Log Format, Type, and Location

To monitor EFT activity, you can reference EFT’s log files. EFT supports W3C, Microsoft IIS, and NCSA log file formats. Server events are logged to a file named [log file format]yymmdd.log, where YY, MM, and DD indicate the numeric year, month, and day respectively. Depending on the log file format selected, a 2-letter abbreviation is prepended to the filename, as described in the table below. For example, a log file in the Microsoft IIS format created on August 22, 2007 is named in070822.log.

By default, log files are saved in the EFT data directory in the Log folder (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise\Logs). Outbound connection information is audited in that same folder in a log named cl<date>.log.

When using HA, you need to specify a unique location (local) for the log files. This is for troubleshooting purposes (to know what node an issue occurred on). Also, having two nodes write to the same file causes issues with file locking, which will cause data in the logs to be lost.

To specify log settings

  1. In the administration interface, connect to EFT and click the Server tab.

  2. On the Server tab, click the Server node.

  3. In the right pane, click the Logs tab.

  4. In the Log File Settings area, in the Folder in which to save log files box, type the path to the directory in which to save this Server's log files. To browse for a path, click the folder icon .

  5. In the Log file format list, click W3C Extended, Microsoft IIS, NCSA Common, or No Logging.

    Changing the log file format disconnects all active users. It is recommended to stop all Sites or wait until all users are inactive before changing the log file format.

    The W3C format records all times in GMT (Greenwich Mean Time).

  6. Clear the Encode logs in UTF-8 check box if you do not want to encode logs in UTF-8 format. When the check box is cleared, the u_ex*.log file is named ex*.log.

    From Microsoft TechNet:

    When using the UTF-8 logging feature, note the following:

  7. In the Log type list, click Standard or Verbose. (Verbose provides more details, but makes larger files.)

  8. In the Rotate Log File area, specify Never, Daily, Weekly, or Monthly.

  9. Click Apply to save the changes on EFT.

  10. Stop and restart EFT.

 

For information about the Audit Database Settings, refer to Auditing Database Errors and Logging.

 

Log File Format

Abbreviation

W3C

ex

NCSA

nc

Microsoft IIS

in

Log Example

Below is an example of an ex-formatted log:

#Version: 1.0

#Software: CuteLogger

#Date: 2010-04-08 20:07:50

#Fields: date time c-ip c-port cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes s-name s-port

2010-04-08 20:07:07 192.168.241.1 - test [1]user test - 331 - - - 22

2010-04-08 20:07:07 192.168.241.1 - test [1]pass ******* - 230 - - - 22

2010-04-08 20:07:16 192.168.241.1 - test [1]created /Test+File+1.txt - 226 - 54 - 22

2010-04-08 20:08:23 192.168.241.1 - test [1]rnfr /Test+File+1.txt - 350 - - - 22

2010-04-08 20:08:23 192.168.241.1 - test [1]rnto /Test+File+2.txt - 250 - - - 22

2010-04-08 20:08:26 192.168.241.1 - test [1]sent /Test+File+2.txt - 226 - 54 - 22

2010-04-08 20:10:02 192.168.241.1 - test [1]dele /Test+File+2.txt - 250 - - - 22

2010-04-08 20:10:08 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22

2010-04-08 20:10:09 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22

2010-04-08 20:11:57 192.168.241.1 - test [2]user test - 331 - - - 990

2010-04-08 20:11:57 192.168.241.1 - test [2]pass ****** - 230 - - - 990

2010-04-08 20:12:04 192.168.241.1 - test [2]created /Test+File+1.txt - 226 - 54 - 990

2010-04-08 20:12:16 192.168.241.1 - test [2]rnfr /Test+File+1.txt - 350 - - - 990

2010-04-08 20:12:16 192.168.241.1 - test [2]rnto /Test+File+2.txt - 250 - - - 990

2010-04-08 20:12:28 192.168.241.1 - test [2]rnfr /Test+File+2.txt - 350 - - - 990

2010-04-08 20:12:28 192.168.241.1 - test [2]rnto /Test+File+3.txt - 250 - - - 990

2010-04-08 20:12:31 192.168.241.1 - test [2]sent /Test+File+3.txt - 226 122 - - 990

The log can be read as described below:

Field

Description

Example

(Each field in the log has either a value (e.g., date) or a dash (-) if no value was sent for that field.)

date

Date log was recorded

2010-04-08

time

Time log was recorded

20:07:16

c-ip

Client IP address

192.168.241.1

c-port

Client port

21

cs-username

Username

test

cs-method

Method

(Command Sent)

ABOR

Abort an active file transfer

ACCT

Account information

ALLO

Allocate sufficient disk space to receive a file

APPE

Append

AUTH

Authentication/Security Mechanism

CCC

Clear Command Channel

CDUP

Change to Parent Directory

CHANGEPASSWORD

Change the password

CLIENTCERT

Client SSL certificate was rejected (reason is provided in the log entry).

COMB

Combines file segments into a single file on EFT.

CREATED

File was created (uploaded).

CWD

Change working directory

DELE

Delete file

EPRT

Specifies an extended address and port to which the server should connect

EPSV

Enter extended passive mode

FEAT

Get the feature list implemented by the server

HELP

Display a list of all available FTP commands

KICK

Client connection was closed by administrator.

LIST

Returns information of a file or directory if specified, else information of the current working directory is returned

MDTM

Return the last-modified time of a specified file

MKD

Make directory

MLSD

Lists the contents of a directory if a directory is named

MLST

Provides data about exactly the object named on its command line, and no others

MODE

Sets the transfer mode (Stream, Block, or Compressed)

NLIST

Returns a list of file names in a specified directory

NOOP

No operation (dummy packet; used mostly on keepalives)

OPTS

Select options for a feature

PASS

Authentication password

PASV

Enter passive mode

PBSZ

Protection Buffer Size

PORT

Specifies the port to which the server should connect

PROT

Data Channel Protection Level

PWD

Print working directory Returns the current directory of the host

QUIT

Disconnect

REIN

Re initializes the connection

REST

Restart transfer from the specified point

RETR

Transfer a copy of the file

RMD

Remove a directory

RNFR

Rename from

RNTO

Rename to

SENT

File was sent (downloaded).

SITE

Sends site specific commands to remote server

SIZE

Return the size of a file

SMNT

Mount file structure

SSCN

Set secured client negotiation

SSH_DISCONNECT

SFTP (SSH) client connection was closed (reason is provided in the log entry).

STAT

Returns the status

STOR

Accept the data and to store the data as a file at the server site

STOU

Store file uniquely

STRU

Set file transfer structure

SYST

Return system type

TYPE

Sets the transfer mode

USER

Authentication username

WEBSERVICE

Web Service was invoked.

XCRC

Compute CRC32 checksum on specified file

cs-uri-stem

Stem portion of URI

/Test+File+1.txt

cs-uri-query

Query portion of URI

-

sc-status

Status code

226 (Closing data connection. Requested file action successful.)

sc-bytes

The number of bytes that the server sent to the client.

541

cs-bytes

The number of bytes that the client sent to the server.

54

s-name

 

-

s-port

Server port

22

 

For information about log file formatting, refer to http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/be22e074-72f8-46da-bb7e-e27877c85bca.mspx?mfr=true.