Specifying Log Format, Type, and Location

To monitor EFT Server activity, you can reference EFT Server’s log files. EFT Server supports W3C, Microsoft IIS, and NCSA log file formats. Server events are logged to a file named [log file format]yymmdd.log, where YY, MM, and DD indicate the numeric year, month, and day respectively. Depending on the log file format selected, a 2-letter abbreviation is prepended to the filename, as described in the table below. For example, a log file in the Microsoft IIS format created on August 22, 2007 is named in070822.log.  

Logs are saved by default to C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server Enterprise\Logs or C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server\Logs, but you can specify a different location on the Logs tab of the Server, as shown below. (On Windows 2008, Application Data files for all users are in a hidden folder named %systemroot%\ProgramData instead of under Documents and Settings\All Users\Application Data.)

icon_info.gif

Outbound connection information is audited in that same folder in a log named cl<date>.log.

 

Log File Format

Abbreviation

W3C

ex

NCSA

nc

Microsoft IIS

in

Log Example

Below is an example of an ex-formatted log:

#Version: 1.0

#Software: CuteLogger

#Date: 2010-04-08 20:07:50

#Fields: date time c-ip c-port cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes s-name s-port

2010-04-08 20:07:07 192.168.241.1 - test [1]user test - 331 - - - 22

2010-04-08 20:07:07 192.168.241.1 - test [1]pass ******* - 230 - - - 22

2010-04-08 20:07:16 192.168.241.1 - test [1]created /Test+File+1.txt - 226 - 54 - 22

2010-04-08 20:08:23 192.168.241.1 - test [1]rnfr /Test+File+1.txt - 350 - - - 22

2010-04-08 20:08:23 192.168.241.1 - test [1]rnto /Test+File+2.txt - 250 - - - 22

2010-04-08 20:08:26 192.168.241.1 - test [1]sent /Test+File+2.txt - 226 - 54 - 22

2010-04-08 20:10:02 192.168.241.1 - test [1]dele /Test+File+2.txt - 250 - - - 22

2010-04-08 20:10:08 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22

2010-04-08 20:10:09 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22

2010-04-08 20:11:57 192.168.241.1 - test [2]user test - 331 - - - 990

2010-04-08 20:11:57 192.168.241.1 - test [2]pass ****** - 230 - - - 990

2010-04-08 20:12:04 192.168.241.1 - test [2]created /Test+File+1.txt - 226 - 54 - 990

2010-04-08 20:12:16 192.168.241.1 - test [2]rnfr /Test+File+1.txt - 350 - - - 990

2010-04-08 20:12:16 192.168.241.1 - test [2]rnto /Test+File+2.txt - 250 - - - 990

2010-04-08 20:12:28 192.168.241.1 - test [2]rnfr /Test+File+2.txt - 350 - - - 990

2010-04-08 20:12:28 192.168.241.1 - test [2]rnto /Test+File+3.txt - 250 - - - 990

2010-04-08 20:12:31 192.168.241.1 - test [2]sent /Test+File+3.txt - 226 122 - - 990

The log can be read as described below:

Field

Description

Example

(Each field in the log has either a value (e.g., date) or a dash (-) if no value was sent for that field.)

date

Date log was recorded

2010-04-08

time

Time log was recorded

20:07:16

c-ip

Client IP address

192.168.241.1

c-port

Client port

21

cs-username

Username

test

cs-method

Method

(Command Sent)
ABOR Abort an active file transfer
ACCT Account information
ALLO Allocate sufficient disk space to receive a file
APPE Append
AUTH Authentication/Security Mechanism
CCC Clear Command Channel
CDUP Change to Parent Directory
CHANGEPASSWORD Change the password
CLIENTCERT Client SSL certificate was rejected (reason is provided in the log entry).
COMB Combines file segments into a single file on EFT Server.
CREATED File was created (uploaded).
CWD Change working directory
DELE Delete file
EPRT Specifies an extended address and port to which the server should connect
EPSV Enter extended passive mode
FEAT Get the feature list implemented by the server
HELP Display a list of all available FTP commands
KICK Client connection was closed by administrator.
LIST Returns information of a file or directory if specified, else information of the current working directory is returned
MDTM Return the last-modified time of a specified file
MKD Make directory
MLSD Lists the contents of a directory if a directory is named
MLST Provides data about exactly the object named on its command line, and no others
MODE Sets the transfer mode (Stream, Block, or Compressed)
NLIST Returns a list of file names in a specified directory
NOOP No operation (dummy packet; used mostly on keepalives)
OPTS Select options for a feature
PASS Authentication password
PASV Enter passive mode
PBSZ Protection Buffer Size
PORT Specifies the port to which the server should connect
PROT Data Channel Protection Level
PWD Print working directory Returns the current directory of the host
QUIT Disconnect
REIN Re initializes the connection
REST Restart transfer from the specified point
RETR Transfer a copy of the file
RMD Remove a directory
RNFR Rename from
RNTO Rename to
SENT File was sent (downloaded).
SITE Sends site specific commands to remote server
SIZE Return the size of a file
SMNT Mount file structure
SSCN Set secured client negotiation
SSH_DISCONNECT SFTP (SSH) client connection was closed (reason is provided in the log entry).
STAT Returns the status
STOR Accept the data and to store the data as a file at the server site
STOU Store file uniquely
STRU Set file transfer structure
SYST Return system type
TYPE Sets the transfer mode
USER Authentication username
WEBSERVICE Web Service was invoked.
XCRC Compute CRC32 checksum on specified file

cs-uri-stem

Stem portion of URI

/Test+File+1.txt

cs-uri-query

Query portion of URI

-

sc-status

Status code

226 (Closing data connection. Requested file action successful.)

sc-bytes

The number of bytes that the server sent to the client.

541

cs-bytes

The number of bytes that the client sent to the server.

54

s-name

 

-

s-port

Server port

22

 

icon_info.gif

For information about log file formatting, refer to http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/be22e074-72f8-46da-bb7e-e27877c85bca.mspx?mfr=true

To specify log settings

  1. In the administration interface, connect to EFT Server and click the Server tab.

  2. In the left pane, click the Server node.

  3. In the right pane, click the Logs tab.

    illust_logfilesettings_w3c.png

  4. In the Log File Settings area, in the Folder in which to save log files box, type the path to the directory in which to save this Server's log files. To browse for a path, click the folder icon icon_open.gif.

    icon_info.gif

    By default, log files are saved in the EFT Server data directory in the Log folder (e.g., C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server Enterprise\Logs). On Windows 2008, Application Data files for all users are in a hidden folder named %systemroot%\ProgramData instead of under Documents and Settings\All Users\Application Data.

  5. In the Log file format list, click W3C Extended, Microsoft IIS, NCSA Common, or No Logging.

    icon_info.gif

    Changing the log file format disconnects all active users. It is recommended to stop all Sites or wait until all users are inactive before changing the log file format.

    The W3C format records all times in GMT (Greenwich Mean Time).

  6. In the Log type list, click Standard or Verbose. (Verbose provides more details, but makes larger files.)

  7. In the Rotate Log File area, specify Never, Daily, Weekly, or Monthly.

  8. Click Apply to save the changes on EFT Server.

  9. Stop and restart EFT Server.

    icon_info.gif

    Logs are not written to disk in real time. As events occur, EFT Server buffers those events in real time and then flushes (writes) them to file after either a) 60 lines are available or b) 32kb of log data is received in 1 second or less.

 

icon_info.gif

For information about the Audit Database Settings, refer to Auditing Database Errors and Logging.