rugmonster.org sys admin guides, tips and one-liners

Simple activity report from FTP xferlog

UPDATE: I found that what I originally posted was wrong and didn't work at all. I don't know how I managed to do that, but I've fixed it and it's verified as working now.

I was asked if there was a way to extract the FTP activity to be emailed to someone. The server had a typical xferlog, but the box was being used for shared hosting and the reports didn't need to include results for all of the other sites.

I put together the following script to extract the activity and transpose it to a more friendlier output.

#!/bin/bash
 
if [[ -z $1 || -z $2 ]]
then
        echo "Usage: $0 <PATTERN> <XFERLOG>"
        exit 1
fi
 
if [ ! -f $2 ]
then
        echo "Log file does not exist"
        exit 1
fi
 
awk "/$1/"' {
        gsub(" d "," deleted ");
        gsub(" o "," downloaded ");
        gsub(" i "," uploaded ");
        printf("%s %s %s %s: %s@%s - %s %s\n",$1,$2,$3,$4,$14,$7,$12,$9);
     }' "$2"

Feel free to download it here. Make sure you chmod +x xfer-report.sh before you try to use it.

The first argument, PATTERN, is for the regex that awk will use to isolate the appropriate entries. The second argument, XFERLOG, is the path to the xferlog to be processed. For example, the following would match any entries containing "rugmonster.org" from the log at /var/log/xferlog.1:

./xfer-report.sh 'rugmonster\.org' /var/log/xferlog.1

The resulting output would then give you something like:

Fri Feb 27 20:23:00: user@12.34.56.78 - downloaded /path/to/file
|-------DATE------|       |SOURCE IP|   |-ACTION-| |----FILE---|

The results can be pretty long if there's been a lot of FTP activity, but this was prompted as a result of some files be deleted by someone that shouldn't have been only to be discovered too late to be restored from backup. The bigger lesson, of course, is that you should ensure only those that need access to your server have it and measure twice, cut once.