mtail prog to parse vsftpd logs in xferlog format
hidden text FILENAME
counter log_ftp_files_processed_count by username, remote_host, transfer_type, direction
counter log_ftp_files_deleted_count by username, remote_host, transfer_type
counter log_ftp_files_incomplete_transfers_count by username, remote_host, transfer_type
FILENAME = getfilename()
## example file (vsftpd with xferlog_std_format=YES; the day of month is space-padded, so "Jan  4")
### Fri Jan  4 12:55:27 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
### Fri Jan  4 12:55:29 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
### Fri Jan  4 12:55:31 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
### Fri Jan  4 12:55:32 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
## full regex (all xferlog fields named; transfer_time may be more than one digit, and the filename is any run of non-space characters because xferlog writes spaces in names as underscores):
## /(?P<date>\w+ \w+ [0-9 ]{2} \d{2}\:\d{2}\:\d{2} \d{4}) (?P<transfer_time>\d+) (?P<remote_host>[0-9\.]{1,}) (?P<file_size_bytes>\d+) (?P<filename>\S+) (?P<transfer_type>\w) (?P<special_action_flag>\w) (?P<direction>\w) (?P<access_mode>\w) (?P<username>[\w\.\-]{1,}) (?P<service_name>\w+) (?P<auth_method>\w) (?P<auth_user_id>[\w\*]{1}) (?P<completion_status>\w)/
#### DOC: http://www.castaglia.org/proftpd/doc/xferlog.html
#### DEBUG: https://regex101.com/r/2tfCbZ/3
## only apply the rule when the log file being read is /var/log/vsftpd.log
FILENAME == "/var/log/vsftpd.log" {
  ## unnamed fields (transfer time, size, filename, special action flag, access mode,
  ## service name, auth method, auth user id) are matched but not exported as labels;
  ## a line that does not match this pattern is ignored, so it never reaches the counters
  /(?P<date>\w+ \w+ [0-9 ]{2} \d{2}\:\d{2}\:\d{2} \d{4}) \d+ (?P<remote_host>[0-9\.]{1,}) \d+ \S+ (?P<transfer_type>\w) \w (?P<direction>\w) \w (?P<username>[\w\.\-]{1,}) \w+ \w [\w\*]{1} (?P<completion_status>\w)/ {
    ## Go time layout; "_2" is the space-padded day written by strftime's %e
    strptime($date, "Mon Jan _2 15:04:05 2006")
    log_ftp_files_processed_count[$username][$remote_host][$transfer_type][$direction]++
    ## direction "d" is a delete, "o" outgoing (download), "i" incoming (upload)
    $direction == "d" {
      log_ftp_files_deleted_count[$username][$remote_host][$transfer_type]++
    }
    ## completion status "i" means the transfer was interrupted
    $completion_status == "i" {
      log_ftp_files_incomplete_transfers_count[$username][$remote_host][$transfer_type]++
    }
  }
}
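As an added example, not part of the gist, here is the same field layout and the same three counters implemented in Python with the standard `re` module, so the pattern can be checked offline against sample lines before it is trusted in mtail. The sample records are constructed for this example. The pattern widens two fields relative to the gist: the transfer time may be more than one digit, and the filename is any run of non-space characters (safe because xferlog rewrites spaces in names as underscores). It also counts lines the regex does not match, which mtail would drop silently.

```python
import re
from collections import Counter

# Field layout of an xferlog record (same named groups as the gist's "full regex"),
# written in Python re syntax. transfer_time is \d+ and filename is \S+ so that
# long transfers and dashed file names are not silently skipped.
XFERLOG_RE = re.compile(
    r"^(?P<date>\w+ \w+ [0-9 ]{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<transfer_time>\d+) "
    r"(?P<remote_host>[0-9.]+) "
    r"(?P<file_size_bytes>\d+) "
    r"(?P<filename>\S+) "
    r"(?P<transfer_type>[ab]) "          # a = ascii, b = binary
    r"(?P<special_action_flag>[CUT_]) "  # C/U/T, or _ for no action
    r"(?P<direction>[odi]) "             # o = outgoing, i = incoming, d = deleted
    r"(?P<access_mode>[agr]) "           # a = anonymous, g = guest, r = real user
    r"(?P<username>[\w.-]+) "
    r"(?P<service_name>\w+) "
    r"(?P<auth_method>[01]) "
    r"(?P<auth_user_id>\S+) "
    r"(?P<completion_status>[ci])$"      # c = complete, i = incomplete
)

# Constructed sample records (not from a real server). Note the two spaces before
# the single-digit day, as strftime's %e writes it; the last line is deliberate noise.
SAMPLE_LOG = """\
Fri Jan  4 12:55:27 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
Fri Jan  4 12:55:29 2019 12 1.2.3.4 10485760 /path/to/big-dump.tar.gz b _ i r user_name ftp 0 * i
Fri Jan  4 12:55:31 2019 0 10.0.0.9 0 /path/to/file.CSV b _ d r other.user ftp 0 * c
Fri Jan  4 12:55:32 2019 3 10.0.0.9 4096 /path/to/file.CSV b _ o r other.user ftp 0 * c
this line is not an xferlog record
"""


def parse_xferlog_line(line):
    """Return the record's named fields as a dict, or None if the line is not an xferlog record."""
    m = XFERLOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def count_transfers(log_text):
    """Mirror the gist's three mtail counters over a block of log text.

    Returns Counters keyed like the mtail metric labels, plus the number of
    non-empty lines the regex rejected. mtail ignores such lines without any
    signal; tracking them is the check that shows when the pattern no longer
    matches what the server actually writes.
    """
    processed = Counter()   # (username, remote_host, transfer_type, direction)
    deleted = Counter()     # (username, remote_host, transfer_type)
    incomplete = Counter()  # (username, remote_host, transfer_type)
    unmatched = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        if rec is None:
            unmatched += 1
            continue
        key = (rec["username"], rec["remote_host"], rec["transfer_type"])
        processed[key + (rec["direction"],)] += 1
        if rec["direction"] == "d":
            deleted[key] += 1
        if rec["completion_status"] == "i":
            incomplete[key] += 1
    return {"processed": processed, "deleted": deleted,
            "incomplete": incomplete, "unmatched": unmatched}


if __name__ == "__main__":
    for name, value in count_transfers(SAMPLE_LOG).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

The `unmatched` count has no counterpart in the gist; in mtail the equivalent is an `otherwise { ... }` block after the match that increments a separate counter, so a format change on the server side shows up as a rising metric instead of flat transfer counts.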