Sheriff CSM™
ProFTPD
When you configure ProFTPD to send log data to Sheriff CSM, you can use the ProFTPD plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
Plugin Information
Device | Details |
Vendor | ProFTPD |
Device Type | FTP Server |
Connection Type | Syslog |
Data Source Name | Proftpd |
Data Source ID | 1888 |
Integrating ProFTPD
Before you configure the ProFTPD integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy).
To configure ProFTPD to send Syslog messages to Sheriff CSM
By default, ProFTPD will capture FTP server log messages via syslog(3), using the daemon facility (and auth is also used for some logging). Log levels include: err, notice, warn, info, and debug. The location of the FTP server's log files is determined by your /etc/syslog.conf configuration.
Note: You can fine-tune ProFTPD syslog-based logging via the SyslogFacility and SyslogLevel directives. See the vendor log level documentation for more details on these settings.
Transfer logs (xferlogs) are not automatically sent to syslog, but you can add an ExtendedLog directive to include those messages. For example:
LogFormat xfer "%h %l %u %t\"%r\" %s %b"
ExtendedLog syslog:notice xfer
You also need to tell your syslog server to send log output to Sheriff CSM rather than only writing it to a log file.
The normal Linux syslog command uses the /etc/syslog.conf file (or similar) to configure how syslog streams operate. Since the Apache error log uses syslog-standard severity ratings, you can specify standard syslog configuration file settings to split syslog output into separate files based on severity.
To send log entries to the Sheriff CSM Sensor, include the following configuration file statements:
if $programname == 'proftpd' then @<Sheriff CSM_IP_address>
& stop
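The following Python example is added here and is not part of the Sheriff CSM plugin or of ProFTPD. It parses forwarded syslog lines that carry the xfer LogFormat shown above, so you can confirm the messages reaching the Sensor have the expected fields, and it counts 530 replies per client. The sample lines, the bracketed %t timestamp layout and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message body written by: LogFormat xfer "%h %l %u %t\"%r\" %s %b"
# \s* after the timestamp tolerates the missing space between %t and \"%r\".
XFER_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\]\s*'            # assumed %t layout: [dd/Mon/yyyy:HH:MM:SS +zzzz]
    r'"(?P<command>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}|-) (?P<bytes>\d+|-)\s*$'
)
# Syslog tag "proftpd" with optional [pid]; this is the program name
# the forwarding rule above filters on.
TAG_RE = re.compile(r'\bproftpd(?:\[(?P<pid>\d+)\])?:\s*')


def parse_xfer(line):
    """Return normalized fields for one xfer line, or None if it does not match."""
    tag = TAG_RE.search(line)
    if not tag:
        return None
    m = XFER_RE.match(line, tag.end())
    if not m:
        return None  # a proftpd message, but not in the xfer format
    ev = m.groupdict()
    ev["pid"] = int(tag.group("pid")) if tag.group("pid") else None
    verb, _, arg = ev.pop("command").partition(" ")
    ev["verb"], ev["arg"] = verb.upper(), arg
    ev["status"] = None if ev["status"] == "-" else int(ev["status"])
    ev["bytes"] = None if ev["bytes"] == "-" else int(ev["bytes"])
    return ev


def failed_logins(lines):
    """Count FTP 530 (not logged in) replies per client host."""
    events = filter(None, map(parse_xfer, lines))
    return Counter(e["host"] for e in events if e["status"] == 530)


# Constructed sample lines (documentation address ranges), not real log data.
SAMPLES = [
    'Mar  3 12:00:01 ftp01 proftpd[2310]: 192.0.2.10 - alice [03/Mar/2024:12:00:01 +0000]"RETR report.pdf" 226 48213',
    'Mar  3 12:00:07 ftp01 proftpd[2311]: 198.51.100.7 - - [03/Mar/2024:12:00:07 +0000]"USER admin" 331 -',
    'Mar  3 12:00:08 ftp01 proftpd[2311]: 198.51.100.7 - - [03/Mar/2024:12:00:08 +0000]"PASS (hidden)" 530 -',
    'Mar  3 12:00:09 ftp01 proftpd[2311]: ftp01 - FTP session closed.',
    'Mar  3 12:00:10 ftp01 sshd[999]: Accepted publickey for bob',
]
```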
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
http://www.proftpd.org/docs/howto/LogLevels.html
http://www.proftpd.org/docs/howto/Logging.html
For troubleshooting, refer to the vendor documentation:
http://www.proftpd.org/docs/faq/linked/faq-ch4.html