _ d (deleted)
- binary format:
  - b _ i (uploaded)
  - b _ o (downloaded)
  - b _ d (deleted)
Now, to extract a list of all successfully uploaded files:
awk '($12 ~ /^i$/ && $NF ~ /^c$/){print $9}' xferlog
and uploads that were unsuccessful:
awk '($12 ~ /^i$/ && $NF ~ /^i$/){print $9}' xferlog
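The awk one-liners above address fields by position, so they only give correct answers on lines that have exactly the 18 whitespace-separated fields of the default format. The following is an added example, not part of the original page: it decodes direction, access-mode and completion-status into words, summarises transfers per user, and reports lines with an unexpected field count instead of mis-parsing them. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the default xferlog layout (not from a real server).
# The last line has a space in the file name, so it splits into 19 fields.
sample_xferlog() {
cat <<'EOF'
Sun Dec 22 02:59:44 2024 3 192.0.2.10 20480 /home/alice/report.pdf b _ i r alice ftp 0 * c
Sun Dec 22 03:01:12 2024 1 192.0.2.10 512 /home/alice/notes.txt a _ o r alice ftp 0 * c
Sun Dec 22 03:05:30 2024 9 198.51.100.7 1048576 /pub/incoming/tool.bin b _ i a guest@example.com ftp 0 * i
Sun Dec 22 03:06:02 2024 0 198.51.100.7 0 /pub/incoming/old.txt a _ d a guest@example.com ftp 0 * c
Sun Dec 22 03:07:45 2024 4 203.0.113.5 4096 /home/bob/data.csv a _ i r bob ftp 0 * i
Sun Dec 22 03:09:00 2024 2 203.0.113.5 100 /home/bob/my file.txt a _ i r bob ftp 0 * c
EOF
}

# Read xferlog lines on stdin and print, per transfer:
#   status direction access-mode username remote-host file-name
# Lines without exactly 18 fields are reported as MALFORMED.
xferlog_decode() {
  awk '
    NF != 18 { printf "MALFORMED line %d (%d fields)\n", NR, NF; next }
    {
      dir  = ($12 == "i") ? "upload" : ($12 == "o") ? "download" : ($12 == "d") ? "delete" : "unknown"
      mode = ($13 == "a") ? "anonymous" : ($13 == "r") ? "real" : "unknown"
      st   = ($18 == "c") ? "complete" : ($18 == "i") ? "incomplete" : "unknown"
      print st, dir, mode, $14, $7, $9
    }'
}

# Count transfers per username / direction / status, sorted by username.
xferlog_summary() {
  xferlog_decode |
    awk '$1 != "MALFORMED" { n[$4 " " $2 " " $1]++ }
         END { for (k in n) print n[k], k }' |
    sort -k2
}

# Stand-alone run on the constructed sample; use "xferlog_summary < xferlog" on a real file.
sample_xferlog | xferlog_summary
```
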