ftp logging

[Jay Culley]

Is there a log file that shows ftp logins, activity?

Thanks

 

[ColinTaylor]

I don't think it does by default. But you can enable it by creating a /jffs/scripts/vsftpd.postconf file

#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "xferlog_enable=NO" "xferlog_enable=YES" $CONFIG
pc_replace "syslog_enable=NO" "syslog_enable=YES"  $CONFIG

 

[Jay Culley]

I don't think it does by default. But you can enable it by creating a /jffs/scripts/vsftpd.postconf file

#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "xferlog_enable=NO" "xferlog_enable=YES" $CONFIG
pc_replace "syslog_enable=NO" "syslog_enable=YES"  $CONFIG

Thank you! I started reading on vsftpd and a page on Merlin's custom config files and I just made a vsftpd.conf file in /jffs/configs with all of options in the regular conf file in etc and added

xferlog_enable=YES
log_ftp_protocol=YES
xferlog_file=/jffs/vsftpd.log
syslog_enable=NO

And it did not work. I will try your script now, thanks.

 

[thelonelycoder]

Thank you! I started reading on vsftpd and a page on Merlin's custom config files and I just made a vsftpd.conf file in /jffs/configs with all of options in the regular conf file in etc and added

xferlog_enable=YES
log_ftp_protocol=YES
xferlog_file=/jffs/vsftpd.log
syslog_enable=NO

And it did not work. I will try your script now, thanks.

Note that with /jffs/configs/vsftpd.conf your replace the file /etc/vsftpd.conf
Only do this if you really know what you do!
@ColinTaylor's suggestion is the correct way to do it, it replaces or appends entries in /etc/vsftpd.conf

 

[Jay Culley]

Thanks Coder and Colin. I got it working, but will need to change it back to the script. I copied all of the original vsftpd.conf file over to /jffs/configs/vsftpd.conf I did not add the ".add" extension so i am replacing the entire file. I agree, the script Colin provided is the way to go, but here is what I added to the original file

#Enable Logging
xferlog_enable=YES
#Capture all FTP requests and responses
log_ftp_protocol=YES
#Specify stand alone log file instead of the system log. This failed in Merlin for some unknown reason
syslog_enable=NO
xferlog_file=/jffs/vsftpd.log

This creates a lot of entries in syslog.log so i was thinking about specifying
xferlog_file=/tmp/mnt/ExtHDD/logs/
That is the 1GB attached USB drive where I specified the location of the Traffic History and IPTraffic data files. One thing that worries me about doing that, what kind of damage will it cause if this drive is unmounted during router operations?

Another unexpected behavior that resulted with the addition of these directives is that the directive ftpd_banner stopped working. I replaced "Asus RT-AC5300" with "Jays" so the line now reads:

ftpd_banner=Welcome to Jays FTP Service

I used Filezilla and "Welcome to the Asus RT-AC5300 FTP Service used to show in green right before the directory listing. Strange but not a deal breaker.

 

[ColinTaylor]

This creates a lot of entries in syslog.log so i was thinking about specifying
xferlog_file=/tmp/mnt/ExtHDD/logs/
That is the 1GB attached USB drive where I specified the location of the Traffic History and IPTraffic data files. One thing that worries me about doing that, what kind of damage will it cause if this drive is unmounted during router operations?

I do something similar and store the ftp logs on the USB drive. Regarding "damage", I'm not sure I follow what you're getting at. If you un-mount the USB drive from the web interface it will try to shut down the USB-based services cleanly before un-mounting, just like any OS.

 

[thelonelycoder]

As noted, replacing the file is not recommended, but It's your call.

As for the log, worst case is if the device is not ready when vsftp starts.
It will likely not try again to log to the log location even if it becomes available later.
You'll have to test that by plugging in your device after reboot is done.

 

[Jay Culley]

I do something similar and store the ftp logs on the USB drive. Regarding "damage", I'm not sure I follow what you're getting at. If you un-mount the USB drive from the web interface it will try to shut down the USB-based services cleanly before un-mounting, just like any OS.

I didn't really mean damage, poor performance, service not running were my main concerns. Thanks!

 

[Aquillyne]

I created the `vsftpd.postconf` file as you suggested @ColinTaylor

However, after reboot and connecting to FTP, I don't see anything in the system log.

• Am I looking in the right place?
• How could I set it to log FTP access somewhere else?

Thanks

 

[ColinTaylor]

Look in /etc/vsftpd.conf and verify that your changes have been applied. If it looks OK then please post the contents of that file as the format may have changed over the years.

 

[Aquillyne]

Thanks. I had put the file in /config by accident not /scripts. Having fixed this, I can see in /etc/ that the file has been correctly updated. (And just to be clear, the lines previously were exactly the same but "=NO").

However, again, after connecting and disconnecting to my FTP, I do not see anything in particular that relates to this in the System Log – am I looking in the right place?

 

[Aquillyne]

I further updated the postconf file, and have confirmed that it successfully adds, these lines:

xferlog_enable=YES
syslog_enable=YES
log_ftp_protocol=YES
xferlog_file=/mnt/............/vsftpd.log

However I don't see any logs related to FTP access in either System Log or at the path "....." (blanked out).

What am I doing wrong?

Thanks for any help you can give.

 

[ColinTaylor]

You should be seeing the messages in the syslog.

