EFT Client Activity Log

To monitor EFT client activity, you can reference EFT’s log files, including registration state of modules, server/site functions, SFTP, SSL/TLS connections, and of course, errors and warnings.

• The EFT client activity log, also known as "TED6" logs, is used to log client connection information (event rules and outbound transfers), client commands/requests, remote server responses, and status messages.

• EFT client log files are saved in the C:\ProgramData\Globalscape\EFT Server\Logs\ folder.

The EFT client activity (TED6) logs are available as W3C, Microsoft IIS, and NCSA log file formats. Depending on the log file format selected in administration interface Server > Logs tab, a 2-letter abbreviation is prepended to the filename, as described in the table below. The information in the file is the same; it's just in a different file format to accommodate different (external) log readers. Server events are logged to a file named [log file format]yymmdd.log, where YY, MM, and DD indicate the numeric year, month, and day respectively.

For example, a log file in the Microsoft IIS format created on August 22, 2024 is named in240822.log.

Log File Format	Abbreviation
W3C	ex
NCSA	nc
Microsoft IIS	in

When using HA, you need to specify a unique location (local) on each node for the log files. This is for troubleshooting purposes (to know on which node an issue occurred). Also, having two nodes write to the same file causes issues with file locking, which will cause data in the logs to be lost.

To specify EFT activity log settings

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node.

3. In the right pane, click the Logs tab.

   

4. In the Log File Settings area, in the Folder in which to save log files box, type the path to the directory in which to save this Server's log files. To browse for a path, click the folder icon .

5. In the Log file format list, click W3C Extended, Microsoft IIS, NCSA Common, or No Logging. Changing the log file format disconnects all active users. It is recommended to stop all Sites or wait until all users are inactive before changing the log file format. The W3C format records all times in GMT (Greenwich Mean Time).

6. Clear the Encode logs in UTF-8 check box if you do not want to encode logs in UTF-8 format. When the check box is cleared, the u_ex*.log file is named ex*.log.

   From Microsoft TechNet:

   When using the UTF-8 logging feature, note the following:

   • A log file logged in UTF-8 does not contain a Byte Order Mark (BOM). File editors use this mark to identify text as UTF-8 text. Therefore, if you attempt to open a log file that is logged in UTF-8 in Notepad by double-clicking the file or by using the Open With option, the file might not display correctly. To open the file in a way that displays it correctly, use the Open command on the File menu and then select UTF-8 in the Encoding box.

   • UTF-8 is a double-byte character-set standard. ASCII is a single-byte character-set standard. Because of this disparity, logging UTF-8 information to an ASCII file causes a ? to be logged for the characters that cannot be converted to the code page of the server.

7. In the Log type list, click Standard or Verbose. (Verbose provides more details, but makes larger files.)

8. In the Rotate Log File area, specify Never, Daily, Weekly, or Monthly.

9. Click Apply to save the changes on EFT.

10. Stop and restart EFT.

Log Example

Below is an example of an ex-formatted log:

#Version: 1.0
#Software: CuteLogger
#Date: 2010-04-08 20:07:50
#Fields: date time c-ip c-port cs-username cs-method 
cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes s-name s-port
2010-04-08 20:07:07 192.168.241.1 - test [1]user test - 331 - - - 22
2010-04-08 20:07:07 192.168.241.1 - test [1]pass ******* - 230 - - - 22
2010-04-08 20:07:16 192.168.241.1 - test [1]created /Test+File+1.txt - 226 - 54 - 22
2010-04-08 20:08:23 192.168.241.1 - test [1]rnfr /Test+File+1.txt - 350 - - - 22
2010-04-08 20:08:23 192.168.241.1 - test [1]rnto /Test+File+2.txt - 250 - - - 22
2010-04-08 20:08:26 192.168.241.1 - test [1]sent /Test+File+2.txt - 226 - 54 - 22
2010-04-08 20:10:02 192.168.241.1 - test [1]dele /Test+File+2.txt - 250 - - - 22
2010-04-08 20:10:08 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22
2010-04-08 20:10:09 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22
2010-04-08 20:11:57 192.168.241.1 - test [2]user test - 331 - - - 990
2010-04-08 20:11:57 192.168.241.1 - test [2]pass ****** - 230 - - - 990
2010-04-08 20:12:04 192.168.241.1 - test [2]created /Test+File+1.txt - 226 - 54 - 990
2010-04-08 20:12:16 192.168.241.1 - test [2]rnfr /Test+File+1.txt - 350 - - - 990
2010-04-08 20:12:16 192.168.241.1 - test [2]rnto /Test+File+2.txt - 250 - - - 990
2010-04-08 20:12:28 192.168.241.1 - test [2]rnfr /Test+File+2.txt - 350 - - - 990
2010-04-08 20:12:28 192.168.241.1 - test [2]rnto /Test+File+3.txt - 250 - - - 990
2010-04-08 20:12:31 192.168.241.1 - test [2]sent /Test+File+3.txt - 226 122 - - 990

The log can be read as described below:

Field	Description	Example
(Each field in the log has either a value (for example, date) or a dash (-) if no value was sent for that field.)
date	Date log was recorded	2010-04-08
time	Time log was recorded	20:07:16
c-ip	Client IP address	192.168.241.1
c-port	Client port	21
cs-username	Username	test
cs-method	Method (Command Sent)	ABOR Abort an active file transfer ACCT Account information ALLO Allocate sufficient disk space to receive a file APPE Append AUTH Authentication/Security Mechanism CCC Clear Command Channel CDUP Change to Parent Directory CHANGEPASSWORD Change the password CLIENTCERT Client SSL certificate was rejected (reason is provided in the log entry). COMB Combines file segments into a single file on EFT. CREATED File was created (uploaded). CWD Change working directory DELE Delete file EPRT Specifies an extended address and port to which the server should connect EPSV Enter extended passive mode FEAT Get the feature list implemented by the server HELP Display a list of all available FTP commands KICK Client connection was closed by administrator. LIST Returns information of a file or directory if specified, else information of the current working directory is returned MDTM Return the last-modified time of a specified file MKD Make directory MLSD Lists the contents of a directory if a directory is named MLST Provides data about exactly the object named on its command line, and no others MODE Sets the transfer mode (Stream, Block, or Compressed) NLIST Returns a list of file names in a specified directory NOOP No operation (dummy packet; used mostly on keepalives) OPTS Select options for a feature PASS Authentication password PASV Enter passive mode PBSZ Protection Buffer Size PORT Specifies the port to which the server should connect PROT Data Channel Protection Level PWD Print working directory Returns the current directory of the host QUIT Disconnect REIN Re initializes the connection REST Restart transfer from the specified point RETR Transfer a copy of the file RMD Remove a directory RNFR Rename from RNTO Rename to SENT File was sent (downloaded). SITE Sends site specific commands to remote server SIZE Return the size of a file SMNT Mount file structure SSCN Set secured client negotiation SSH_DISCONNECT SFTP (SSH) client connection was closed (reason is provided in the log entry). STAT Returns the status STOR Accept the data and to store the data as a file at the server site STOU Store file uniquely STRU Set file transfer structure SYST Return system type TYPE Sets the transfer mode USER Authentication username WEBSERVICE Web Service was invoked. XCRC Compute CRC32 checksum on specified file
cs-uri-stem	Stem portion of URI	/Test+File+1.txt
cs-uri-query	Query portion of URI	-
sc-status	Status code	226 (Closing data connection. Requested file action successful.)
sc-bytes	The number of bytes that the server sent to the client.	541
cs-bytes	The number of bytes that the client sent to the server.	54
s-name		-
s-port	Server port	22