Pure-ftpd not logging the logins anymore

Richard G

Richard G

Verified User
Joined
Jul 6, 2008
Messages
13,890
Location
Maastricht
I've just discovered that on all servers, my pure-ftpd is not logging to /var/log/pureftpd.log anymore.

I made the change to /etc/rsyslog.conf as described here by explosive:
http://forum.directadmin.com/showthread.php?t=43363

Code: 
#add ftp.none
*.info;mail.none;authpriv.none;cron.none;ftp.none                /var/log/messages

# add FTP
ftp.*                                                   /var/log/pureftpd.log

This never worked on a newly installed server which was installed after january 12th. And it the last log on an older server is from january 12th.
So something is changed since around january 12th which caused the logging to be stopped.

Pureftpd is working and this is the startup script I use:
LOG=/var/log/pureftpd.log
DB=/etc/pureftpd.pdb
OPTIONS="-B -A -C 15 -E -H -k 95 -L 10000:8 stats:${LOG} -l puredb:${DB} -O xferlog:/var/log/pureftp-xferlog -p 35000:35999 -u 100 -U 133:022 -w -Z"
OPTIONS="${OPTIONS} -Y 1 -J HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"
Click to expand...

How can I get the pureftpd.log back working again?

P.s. I'm using custombuild 1.2 and no I'm not going to update to 2.0 for the time being.
 
Last edited:
Hello,

That does look like what we have here:
http://files.directadmin.com/services/custombuild/pure-ftpd
Code: 
[COLOR=#000000]LOG=/var/log/pureftpd.log
[/COLOR][COLOR=#000000]DB=/etc/pureftpd.pdb[/COLOR]OPTIONS="-B -A -C 15 -E -H -k 99 -L 10000:8 -O stats:${LOG} -l puredb:${DB} -p 35000:35999 -u 100 -U 133:022 -w -Z"
OPTIONS="${OPTIONS} -Y 1 -J HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"

However... I have a feeling that your changes to the rsyslog would be causing the issue..

Pureftpd probably writes directly to the log.. not to syslog.
This means that pureftpd and syslogd would be fighting for write to the file.
Remove the ftp.* line from the rsyslog.conf.. or change it to use a different log, like /var/log/pureftpd.sys.log.
Restart both syslogd and pureftpd.
Then see which log is being filled for file transfers.

John
 
I don't think they are fighting. With this setup it worked fine until january 12th, then the last pureftpd.log was created.

I made the changes because I wanted to have seperate authentication and transfer logs.
The transfer log is still working. All transfers are put to /var/log/pureftp-xferlog every day.

It's only the pureftpd.log which should contain the login/logout and authentication messages, which is not logging anymore.

Remove the ftp.* line from the rsyslog.conf.. or change it to use a different log, like /var/log/pureftpd.sys.log.
Click to expand...
Definately something wrong with pure-ftpd's logfile since the 12th. When I change this, now authentication is logged to /var/log/pureftpd.sys.log but still no pureftpd.log from pure-ftpd itself present.

When I remove the ftp.* line, no authentication logging is done at all anymore, unless I also remove the ftp.none part, then authentication logs are again made to /var/log/messages instead of /var/log/pureftpd.log so there is definately something wrong since the 12th.
 
Oke I removed the change made so xfers were logged seperately.
Now pureftpd.log is created again but only xfers are logged. Strange though that it has been working without like this until the 12th.

I would like to have authentication and transfers logged seperately, so I still don't understand why the system is not using pureftpd.log anymore for this as was before, but I will change the logfile name in rsyslog.conf to get it fixed.
 
Checking the "man pure-ftpd", it reads as follow:
Code: 
       -O format:log file              Record all file transfers into a specific log file, in an alternative format. Currently, three formats are supported : CLF, Stats, W3C
              and xferlog.
              If you add
              -O clf:/var/log/pureftpd.log
              to  your  starting  options,  Pure-FTPd  will  log  transfers in /var/log/pureftpd.log in a format similar to the Apache web server in
              default configuration.
              If you add
              -O stats:/var/log/pureftpd.log
              to your starting options, Pure-FTPd will create accurate log files designed for traffic analys software like ftpStats.
              If you add
              -O w3c:/var/log/pureftpd.log
              to your starting options, Pure-FTPd will create W3C-conformant log files.
              For security purposes, the path must be absolute (eg.  /var/log/pureftpd.log, not  ../log/pureftpd.log).
and your original post, I see this line, and I didn't catch the important bits the first time round:
Code: 
[COLOR=#333333][I]OPTIONS="-B -A -C 15 -E -H -k 95 -L 10000:8 stats:${LOG} -l puredb:${DB} -O xferlog:/var/log/pureftp-xferlog -p 35000:35999 -u 100 -U 133:022 -w -Z"[/I][/COLOR]
where I'm not seeing the -O option in front of the "stats:${LOG}".. so that might be all that was missing. Try adding the -O before "stats:" to see if that does it. (not 100% sure that you can have multiple -O options, but I would certainly hope so in regards to being able to log to multiple files for various reasons.)

John
 
You are correct, I removed the -O to test if that would make any difference, but it didn't. Unfortunately I posted the line here without the -O. But in fact I've got the -O back in place already before the stats:${LOG}.

