How to read FTP operations logs in XFERLOG format?

       The  xferlog  file  contains logging information from the FTP server daemon, proftpd(8).  This file usually is found in /var/log but can be located anywhere by using a proftpd(8) configuration
       directive.  Each server entry is composed of a single line of the following form, with all fields being separated by spaces.

              current-time   transfer-time   remote-host   file-size   filename   transfer-type   special-action-flag   direction    access-mode    username    service-name    authentication-method
              authenticated-user-id  completion-status

       current-time        is  the current local time in the form "DDD MMM dd hh:mm:ss YYYY". Where DDD is the day of the week, MMM is the month, dd is the day of the month, hh is the hour, mm is the
                           minutes, ss is the seconds, and YYYY is the year.

       transfer-time       is the total time in seconds for the transfer.

       remote-host         is the remote host name.

       file-size           is the size of the transferred file in bytes.

       filename            is the name of the transferred file.  If the filename contains any spaces or control characters, each such character is replaced by an underscore ('_') character.

       transfer-type       is a single character indicating the type of transfer. Can be one of:
                                  a         for an ascii transfer
                                  b         for a binary transfer

       special-action-flag is one or more single character flags indicating any special action taken.  Can be one or more of:
                                  C         file was compressed
                                  U         file was uncompressed
                                  T         file was tar'ed
                                  _         no action was taken

       direction           is the direction of the transfer. Can be one of:
                                  o         outgoing
                                  i         incoming
                                  d         deleted

       access-mode         is the method by which the user is logged in. Can be one of:
                                  a         (anonymous) is for an anonymous guest user.
                                  r         (real) is for a local authenticated user.

       username            is the local username, or if guest, the ID string given.

       service-name        is the name of the service being invoked, usually FTP.

                           is the method of authentication used. Can be one of:
                                  0         none
                                  1         RFC931 Authentication

                           is the user id returned by the authentication method.  A * is used if an authenticated user id is not available.

       completion-status   is a single character indicating the status of the transfer.  Can be one of:
                                  c         complete transfer
                                  i         incomplete transfer

       ProFTPD is written and maintained by a number of people, full credits can be found on http://www.proftpd.org/credits.html

Source: man xferlog


Contact with us


Despite the best efforts for this site to be up-to-date, some of the information in the FAQ may be outdated. If you have and doubts or questions feel free to contact us by mail or by the phone.