
I have a Proftpd v1.3.2 server, and I need to send every log (system logs + auth logs + xferlogs) to a remote syslog server. It works fine for system + auth logs. But even if "TransferLog" was removed from the configuration file, Proftpd keeps opening /var/log/xferlog to log transfers (I checked with lsof), and sends nothing to the syslog server (I checked with tcpdump).

How can I tell proftpd to send xferlogs to a remote syslog server?

Castaglia
klipz

2 Answers


OK, I found a solution: using a FIFO. In /etc/proftpd/proftpd.conf:

#SystemLog   /var/log/proftpd/proftpd.log
#ControlsLog /var/log/proftpd/controls.log
TransferLog /var/log/xferlog.fifo

Then:

mknod  /var/log/xferlog.fifo p
chmod 666 /var/log/xferlog.fifo

And a Perl script like this one (inspired by several found on the web), listening on the other side of the FIFO:

#!/usr/bin/perl -w

use strict;
use Sys::Syslog qw(:DEFAULT setlogsock);

$|=1;
my $fifo_file = "/var/log/xferlog.fifo";
my $syslog_facility = 'daemon';
my $syslog_level = 'info';
my $program = "xfer_ftp";

# (re)create the FIFO if something other than a named pipe sits at that path
unless (-p $fifo_file)
{
  unlink $fifo_file;
  system('mknod', $fifo_file, 'p')  && die "can't mknod $fifo_file: $!";
  system('chmod', '666', $fifo_file)  && die "can't chmod $fifo_file: $!";
}

# open read/write so this reader does not hit EOF every time proftpd closes its end
my $fifo_fh;
open($fifo_fh, "+<", $fifo_file) or die "The FIFO file \"$fifo_file\" is missing, and this program can't run without it: $!";

setlogsock 'unix';
openlog($program, 'pid', $syslog_facility);

# just keep reading from the fifo and processing the events we read
while (<$fifo_fh>) {
    chomp;
    # pass the line as an argument, never as the format string: a '%' in a
    # transferred file name would otherwise be interpreted by syslog()
    syslog($syslog_level, '%s', $_);
}

closelog();

# should never really come down here ...
close $fifo_fh;
exit(0);

If you have a cleaner solution... :-)

klipz
  • lol, was just about to suggest that as an alternative solution. Setting SyslogFacility DAEMON should log to syslog but doesn't show what files were transferred, from my long-ago use of proftpd. – George Vieira Jun 18 '11 at 05:36

You are probably using the standard rsyslog. I would suggest looking at syslog-ng, with which you can control your logs in great detail.

Here is an example I use for my remote logging. The great thing too is you can use TCP to tunnel your logs, which is a little more complicated but shows the flexibility.

Filters can control what to pull out of the log if you don't want it, or filter certain types to certain files. The example below logs everything normally into a dated format but sends a copy remotely.

Hope this helps.

@version: 3.0
#First, set some global options.
options {
    long_hostnames(off);
    flush_lines(0);
    use_dns(no);
    use_fqdn(no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(0);
    bad_hostname("^gconfd$");
    keep_hostname(yes);
    check_hostname(yes);
};

source inputs {
    file("/proc/kmsg" program_override("kernel: "));
    unix-stream("/dev/log");
    internal();
    udp();
    tcp(max_connections(100));
};

destination remote {
    udp("remotesyslog.serversomewhere.com" port(514));
};

destination logpile {
    file("/var/log/eit/$YEAR-$MONTH-$DAY/$FACILITY"
        owner(root) group(root) perm(0600)
        create_dirs(yes) dir_perm(0700));
};

log {
    source(inputs);
    destination(logpile);
    destination(remote);
};
George Vieira
  • Thanks for your answer. I use a local rsyslogd (with `*.* @@remote-ip`), but the remote syslog server is a syslog-ng, listening on the network (TCP) and with customized filtering rules. The problem comes from proftpd, which writes directly to /var/log/xferlog (as lsof shows) and not to syslog – klipz May 04 '11 at 12:53