DWA Emitter for XFERLOG

Prerequisites

This emitter supports the XFERLOG format, a very common log format written by many FTP and FTP/S servers such as WU-FTPD and vsFTPd.

XFERLOG is a text file where each line contains a transfer event made up of space-separated event attributes.

DWA Emitter for XFERLOG log format expects the following fields in the input XFERLOG formatted files:

  1. Current date and time

  2. Transfer time in seconds

  3. Remote host

  4. File size

  5. Filename and path

  6. Transfer type (a for ASCII, b for binary)

  7. Special action flag

  8. Direction (i for incoming, o for outgoing)

  9. Access mode

  10. Userid

  11. Service name

  12. Authentication method

  13. Authenticated userid

  14. Completion status (c for complete, i for incomplete)

Depending on the actual FTP Server type and version, XFERLOG logging might be turned off by default. Please refer to your FTP Server specific documentation for details on how to turn on XFERLOG logging.

DWA Emitter for XFERLOG allows limited customization of the pattern matching configuration that drives XFERLOG parsing. In normal circumstances the provided defaults will just work, but if the monitored FTP Server writes XFERLOG in a non-standard way, the patterns can be adjusted to some extent.

On the other hand, major changes in the log structure cannot be covered by simply adjusting pattern matching configuration.

DWA Emitter for XFERLOG handles rolling logs, i.e. logs dynamically renamed by the monitored FTP Server according to some configurable policy (for instance, a log file size threshold and/or a log age threshold), giving rise to a current log and archived logs.

Configuration reference

DWA Emitter for XFERLOG -- Prefix emitter.xferlog[<label>].*

All pattern properties included in the configuration conform to Java Message Format syntax as defined in: https://docs.oracle.com/javase/8/docs/api/java/text/MessageFormat.html

protocolType = ftp | ftps

Tells the emitter whether the monitored server uses FTP or FTP/S. This hint is required because the protocol cannot be detected by reading XFERLOG contents.

logFilePath

Name of the current log file to monitor, complete with absolute path.

The named file, and any other file whose name consists of that name followed by a suffix, will be processed.

For example, when this parameter is set to:

/usr/log/xferlog.log

all files like the following will be processed (if available) in the right order and in accordance with dynamic file rotation policies:

/usr/log/xferlog.log

/usr/log/xferlog.log.1

/usr/log/xferlog.log.2

/usr/log/xferlog.log.3 …

logPattern

Pattern used to parse each xferlog log file line.

The provided default value:

{0,date,E MMM d HH:mm:ss yyyy} {1,number,integer} {2} {3,number,integer} {4} {5} {6} {7} {8} {9} {10} {11} {12} {13}

successfully matches this sample log line:

Wed Oct 24 16:34:27 2021 3 10.50.61.200 19123080 /export/home/user01/tmp/test.txt b _ i r user01 ftp 0 * c

Where:

{0} = current time

{1} = transfer time in seconds

{2} = remote host

{3} = transferred file size

{4} = transferred filename, file path is absolute

{5} = transfer type (a for ASCII, b for binary)

{6} = special action flag

{7} = direction (i for incoming, o for outgoing)

{8} = access mode

{9} = username

{10} = service name

{11} = authentication method

{12} = authenticated user id

{13} = completion status (c for complete, i for incomplete)
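
A check you can run over a log before pointing the emitter at it, to find lines that do not fit the space-separated layout listed above. This Python code is an added example, not part of the DWA product; the function names, dictionary keys and the second and third sample lines are this example's own. It goes slightly beyond the default pattern by also checking the enumerated values the field list spells out.

```python
from datetime import datetime

# Key names are this example's own; their order follows {1}..{13} above.
FIELDS = ["transfer_secs", "remote_host", "file_size", "filename",
          "transfer_type", "special_action", "direction", "access_mode",
          "username", "service", "auth_method", "auth_userid", "status"]
# Only the values the field list above spells out are checked.
ENUMS = {"transfer_type": ("a", "b"), "direction": ("i", "o"), "status": ("c", "i")}

def parse_xferlog_line(line):
    """Return the 14 fields as a dict; raise ValueError if the line does not fit."""
    tokens = line.split()
    # The timestamp spans 5 space-separated tokens; each other field is one token.
    if len(tokens) != 18:
        raise ValueError(f"expected 18 tokens, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens[5:]))
    # strptime raises ValueError itself when the timestamp is malformed.
    rec["time"] = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    for key in ("transfer_secs", "file_size"):
        if not (rec[key].isascii() and rec[key].isdigit()):
            raise ValueError(f"{key} is not an integer: {rec[key]!r}")
        rec[key] = int(rec[key])
    for key, allowed in ENUMS.items():
        if rec[key] not in allowed:
            raise ValueError(f"{key} has unexpected value {rec[key]!r}")
    return rec

def lint(lines):
    """Return [(line_number, reason)] for every line that does not fit the layout."""
    problems = []
    for number, line in enumerate(lines, 1):
        try:
            parse_xferlog_line(line)
        except ValueError as exc:
            problems.append((number, str(exc)))
    return problems

# Line 1 is the sample from this page; lines 2 and 3 are constructed for this example
# (a filename containing a space, and a direction flag outside i/o).
SAMPLE = [
    "Wed Oct 24 16:34:27 2021 3 10.50.61.200 19123080 /export/home/user01/tmp/test.txt b _ i r user01 ftp 0 * c",
    "Wed Oct 24 16:35:02 2021 1 10.50.61.200 2048 /export/home/user01/tmp/my report.txt b _ o r user01 ftp 0 * c",
    "Wed Oct 24 16:36:40 2021 2 10.50.61.200 512 /export/home/user01/tmp/a.txt b _ x r user01 ftp 0 * c",
]

if __name__ == "__main__":
    for number, reason in lint(SAMPLE):
        print(f"line {number}: {reason}")
```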
