
9. Logging and Auditing

All possible log messages, with their exact wording, have been collected and listed in the file SYSLOG, which is part of the FTP-Proxy distribution. You can find it in the ftp-proxy subdirectory. Use that file, not this chapter, when you write patterns for a log scanner.

The FTP-Proxy logs can be sent to a file, to a pipe, or to the syslogd(8) daemon for further evaluation and handling. It is strongly recommended to use syslog, because it is the only one of the three that forwards messages to another machine as they are generated; a file or a pipe exists only on the proxy host itself.

This off-host logging is especially important for FTP-Proxy servers located in exposed areas, like the Demilitarized Zone of a firewall. Anything that is stored on the computer itself can easily be manipulated in the case of a hostile takeover, and when the auditor stops by on the weekly audit tour, all traces have long since been wiped out. Messages that have already left the host are beyond the intruder's reach; the intruder can only stop further forwarding, which is itself a gap worth alerting on.

In order to implement remote logging, the syslog.conf(5) file has to include an entry for the selected facility whose target starts with the character '@' followed by the DNS name or IP address of the external log host. This loghost should not be part of the DMZ, but be located on the intranet or on a dedicated administration network. The UDP syslog traffic (port 514) is then allowed to pass through the internal firewall router, ideally only from the proxy host to the loghost and in that direction only. Note that the syslogd on the log host usually has to be started with the "-r" option to enable the reception of logging information from another machine; this applies to the classic sysklogd, other syslog implementations enable network reception in their own configuration. Keep in mind that UDP syslog is neither authenticated nor encrypted and gives no delivery guarantee, so the loghost should accept messages only from the expected source addresses.
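The following syslog.conf fragment is an added example, not part of the FTP-Proxy distribution. It assumes the proxy has been configured to log to the local3 facility and that the internal loghost is reachable as loghost.admin.example; both names are assumptions and have to be replaced by your own values.

```conf
# /etc/syslog.conf on the DMZ proxy host (added example; facility and
# host name are assumptions, not settings taken from the FTP-Proxy docs)

# Keep a local copy of WARNING and above for quick checks on the box.
# Do not rely on it: after a compromise it is the first thing to go.
local3.warning        /var/log/ftp-proxy.log

# Ship everything from the proxy facility to the internal loghost as it
# is generated: classic sysklogd syntax, '@' target, UDP port 514.
local3.*              @loghost.admin.example
```

On the loghost, the classic sysklogd must run with "-r" to accept remote messages, and the internal firewall should permit UDP/514 only from the proxy host to the loghost. Because the local file is at most a convenience copy, the rule that matters for the audit trail is the '@' line.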

The FTP-Proxy syslog messages have been created in a way that should ease the task of scanning and evaluating. Each message contains a tag that can easily be recognized. It consists of a prefix that is either TECH or USER, followed by a hyphen and one of DBG, INF, WRN, ERR, or FTL.

Using the LogLevel configuration option, you can suppress message levels that are not of interest to you. For example,

    LogLevel  WRN

will skip all DBG and INF messages and log only messages at the WRN, ERR and FTL levels. The default level is INF, so no DBG messages are logged unless you lower the level explicitly.

The possible combinations can be interpreted as follows:

TECH-DBG
Messages with this tag carry technical information useful for diagnostic purposes, with no need to react to them.

TECH-INF
Messages with this tag carry some technical information with no need to react to them. They might display the contents of the configuration file or the start or stop of the program. These messages are generated with the INFO syslog severity.

TECH-WRN
Messages with this tag indicate a mild technical problem or inconsistency. E.g. a configuration variable with no value given or a temporary resource shortage would be reported in this context. An FTP server closing a connection without being instructed to by the client or the proxy also generates this kind of message. These messages are generated with the WARNING syslog severity.

TECH-ERR
Messages with this tag usually mean a severe error condition that will lead to the termination of the emitting process. Problems that fall under this category include the inability to open the configuration file, failures in the internal security handling, network problems like ports already in use by other processes, input/output errors or other communication faults. It is strongly advised that all such messages be investigated and that further action is taken. These messages are generated with the ERROR syslog severity.

TECH-FTL
Messages with this tag should be very rare. They are reserved for unexpected internal states that reveal bugs in the FTP-Proxy code itself. Please report any such occurrence to the Proxy-Suite development team, since it requires the programmer's attention. These messages are generated with the CRIT syslog severity.

USER-DBG
Messages with this tag are currently not being used.

USER-INF
Messages with this tag will be the majority of all messages. They are generated for all regular user actions like logging in, sending commands and transfer statistics. Their main purpose is to provide a complete audit trail for every user interaction. These messages are generated with the INFO syslog severity.

USER-WRN
Messages with this tag indicate some sort of unforeseen user action, but need not be taken too seriously. Only if there is a pattern of regular or frequent messages of this kind, you might want to look a bit closer. These messages are generated with the WARNING syslog severity.

USER-ERR
Messages with this tag mean that the user has been rejected. Currently no other message has been defined with this tag, although this might be changed in the future. These messages are generated with the ERROR syslog severity.

USER-FTL
Messages with this tag are currently not being used.
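The tag scheme and the LogLevel threshold described above are simple enough to process automatically on the loghost. The script below is an added example, not code from the FTP-Proxy distribution: it extracts the TECH-/USER- tag from syslog lines, applies the same threshold semantics as the LogLevel option, counts rejections (USER-ERR) per source address, and picks out the TECH-ERR and TECH-FTL messages that the text says must be investigated or reported. The sample lines are constructed for illustration; the position of the tag and the message wording are assumptions, so take the real patterns from the SYSLOG file.

```python
"""
Added example (not part of the FTP-Proxy distribution): scan syslog lines
for the TECH-/USER- tags described in this chapter.

Assumptions: the tag (e.g. "USER-INF") appears in the message text after
the syslog header; the sample lines below are constructed and are not the
exact wording from the SYSLOG file.
"""
import re
from collections import Counter

# Levels in ascending order of importance, as used by the LogLevel option.
LEVELS = ["DBG", "INF", "WRN", "ERR", "FTL"]
LEVEL_RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Syslog severity named on the page for each level. The page does not state
# the severity of DBG messages; DEBUG is an assumption.
SEVERITY = {"DBG": "DEBUG", "INF": "INFO", "WRN": "WARNING",
            "ERR": "ERROR", "FTL": "CRIT"}

TAG_RE = re.compile(r"\b(TECH|USER)-(DBG|INF|WRN|ERR|FTL)\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample input in classic syslog file format (not real output).
SAMPLE_LOG = """\
Jan  5 10:12:01 dmz-ftp ftp-proxy[2311]: TECH-INF: ftp-proxy started
Jan  5 10:12:05 dmz-ftp ftp-proxy[2311]: TECH-DBG: reading configuration section 'default'
Jan  5 10:13:17 dmz-ftp ftp-proxy[2320]: USER-INF: login attempt user 'alice' from 203.0.113.5
Jan  5 10:13:21 dmz-ftp ftp-proxy[2320]: USER-ERR: user 'alice' from 203.0.113.5 rejected
Jan  5 10:13:40 dmz-ftp ftp-proxy[2321]: USER-ERR: user 'bob' from 203.0.113.5 rejected
Jan  5 10:14:02 dmz-ftp ftp-proxy[2322]: USER-WRN: unexpected command 'SITE EXEC' from 198.51.100.7
Jan  5 10:15:00 dmz-ftp ftp-proxy[2311]: TECH-ERR: cannot bind port 21: Address already in use
Jan  5 10:15:00 dmz-ftp cron[700]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line):
    """Return (prefix, level, message) for an FTP-Proxy line, else None."""
    m = TAG_RE.search(line)
    if not m:
        return None                      # not an FTP-Proxy message
    body = line[m.end():].lstrip(": ").strip()
    return m.group(1), m.group(2), body


def filter_by_loglevel(lines, loglevel="INF"):
    """Apply LogLevel semantics: keep messages at or above the threshold."""
    threshold = LEVEL_RANK[loglevel]
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and LEVEL_RANK[parsed[1]] >= threshold:
            kept.append(parsed)
    return kept


def count_by_tag(lines):
    """Histogram of full tags, useful for spotting a pattern of USER-WRN."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[f"{parsed[0]}-{parsed[1]}"] += 1
    return counts


def rejections_per_source(lines):
    """USER-ERR means a rejected user; group by the first IPv4 in the text."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == "USER" and parsed[1] == "ERR":
            m = IP_RE.search(parsed[2])
            counts[m.group(1) if m else "unknown"] += 1
    return counts


def needs_attention(lines):
    """TECH-ERR must be investigated, TECH-FTL reported to the developers."""
    return [p for p in (parse_line(l) for l in lines)
            if p and p[0] == "TECH" and p[1] in ("ERR", "FTL")]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for prefix, level, body in filter_by_loglevel(lines, "WRN"):
        print(f"{prefix}-{level} [{SEVERITY[level]}] {body}")
    print("rejections:", dict(rejections_per_source(lines)))
    print("attention:", needs_attention(lines))
```

Run against the real loghost file, the rejection counter is the natural input for a threshold alert (many USER-ERR from one address), and an empty stream of TECH-INF start/stop messages over a period when the proxy should have been running is the sign that forwarding has been silenced.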

