Logging


Logging
Logging the activity of the server is an integral part of effective server administration. ProFTPD provides several different and flexing logging mechanisms. When examining the different logging mechanisms, have in mind the intended use of the logged data, the volume, any post-processing that may need to be done, etc. Log files are more useful when they contain a complete record of server activity. It is often easier to simply post-process the log files to remove requests that you do not want to consider.

Security Warning
Anyone who can write to the directory where ProFTPD is writing a log file can almost certainly gain access to the UID that the server is started under, which is normally root. Do not give people write access to the directory where the logs are stored without being aware of the consequences: if the logs directory is writable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. If the log files themselves are writable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.

When opening log files, proftpd will by default log a warning if the file being opened for logging is in a directory that does not exist, or is world-writable. The log file will not be written in world-writable directories; there are no exceptions. (If you have configured log files in your proftpd.conf that are not appearing, check for the warnings about world-writable directories.) The proftpd process will also, by default, log a warning if the file given is a symlink; this symlink check can be configured via the AllowLogSymlinks directive.

In addition, log files may contain information supplied directly by the client, without escaping. Therefore, it is possible for malicious clients to insert control-characters in the log files, so care must be taken in dealing with raw logs.

syslog
By default, proftpd will log via syslog(3), using the daemon facility (auth for some logging), at various levels: err, notice, warn, info, and debug (debugging is done at this syslog level). The location of the server's log files in this case is determined by your /etc/syslog.conf configuration.

Log Files
There are three main types of logs that a proftpd daemon can generate: TransferLogs, a SystemLog, and ExtendedLogs.

A TransferLog is the most common log kept, recording file transfers. Its format is described in the xferlog(5) man page, also available here

If the site administrator wants to have proftpd log its messages to a file rather than going through syslogd, the SystemLog configuration directive is the one to use. There is only one such file kept for the entire daemon. See the ServerLog directive for keeping a similar log on a per-vhost basis.

The ExtendedLog directive is used to create log files of a very flexible and configurable format, and to have granular control over what is logged, and when. The format of an ExtendedLog is described using the LogFormat directive. Multiple ExtendedLogs can be configured, each with a different format.

Log Analysis
There are a variety of log analyzers available; these are just a few:

Log Rotation
On even a moderately busy server, the quantity of information stored in the log files is very large. It will consequently be necessary to periodically rotate the log files by moving or deleting the existing logs. This cannot be done while the server is running, because the daemon will continue writing to the old log file as long as it holds the file open. Instead, the server must be restarted after the log files are moved or deleted so that it will open new log files.

Another way to perform log rotation is using FIFOs as discussed in the next section.

FIFOs (a.k.a. named pipes)
ProFTPD is capable of writing log files to FIFOs, from which another process can read. Use of this capability dramatically increases the flexibility of logging, without adding code to the main server. In order to write logs to a pipe, simply create the FIFO at the desired path (man mkfifo(1)), and use that path in the logging configuration directive.

One important use of piped logs is to allow log rotation without having to restart the server. One such popular flexible log rotation program is cronolog; however, at present cronolog requires a small patch to enable it to read from a FIFO (by default, cronolog reads data from stdin). Please contact the author of this article for details concerning the patch.

Here's an example of FIFO-based logging script, based on one posted by Michael Renner:

  #!/usr/bin/perl

  use strict;

  use File::Basename qw(basename);
  use Sys::Syslog qw(:DEFAULT setlogsock);

  my $program = basename($0);

  my $fifo = '/var/log/proftpd-log.fifo';
  my $syslog_facility = 'daemon';
  my $syslog_level = 'info';

  open(FIFO, "< $fifo") or die "$program: unable to open $fifo: $!\n";

  setlogsock 'unix';

  openlog($program, 'pid', $syslog_facility);
  syslog($syslog_level, $_) while ();
  closelog();

  close(FIFO);
  exit 0;
More complex filtering can be added to such scripts.

If using FIFOs, there are some caveats to keep in mind. If you use in init.d script to start standalone daemons, you can add commands to start the FIFO logging programs first, before the daemon. For inetd-run servers, consider wrapping up the necessary commands for starting a FIFO reader and the server into a simple shell script, or simply run the FIFO-reading program from an init.d script, and save the overhead of starting that process, in addition to the proftpd process, for each FTP session.

FIFO-based log readers are a very powerful tool, but they should not be used where a simpler solution like off-line post-processing is available.

SQL Logging
The mod_sql module also enables some powerful and complex logging capabilities...

Pid File
On startup, proftpd saves the process ID of the parent daemon process to the file var/proftpd/proftpd.pid. This filename can be changed with the PidFile directive. The process ID (aka PID) is for use by the administrator in restarting and terminating the daemon by sending signals to the parent process. For more information see the stopping and starting page.

Scoreboard File
The last type of "logging" is done via the scoreboard file. The scoreboard is binary-formatted file the server uses to store information about each session; it is this file that is read by ftptop, ftpwho and ftpcount. The location for the scoreboard file is determined by the ScoreboardFile directive.


Last Updated: $Date: 2008/01/15 18:27:41 $