EDIT: Maybe you need to change the "Syslog log level" (Administration - System). Mine is set to "Info".

Can you post the complete unedited contents of /etc/vsftpd.conf

 

[Aquillyne]

Hi @ColinTaylor. It's now half-working! I can see a "failed access" log entry if I attempt to log in to FTP with wrong password. However there is no entry for actual logins or activity.

Here is the whole of vsftpd.conf:

anonymous_enable=NO
nopriv_user=root
write_enable=YES
local_enable=YES
chroot_local_user=YES
local_umask=000
dirmessage_enable=NO
xferlog_enable=YES
syslog_enable=YES
log_ftp_protocol=YES
xferlog_file=/mnt/Seagate_Backup_Plus_Drive/vsftpd.log
connect_from_port_20=YES
use_localtime=YES
listen=YES
pasv_enable=YES
pasv_min_port=57530
pasv_max_port=57560
tcp_wrappers=NO
max_clients=3
ftp_username=anonymous
ftpd_banner=Welcome to ASUS RT-AX56U FTP service.
ssl_enable=YES
rsa_cert_file=/etc/cert.pem
rsa_private_key_file=/etc/key.pem

The log entry for incorrect atempts appears in the syslog. No other log file is created at /mnt/Seagate_Backup_Plus_Drive/vsftpd.log

Thanks

 

[ColinTaylor]

Strange that you only get some of the information in the log. I've just tried your configuration file on my router and it works fine with all the information appearing in the syslog.

How about trying this instead. Create a /jffs/scripts/vsftpd.postconf script exactly as follows:

#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh

# Normal vsftpd logs
pc_replace "xferlog_enable=NO" "xferlog_enable=YES" $CONFIG
pc_append  "vsftpd_log_file=/mnt/Seagate_Backup_Plus_Drive/vsftpd.log" $CONFIG
pc_append  "log_ftp_protocol=YES" $CONFIG

# wu logs
pc_append  "dual_log_enable=YES" $CONFIG
pc_append  "xferlog_file=/mnt/Seagate_Backup_Plus_Drive/xfer.log" $CONFIG

Then restart it and test again.

service restart_ftpd

You should now get two different types of log file and nothing in the syslog.

 

[ColinTaylor]

@Aquillyne Can you report back on whether this worked or not?

 

[tombono]

I'll refresh the topic a bit.

I did everything as described and unfortunately it does not work for me.

I have ASUS RT-AC86U with firmware 386.5_alpha2

Here is the original vsftpd.conf file from /etc/

anonymous_enable=NO
nopriv_user=root
write_enable=YES
local_enable=YES
chroot_local_user=YES
local_umask=000
dirmessage_enable=NO
xferlog_enable=NO
syslog_enable=NO
connect_from_port_20=YES
use_localtime=YES
listen=YES
pasv_enable=YES
pasv_min_port=57530
pasv_max_port=57560
tcp_wrappers=NO
max_clients=5
ftp_username=anonymous
ftpd_banner=Welcome to ASUS RT-AC86U FTP service.
ssl_enable=NO
listen_port=874

listen_port=874 is add by /jffs/configs/vsftpd.conf.add


First I created a /jffs/scripts/vsftpd.postconf script exactly as follows:

#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh

# Normal vsftpd logs
pc_replace "xferlog_enable=NO" "xferlog_enable=YES" $CONFIG
pc_append "vsftpd_log_file=/mnt/USB/vsftpd.log" $CONFIG
pc_append "log_ftp_protocol=YES" $CONFIG

# wu logs
pc_append "dual_log_enable=YES" $CONFIG
pc_append "xferlog_file=/mnt/USB/xfer.log" $CONFIG

It didn't work.

Next I delete /jffs/scripts/vsftpd.conf.add and /jffs/scripts/vsftpd.postconf and created a /jffs/configs/vsftpd.conf exactly as follows:

anonymous_enable=NO
nopriv_user=root
write_enable=YES
local_enable=YES
chroot_local_user=YES
local_umask=000
dirmessage_enable=NO
xferlog_enable=YES
syslog_enable=NO
connect_from_port_20=YES
use_localtime=YES
listen=YES
pasv_enable=YES
pasv_min_port=57530
pasv_max_port=57560
tcp_wrappers=NO
max_clients=5
ftp_username=anonymous
ftpd_banner=Welcome to ASUS RT-AC86U FTP service.
ssl_enable=NO
vsftpd_log_file=/mnt/USB/vsftpd.log
log_ftp_protocol=YES
dual_log_enable=YES
xferlog_file=/mnt/USB/xfer.log
listen_port=874

Now even FTP over port 874 doesn't work like it did before.

I don't know what to do next - most likely the vsftpd.conf replacement with / jffs / configs / does not work.

 

[ColinTaylor]

First I created a /jffs/scripts/vsftpd.postconf script exactly as follows:


It didn't work.

What do you mean by "It didn't work"? /etc/vsftpd.conf was not changed, it was changed but didn't log anything, or something else?

 

[tombono]

What do you mean by "It didn't work"? /etc/vsftpd.conf was not changed, it was changed but didn't log anything, or something else?

When I created vsftpd.postconf the /etc/vsftpd.conf was not changed.

 

[ColinTaylor]

I checked /etc/vsftpd.conf and was not changed.

The most obvious question: Did you reboot the router after creating the script?