Log Format, Type, and Location

To monitor EFT activity, you can reference EFT’s log files. EFT supports W3C, Microsoft IIS, and NCSA log file formats. Server events are logged to a file named [log file format]yymmdd.log, where YY, MM, and DD indicate the numeric year, month, and day respectively. Depending on the log file format selected, a 2-letter abbreviation is prepended to the filename, as described in the table below. For example, a log file in the Microsoft IIS format created on August 22, 2007 is named in070822.log.

By default, log files are saved in the EFT data directory in the Log folder (for example, C:\ProgramData\Globalscape\EFT Server\Logs). Outbound connection information is audited in that same folder in a log named cl<date>.log.

When using HA, you need to specify a unique location (local) for the log files. This is for troubleshooting purposes (to know what node an issue occurred on). Also, having two nodes write to the same file causes issues with file locking, which will cause data in the logs to be lost.

To specify log settings

  1. In the administration interface, connect to EFT and click the Server tab.

  2. On the Server tab, click the Server node.

  3. In the right pane, click the Logs tab.

  4. In the Log File Settings area, in the Folder in which to save log files box, type the path to the directory in which to save this Server's log files. To browse for a path, click the folder icon .

  5. In the Log file format list, click W3C Extended, Microsoft IIS, NCSA Common, or No Logging. Changing the log file format disconnects all active users. It is recommended to stop all Sites or wait until all users are inactive before changing the log file format. The W3C format records all times in GMT (Greenwich Mean Time).

  6. Clear the Encode logs in UTF-8 check box if you do not want to encode logs in UTF-8 format. When the check box is cleared, the u_ex*.log file is named ex*.log.

    • From Microsoft TechNet:

      • When using the UTF-8 logging feature, note the following:

        • A log file logged in UTF-8 does not contain a Byte Order Mark (BOM). File editors use this mark to identify text as UTF-8 text. Therefore, if you attempt to open a log file that is logged in UTF-8 in Notepad by double-clicking the file or by using the Open With option, the file might not display correctly. To open the file in a way that displays it correctly, use the Open command on the File menu and then select UTF-8 in the Encoding box.

        • UTF-8 is a double-byte character-set standard. ASCII is a single-byte character-set standard. Because of this disparity, logging UTF-8 information to an ASCII file causes a ? to be logged for the characters that cannot be converted to the code page of the server.

  7. In the Log type list, click Standard or Verbose. (Verbose provides more details, but makes larger files.)

  8. In the Rotate Log File area, specify Never, Daily, Weekly, or Monthly.

  9. Click Apply to save the changes on EFT.

  10. Stop and restart EFT.

For information about the Audit Database Settings, refer to Auditing Database Errors and Logging.

Log File Format Abbreviation
W3C ex
NCSA nc
Microsoft IIS in

Log Example

Below is an example of an ex-formatted log:

Copy 
#Version: 1.0
#Software: CuteLogger
#Date: 2010-04-08 20:07:50
#Fields: date time c-ip c-port cs-username cs-method 
cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes s-name s-port
2010-04-08 20:07:07 192.168.241.1 - test [1]user test - 331 - - - 22
2010-04-08 20:07:07 192.168.241.1 - test [1]pass ******* - 230 - - - 22
2010-04-08 20:07:16 192.168.241.1 - test [1]created /Test+File+1.txt - 226 - 54 - 22
2010-04-08 20:08:23 192.168.241.1 - test [1]rnfr /Test+File+1.txt - 350 - - - 22
2010-04-08 20:08:23 192.168.241.1 - test [1]rnto /Test+File+2.txt - 250 - - - 22
2010-04-08 20:08:26 192.168.241.1 - test [1]sent /Test+File+2.txt - 226 - 54 - 22
2010-04-08 20:10:02 192.168.241.1 - test [1]dele /Test+File+2.txt - 250 - - - 22
2010-04-08 20:10:08 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22
2010-04-08 20:10:09 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22
2010-04-08 20:11:57 192.168.241.1 - test [2]user test - 331 - - - 990
2010-04-08 20:11:57 192.168.241.1 - test [2]pass ****** - 230 - - - 990
2010-04-08 20:12:04 192.168.241.1 - test [2]created /Test+File+1.txt - 226 - 54 - 990
2010-04-08 20:12:16 192.168.241.1 - test [2]rnfr /Test+File+1.txt - 350 - - - 990
2010-04-08 20:12:16 192.168.241.1 - test [2]rnto /Test+File+2.txt - 250 - - - 990
2010-04-08 20:12:28 192.168.241.1 - test [2]rnfr /Test+File+2.txt - 350 - - - 990
2010-04-08 20:12:28 192.168.241.1 - test [2]rnto /Test+File+3.txt - 250 - - - 990
2010-04-08 20:12:31 192.168.241.1 - test [2]sent /Test+File+3.txt - 226 122 - - 990

