Up
Previous Next

Sheriff CSMâ„¢

ProFTPD

When you configure ProFTPD to send log data to Sheriff CSM, you can use the ProFTPD plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

DeviceDetails
Vendor ProFTPD
Device Type FTP Server
Connection Type Syslog
Data Source Name Proftpd
Data Source ID 1888

Integrating ProFTPD

Before you configure the ProFTPD integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy).

To configure ProFTPD to send Syslog messages to Sheriff CSM

By default, ProFTPD will capture FTP server log messages via syslog(3), using the daemon facility (and auth is also used for some logging). Log levels include: err, notice, warn, info, and debug. The location of the FTP server's log files is determined by your /etc/syslog.conf configuration.

Note: You can fine-tune ProFTPD syslog-based logging via the SyslogFacility and SyslogLevel directives. See the vendor log level documentation for more details on these settings.

Transfer logs (xferlogs) are not automatically sent to syslog, but you can include an ExtendedSyslog directive to include those messages. For example: 

LogFormat xfer "%h %l %u %t\"%r\" %s %b"
ExtendedLog syslog:notice xfer

You also need to tell your syslog server to send log output to Sheriff CSM; to write log output to a log file.

The normal Linux syslog command uses the /etc/syslog.conf file (or similar) to configure how syslog streams operate. Since the Apache error log uses syslog-standard severity ratings, you can specify standard syslog configuration file settings to split syslog output into separate files based on severity.

To send log entries to the Sheriff CSM Sensor, include the following configuration file statements: 

if $programname == 'proftpd' then @<Sheriff CSM_IP_address>
& stop

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

http://www.proftpd.org/docs/howto/LogLevels.html

http://www.proftpd.org/docs/howto/Logging.html

For troubleshooting, refer to the vendor documentation:

http://www.proftpd.org/docs/faq/linked/faq-ch4.html

This topic: Sheriff > UserGuides > SheriffCSMDocumentation > DeploymentGuide > PluginManagement > ConfigureLogForwardingOnCommonlyUsedDataSources > ProFTPD
Topic revision: 30 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.