Oxxus Java Hosting techblog – Just about something for everyone News, reviews, tutorials brought to you by web hosting tech support

1 Jul 2011

Analyzing xferlog file

I wanted to write a few sentences on the xferlog, since I know that not many people pay attention to it, but it really can be useful.

 

For example, say you have an FTP user who deletes files, writes files, reads files, and so on. All of these actions are stored with a timestamp in xferlog.

A system administrator can find out exactly what happened to the files that were stored or deleted, who deleted them, and when.

It is usually located in /var/log/xferlog

Each entry records the following fields: current-time, transfer-time, remote-host, file-size, file-name, transfer-type (binary/ascii), special-action-flag (compressed/uncompressed), direction (outgoing/incoming), access-mode, username, service-name, authentication-method and completion-status (complete/incomplete).

So basically, all the information is there for the system admin who wants to analyze FTP actions.

My current use was to find successfully uploaded files. One command:

awk '($12 ~ /^i$/ && $NF ~ /^c$/){print $9}' xferlog

and I got them all.
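The one-liner above answers "what was uploaded"; the following is an added example (not part of the original post) that also answers "who, from where, and when" for completed uploads and deletes. It assumes the standard xferlog(5) layout, which also carries an authenticated-user-id field just before completion-status, and it assumes your FTP daemon logs deletes with direction d (ProFTPD does; others may only write i and o). The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# xferlog_report [FILE...]: one line per completed upload or delete, as
#   month day time year username remote-host ACTION filename
# The trailing fields are counted from the end of the line, so a filename
# that contains a space does not shift direction, username or status.
xferlog_report() {
    awk '
    NF >= 18 && $NF == "c" {            # completion-status: c = complete
        dir = $(NF-6)                   # direction: i, o or d
        if (dir == "i")      action = "UPLOAD"
        else if (dir == "d") action = "DELETE"   # assumption: daemon logs deletes
        else next                       # skip downloads
        name = $9                       # filename runs from $9 to $(NF-9)
        for (i = 10; i <= NF - 9; i++) name = name " " $i
        print $2, $3, $4, $5, $(NF-4), $7, action, name
    }' "$@"
}

# Constructed sample entries (documentation IP ranges, made-up users).
sample_xferlog() {
    cat <<'EOF'
Fri Jul  1 10:15:02 2011 2 203.0.113.10 4096 /home/alice/site/index.html b _ i r alice ftp 0 * c
Fri Jul  1 10:16:40 2011 1 203.0.113.10 1024 /home/alice/site/my notes.txt a _ i r alice ftp 0 * c
Fri Jul  1 10:20:11 2011 5 198.51.100.7 90000 /home/bob/backup.tar b _ i r bob ftp 0 * i
Fri Jul  1 10:25:30 2011 0 198.51.100.7 4096 /home/alice/site/index.html b _ d r bob ftp 0 * c
Fri Jul  1 10:30:00 2011 3 203.0.113.10 4096 /home/alice/site/index.html b _ o r alice ftp 0 * c
EOF
}

# Demo run on the sample; on a real server use: xferlog_report /var/log/xferlog
sample_xferlog | xferlog_report
```

The incomplete upload of backup.tar and the download are left out, and the delete shows that bob removed a file alice had uploaded ten minutes earlier.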

 

So I wanted to share this with you as you might find it useful in some situation. Drop a comment if you want to ask me something, or if you have a problem with an investigation of a specific case.

 
