sebastianwebber/ftpd.mtail

## ftpd.mtail
hidden text FILENAME

counter log_ftp_files_processed_count by username, remote_host, transfer_type, direction
counter log_ftp_files_deleted_count by username, remote_host, transfer_type
counter log_ftp_files_incomplete_transfers_count by username, remote_host, transfer_type

FILENAME = getfilename()

## example file
### Fri Jan  4 12:55:27 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
### Fri Jan  4 12:55:29 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
### Fri Jan  4 12:55:31 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
### Fri Jan  4 12:55:32 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c

## full regex: /(?P<date>\w+ \w+ [0-9 ]{2} \d{2}\:\d{2}\:\d{2} \d{4}) (?P<transfer_time>\d) (?P<remote_host>[0-9\.]{1,}) (?P<file_size_bytes>\d+) (?P<filename>[\.\_\/a-zA-Z0-9]{1,}) (?P<transfer_type>\w) (?P<special_action_flag>\w) (?P<direction>\w) (?P<access_mode>\w) (?P<username>[\w\.]{1,}) (?P<service_name>\w+) (?P<auth_method>\w) (?P<auth_user_id>[\w\*]{1}) (?P<completion_status>\w)/
#### DOC: http://www.castaglia.org/proftpd/doc/xferlog.html
#### DEBUG: https://regex101.com/r/2tfCbZ/3

## force check if it the log file is /var/log/vsftpd.log
FILENAME == "/var/log/vsftpd.log" {
    /(?P<date>\w+ \w+ [0-9 ]{2} \d{2}\:\d{2}\:\d{2} \d{4}) \d+ (?P<remote_host>[0-9\.]{1,}) \d+ [\.\_\/a-zA-Z0-9]{1,} (?P<transfer_type>\w) \w (?P<direction>\w) \w (?P<username>[\w\.]{1,}) \w+ \w [\w\*]{1} (?P<completion_status>\w)/ {
        strptime($date, "Mon Jan _2 15:04:05 2006")

        log_ftp_files_processed_count[$username][$remote_host][$transfer_type][$direction]++


        $direction == "d" {
            log_ftp_files_deleted_count[$username][$remote_host][$transfer_type]++
        }

        $completion_status == "i" {
            log_ftp_files_incomplete_transfers_count[$username][$remote_host][$transfer_type]++
        }

    }
}
	hidden text FILENAME

	counter log_ftp_files_processed_count by username, remote_host, transfer_type, direction
	counter log_ftp_files_deleted_count by username, remote_host, transfer_type
	counter log_ftp_files_incomplete_transfers_count by username, remote_host, transfer_type

	FILENAME = getfilename()

	## example file
	### Fri Jan 4 12:55:27 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
	### Fri Jan 4 12:55:29 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
	### Fri Jan 4 12:55:31 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c
	### Fri Jan 4 12:55:32 2019 1 1.2.3.4 224 /path/to/file.CSV b _ o r user_name ftp 0 * c

	## full regex: /(?P<date>\w+ \w+ [0-9 ]{2} \d{2}\:\d{2}\:\d{2} \d{4}) (?P<transfer_time>\d) (?P<remote_host>[0-9\.]{1,}) (?P<file_size_bytes>\d+) (?P<filename>[\.\_\/a-zA-Z0-9]{1,}) (?P<transfer_type>\w) (?P<special_action_flag>\w) (?P<direction>\w) (?P<access_mode>\w) (?P<username>[\w\.]{1,}) (?P<service_name>\w+) (?P<auth_method>\w) (?P<auth_user_id>[\w\*]{1}) (?P<completion_status>\w)/
	#### DOC: http://www.castaglia.org/proftpd/doc/xferlog.html
	#### DEBUG: https://regex101.com/r/2tfCbZ/3

	## force check if it the log file is /var/log/vsftpd.log
	FILENAME == "/var/log/vsftpd.log" {
	/(?P<date>\w+ \w+ [0-9 ]{2} \d{2}\:\d{2}\:\d{2} \d{4}) \d+ (?P<remote_host>[0-9\.]{1,}) \d+ [\.\_\/a-zA-Z0-9]{1,} (?P<transfer_type>\w) \w (?P<direction>\w) \w (?P<username>[\w\.]{1,}) \w+ \w [\w\*]{1} (?P<completion_status>\w)/ {
	strptime($date, "Mon Jan _2 15:04:05 2006")

	log_ftp_files_processed_count[$username][$remote_host][$transfer_type][$direction]++


	$direction == "d" {
	log_ftp_files_deleted_count[$username][$remote_host][$transfer_type]++
	}

	$completion_status == "i" {
	log_ftp_files_incomplete_transfers_count[$username][$remote_host][$transfer_type]++
	}

	}
	}