FTP server logging is surprisingly less about tracking who downloaded what and more about proving when and how the server itself was accessible.
Let’s look at a typical vsftpd setup. Imagine a user connecting, logging in, fetching a file and disconnecting. Here is a simplified set of log entries for that session:
Tue Aug 15 10:00:01 2023 [pid 1234] [user1] OK UHOST:192.168.1.100
Tue Aug 15 10:00:05 2023 [pid 1234] [user1] LOGIN FROM 192.168.1.100
Tue Aug 15 10:00:10 2023 [pid 1234] [user1] GET /public/file.txt
Tue Aug 15 10:00:12 2023 [pid 1234] [user1] 226 Transfer complete.
Tue Aug 15 10:01:00 2023 [pid 1234] [user1] QUIT
This shows a successful login, a file retrieval, and a logout. But what if we need more detail for an audit, like tracking failed login attempts or specific commands?
The core problem vsftpd logging addresses is providing a tamper-evident trail of server activity. This isn’t just for security investigations; it’s crucial for regulatory compliance (e.g., PCI DSS, HIPAA), and such regulations often mandate detailed access logs. The goal is to have enough information to reconstruct events and verify that access controls were enforced.
To configure vsftpd for robust auditing, you’ll primarily modify its configuration file, usually /etc/vsftpd.conf.
1. Enabling Detailed Logging:
The xferlog_enable directive, when set to YES, activates the transfer log. This log captures successful file transfers.
# /etc/vsftpd.conf
xferlog_enable=YES
This works by having vsftpd write details about each successful RETR (download) and STOR (upload) command to a dedicated log file, typically /var/log/vsftpd.log. Note that if xferlog_std_format=YES is also set, vsftpd instead writes transfers in the wu-ftpd xferlog format to /var/log/xferlog, and the vsftpd-style entries shown in this article are not produced unless dual_log_enable=YES is set as well.
2. Logging All Connections:
For a complete audit trail, you need to log all connections, not just successful transfers. The log_ftp_protocol directive, when set to YES, logs every FTP command sent by the client and the server’s response. This is invaluable for understanding the full sequence of operations, including failed commands or unexpected client behavior.
# /etc/vsftpd.conf
log_ftp_protocol=YES
This directive causes vsftpd to write each command and response pair to the main log file, providing a granular, line-by-line account of the FTP session.
3. Logging Failed Logins:
Tracking failed login attempts is critical for detecting brute-force attacks or unauthorized access. vsftpd writes a FAIL LOGIN entry for every failed authentication as part of its normal logging, so no extra directive is needed to capture them. The related directive is delay_failed_login (not fail_delayed_login, which vsftpd does not recognise); it takes a number of seconds, default 1, and controls how long vsftpd pauses before answering a failed login, which slows down password guessing. Combined with xferlog_enable=YES, failed logins show up in the transfer log.
# /etc/vsftpd.conf
# seconds to pause before replying to a failed login (default is 1)
delay_failed_login=1
When a login fails, vsftpd records an entry in /var/log/vsftpd.log indicating the username that was tried and the client IP address that attempted the login.
4. Using the xferlog_file Directive:
With xferlog_enable=YES the transfer log defaults to /var/log/vsftpd.log; the xferlog_file directive lets you set that path explicitly or move it elsewhere. This is useful for centralizing logs or for systems with specific disk space management requirements.
# /etc/vsftpd.conf
xferlog_file=/var/log/my_ftp_audit.log
This directive simply tells vsftpd where to write its transfer log entries, allowing for better organization and management of audit data.
5. Enabling User List Logging:
If you use userlist_enable=YES, you might want to log which users are allowed or denied access based on this list. While vsftpd doesn’t have a direct directive for just userlist logging, log_ftp_protocol=YES will show the client attempting to connect and the subsequent authentication responses, which implicitly involves the user list checks.
6. Rotating Logs:
Log files can grow very large. For long-term auditing and compliance, you’ll need to implement log rotation. Tools like logrotate are designed for this. A typical logrotate configuration for vsftpd might look like this:
/var/log/vsftpd.log
/var/log/vsftpd.log.anon
{
daily
rotate 7
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/bin/kill -HUP $(cat /var/run/vsftpd.pid 2> /dev/null) 2> /dev/null || true
endscript
}
This configuration tells logrotate to rotate the vsftpd logs daily, keep 7 old logs, compress them (delaycompress leaves the most recent rotated file uncompressed for one cycle), and, importantly, to signal the vsftpd process (kill -HUP) after rotation so it reopens its log files. The postrotate command is written so that a missing PID file (for example, when vsftpd is not running) does not cause logrotate to report an error. This ensures no log data is lost during the rotation process.
7. Checking the Logs:
Once configured, you can inspect the logs using standard Linux tools. For example, to see all login attempts (successful and failed) from a specific IP address:
grep 'LOGIN FROM 192.168.1.100' /var/log/vsftpd.log
Or to see all successful file transfers:
grep 'Transfer complete' /var/log/vsftpd.log
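Beyond one-off grep searches, the checks from steps 3 and 7 (spotting failed-login bursts and listing completed transfers) are easier to repeat and alert on if the log is parsed into events. The following Python script is an added example, not part of this article or of vsftpd itself. SAMPLE_LOG is constructed. The line prefix "date [pid N] [user] message" is the layout shown above; the message wordings "CONNECT:", "OK LOGIN:", "FAIL LOGIN:", "OK DOWNLOAD:" and "FTP command:" follow vsftpd’s own log style, and the article’s simplified "LOGIN FROM ip" and "GET path" wording is accepted as well. The brute-force threshold (5 failures within 60 seconds) is an assumed starting point, not a vsftpd setting.

```python
"""Parse vsftpd-style log lines and summarise logins, failures and transfers.

Added example for this article; not the article's own code and not part of
vsftpd. SAMPLE_LOG is constructed. The prefix "<date> [pid N] [user] <msg>"
matches the article's layout; the message wording follows vsftpd's log style,
with the article's simplified "LOGIN FROM"/"GET" wording accepted too.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid (?P<pid>\d+)\] (?:\[(?P<user>[^\]]*)\] )?(?P<msg>.*)$')
CLIENT_RE = re.compile(r'Client "(?P<ip>[^"]+)"')   # vsftpd style
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')  # article's bare-IP style
QUOTED_RE = re.compile(r'"([^"]*)"')

# Constructed sample: one normal session, a burst of failed logins from a
# single client, and a user who mistypes a password once and then succeeds.
SAMPLE_LOG = """\
Tue Aug 15 10:00:01 2023 [pid 1234] CONNECT: Client "192.168.1.100"
Tue Aug 15 10:00:05 2023 [pid 1234] [user1] OK LOGIN: Client "192.168.1.100"
Tue Aug 15 10:00:12 2023 [pid 1235] [user1] OK DOWNLOAD: Client "192.168.1.100", "/public/file.txt", 2048 bytes, 34.12Kbyte/sec
Tue Aug 15 10:02:00 2023 [pid 1300] CONNECT: Client "203.0.113.7"
Tue Aug 15 10:02:01 2023 [pid 1300] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 15 10:02:03 2023 [pid 1300] [root] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 15 10:02:05 2023 [pid 1300] [ftp] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 15 10:02:07 2023 [pid 1300] [test] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 15 10:02:09 2023 [pid 1300] [user1] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 15 10:30:00 2023 [pid 1400] [user2] FAIL LOGIN: Client "192.168.1.50"
Tue Aug 15 10:30:20 2023 [pid 1400] [user2] OK LOGIN: Client "192.168.1.50"
Tue Aug 15 10:30:25 2023 [pid 1400] [user2] FTP command: Client "192.168.1.50", "RETR /public/file.txt"
"""


def classify(msg):
    """Map a log message to a coarse event kind."""
    if msg.startswith('FAIL LOGIN'):
        return 'login_fail'
    if msg.startswith(('OK LOGIN', 'LOGIN FROM')):
        return 'login_ok'
    if msg.startswith(('OK DOWNLOAD', 'GET ')):
        return 'download'
    if msg.startswith('OK UPLOAD'):
        return 'upload'
    if msg.startswith('FTP command'):      # only present with log_ftp_protocol=YES
        return 'command'
    if msg.startswith('FTP response'):
        return 'response'
    return 'other'


def parse_line(line):
    """Return an event dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    msg = m['msg']
    client = CLIENT_RE.search(msg)
    if client:
        ip = client['ip']
    else:
        bare = IP_RE.search(msg)
        ip = bare.group(0) if bare else None
    return {'ts': datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y'),
            'pid': int(m['pid']), 'user': m['user'], 'ip': ip,
            'kind': classify(msg), 'msg': msg}


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def failed_logins_by_client(events):
    """Count FAIL LOGIN events per client IP."""
    return Counter(e['ip'] for e in events if e['kind'] == 'login_fail' and e['ip'])


def flag_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients with >= threshold failures inside any window."""
    by_ip = defaultdict(list)
    for e in events:
        if e['kind'] == 'login_fail' and e['ip']:
            by_ip[e['ip']].append(e['ts'])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def transfers(events):
    """List (user, ip, path, kind) for completed uploads and downloads."""
    out = []
    for e in events:
        if e['kind'] not in ('download', 'upload'):
            continue
        quoted = QUOTED_RE.findall(e['msg'])
        if len(quoted) >= 2:           # vsftpd style: Client "<ip>", "<path>", ...
            path = quoted[1]
        else:                          # article style: GET <path>
            parts = e['msg'].split(None, 1)
            path = parts[1] if len(parts) > 1 else ''
        out.append((e['user'], e['ip'], path, e['kind']))
    return out


if __name__ == '__main__':
    events = parse_log(SAMPLE_LOG)
    print('failed logins per client:', dict(failed_logins_by_client(events)))
    print('possible brute force:', flag_bruteforce(events))
    print('transfers:', transfers(events))
```

Run against a real file with `python3 vsftpd_audit.py < /dev/null` after replacing SAMPLE_LOG with `open('/var/log/vsftpd.log').read()`; on the constructed sample the burst from 203.0.113.7 is flagged, the single mistake from 192.168.1.50 is not, and the one completed download is listed with its user and client address. The sliding window matters: a plain per-IP total would also count slow, spread-out failures over a day, which is a different (and noisier) signal.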
The most surprising aspect of vsftpd logging, especially with log_ftp_protocol=YES, is the sheer volume of data it generates. It’s not just a summary; it’s a transcript of the entire FTP conversation, command by command. This level of detail is often overlooked but is precisely what auditors and compliance officers need to verify access and activity.
After ensuring your vsftpd logs are correctly configured and rotating, the next hurdle is often integrating these logs with a centralized logging system like Splunk or the ELK stack for long-term storage, analysis, and alerting.