The log can be read as described below:

NOTE: Each field in the log has either a value (for example, date) or a dash (-) if no value was sent for that field.
Field Description Example
date Date log was recorded 2010-04-08
time Time log was recorded 20:07:16
c-ip Client IP address 192.168.241.1
c-port Client port 21
cs-username Username test
cs-method Method (Command Sent) (see "cs-method examples" table below)
cs-uri-stem Stem portion of URI /Test+File+1.txt
cs-uri-query Query portion of URI -
sc-status Status code 226 (Closing data connection. Requested file action successful.)
sc-bytes The number of bytes that the server sent to the client. 541
cs-bytes The number of bytes that the client sent to the server. 54
s-name   -
s-port Server port 22

CS-Method Examples:

ABOR Abort an active file transfer.
ACCT Account information.
ALLO Allocate sufficient disk space to receive a file.
APPE Append
AUTH Authentication/ Security Mechanism.
CCC Clear Command Channel.
CDUP Change to Parent Directory.
CHANGEPASSWORD Change the password.
CLIENTCERT Client SSL certificate was rejected (reason is provided in the log entry).
COMB Combines file segments into a single file on EFT.
CREATED File was created (uploaded).
CWD Change working directory.
DELE Delete file
EPRT Specifies an extended address and port to which the server should connect.
EPSV Enter extended passive mode.
FEAT Get the feature list implemented by the server.
HELP Display a list of all available FTP commands.
KICK Client connection was closed by administrator.
LIST Returns information of a file or directory if specified, else information of the current working directory is returned.
MDTM Return the last-modified time of a specified file.
MKD Make directory.
MLSD Lists the contents of a directory if a directory is named.
MLST Provides data about exactly the object named on its command line, and no others.
MODE Sets the transfer mode (Stream, Block, or Compressed).
NLIST Returns a list of file names in a specified directory.
NOOP No operation (dummy packet; used mostly on keepalives).
OPTS Select options for a feature.
PASS Authentication password.
PASV Enter passive mode.
PBSZ Protection Buffer Size.
PORT Specifies the port to which the server should connect.
PROT Data Channel Protection Level.
PWD Print working directory Returns the current directory of the host.
QUIT Disconnect
REIN Re initializes the connection.
REST Restart transfer from the specified point.
RETR Transfer a copy of the file.
RMD Remove a directory.
RNFR Rename from
RNTO Rename to
SENT File was sent (downloaded).
SITE Sends site specific commands to remote server.
SIZE Return the size of a file.
SMNT Mount file structure.
SSCN Set secured client negotiation.
SSH_DISCONNECT SFTP (SSH) client connection was closed (reason is provided in the log entry).
STAT Returns the status.
STOR Accept the data and to store the data as a file at the server site.
STOU Store file uniquely.
STRU Set file transfer structure.
SYST Return system type.
TYPE Sets the transfer mode.
USER Authentication username
WEBSERVICE Web Service was invoked.
XCRC Compute CRC32 checksum on specified file.