The strange thing though is that it worked before. As you can see from the first link I posted, that advise was given by Explosive and I used for a longer period.
Next to that, the -O flag is used for the alt-log and pureftpd isn't even compiled with the --with-altlog flag by default.
Because I got the tip for using --with-altlog during compilation from you here:
http://forum.directadmin.com/showthread.php?t=43663
So it's already funny that the -O stats:${LOG} could be used because that is an altlog.:) Maye that's a pure-ftpd bug.

However I know how I can fix this now.
I'm still going the use the rsyslog but just use a different filename for authentication and have CSF/LFD look in there and let pure-ftpd use /var/log/pureftpd.log for transfers so DA can doe the bandwith couting again.
 
For anyone reading this thread searching for a way to find out how to get transfers and logins from PureFTPD split into two different files: please ignore most of what is mentioned in this, and linked threads. It will save you a lot of time, because there's a lot of misinformation here.

The topic starter shows an init script with two -O options in it (well, in fact he accidentally left out one -O, but he clears that up later). Two -O options will not work. The reason he initially got split log files working is not because of the two -O options.

As the PureFTPD docs mention, all messages go to the default syslog daemon, and (by default) will log all messages to the default system log file (e.g. for CentOS: /var/log/messages). This is not what you'd generally want. The PureFTPD FAQ mentions how to easily change that:

Code: 
Log messages are sent to the syslog daemon. The syslog daemon is often
called syslogd or syslog-ng. He's in charge of dispatching logging events
from various programs to log files, according to a "facility" (category) and
a "priority" (urgency: debug, info, warning, error, critical...) .

Pure-FTPd logging messages are send with the "ftp" facility by default (or
"local2" on some older systems without the "ftp" facility) . Unless you told
the syslogd to redirect messages with the "ftp" facility to a specific file,
the messages will be merged into /var/adm/messages, /var/log/messages,
/var/adm/syslog or /var/log/syslog.

Check /etc/syslogd.conf. You should have a line like:

*.*;mail.none;news.none -/var/log/messages

just add ftp.none:

*.*;ftp.none;mail.none.news.none -/var/log/messages

And if you want FTP info go in a specific file, just add:

ftp.* /var/log/ftp

and all FTP messages will go in /var/log/ftp . And only there.

So that's step one, PureFTPD messages go into their own file now. But now you want to split out the transfers. This requires two things:

1. PureFTPD must be compiled with the --with-altlog option (/usr/local/directadmin/custombuild/configure/pureftpd/configure.pureftpd)

2. You must specify an alt log location in the PureFTPD init script
(/etc/rc.d/init.d/pure-ftpd)​


John makes things more complicated when he advises to use an option in configure.pureftpd that simply doesn't exist. Granted, he warns that he's not 100% sure about the syntax. Well, the syntax is much simpler than what John suggests: it's just --with-altlog, with no extra's (really, there are no extra's for this option).

To filter out the transfers from all other FTP messages, PureFTPD has the -O initialization option, (which, as I just explained, requires the binary to be compiled with --with-altlog).

The PureFTPD docs say:

Code: 
- '-O <format>:<log file>': Record all file transfers into a specific log
file, in an alternative format.

The emphasis here, is on all file transfers. The topic starter seems to have misunderstood this, he tried to log authentication messages with the -O option. That will never work.

Now, at the time I'm writing this (July 2015), most of the settings I mention were already in place in Custombuild 2.0. But they're set up a bit strange: the -O option uses /var/log/pureftpd.log, which suggests a "main" FTP log location, not a transfer log. I changed that to /var/log/pureftpd-transfer.log. And it's not working out of the box, because what was missing was the rsyslog redirection from the default syslog to a specific ftp log. Without that, the seperate transfer-logging will not work.

Pro tip: make sure you add the log file in which you log authentications to CSF&LFD to scan for failed logins.

UPDATE August 3 2015: Although things work perfectly after making the changes I've listed above, and after restarting rsyslogd, there does seem to be a problem when the logs get rotated. When running some tests: logging in and logging out over FTP, transferring some files, deleting some, I see two files appear: my transfer log and my regular log in which (mostly) the logins are kept. But after a while, the pureftpd.log goes missing and doesn't return anymore. I'm not sure why, but I assume it has to do with log rotation. Strangely enough, /etc/logrotate.d/pure-ftpd neatly lists the pureftpd.log file. It doesn't list the transferlog, so you may want to add it for rotation there too. Restarting rsyslog and forcing a logrotate through

Code: 
logrotate -f /etc/logrotate.conf

...shows the rotated and newly created transfer and main pureftpd.log files. This is what I'd expect, so hopefully it's working now, but it doesn't explain why the log file went missing earlier. I do notice that in the /etc/logrotate/.d/pure-ftpd configuration file, there are commands for restarting pure-ftpd after a logrotate, but they're commented out. I'm not sure why the commands are there (although I see cPanel-related articles mentioning adding those lines), and I'm not sure why they are commented out by default. I'll report back if strange things start to occur.
 
Last edited:
You must log in or register to reply here.
Back
Top