Overview of VSFTP Logging in CentOS
VSFTP (Very Secure FTP Daemon) is a widely used FTP server on CentOS, and its logs are critical for monitoring user activity, troubleshooting issues, and ensuring security. By default, VSFTP logs are stored in /var/log/vsftpd.log, but this can be customized in the configuration file (/etc/vsftpd/vsftpd.conf). Key parameters to configure logging include:
xferlog_enable=YES: Enables logging of file transfers.
xferlog_file=/var/log/vsftpd/xferlog: Specifies the path for transfer logs (alternative to vsftpd.log).
xferlog_std_format=YES: Uses the standard wu-ftpd xferlog format, which existing transfer-statistics tools can parse. Note that when this is set, the vsftpd-style log that the examples below rely on (vsftpd_log_file, default /var/log/vsftpd.log) is only written if dual_log_enable=YES is also set.
log_ftp_protocol=YES: Logs detailed FTP protocol interactions (useful for debugging).

Basic Log Analysis Techniques
Once logs are enabled, you can use command-line tools to analyze them:
tail -f /var/log/vsftpd.log to view the latest log entries in real time. This is helpful for tracking active connections or troubleshooting immediate issues.
grep to filter logs by keywords. vsftpd records login results as "OK LOGIN" and "FAIL LOGIN", so grep 'LOGIN' /var/log/vsftpd.log shows all login attempts, while grep 'FAIL LOGIN' /var/log/vsftpd.log highlights failed logins.
less /var/log/vsftpd.log to navigate through logs page by page. Press q to exit.
awk to extract fields. For example, awk '/error/ {print $1, $2, $3, $4, $5}' /var/log/vsftpd.log prints the timestamp of every line containing "error" (vsftpd's timestamp spans the first five space-separated fields, e.g. Mon Sep 02 09:15:01 2024, so $1 and $2 alone would give only the weekday and month).
grep and wc -l to count occurrences. For example, grep "RETR" /var/log/vsftpd.log | wc -l counts the number of file downloads (RETR commands, which are only logged when log_ftp_protocol=YES; grep "OK DOWNLOAD" /var/log/vsftpd.log | wc -l counts completed downloads in the default log format).

Advanced Log Analysis with ELK Stack
For large-scale or complex environments, the ELK (Elasticsearch, Logstash, Kibana) Stack provides powerful log collection, processing, and visualization capabilities:
Install Elasticsearch (sudo yum install elasticsearch), Logstash (sudo yum install logstash), and Kibana (sudo yum install kibana) on your CentOS server. Start and enable each service (sudo systemctl start <service> && sudo systemctl enable <service>).
Create a Logstash pipeline configuration (/etc/logstash/conf.d/vsftpd.conf) to parse VSFTP logs. A sample configuration includes:

input {
  file {
    path => "/var/log/vsftpd.log"
    start_position => "beginning"
  }
}
filter {
  # vsftpd lines look like: Mon Sep 02 09:15:03 2024 [pid 4021] [alice] OK LOGIN: Client "203.0.113.7"
  # (the [user] field is absent on CONNECT lines); an Apache pattern such as COMBINEDAPACHELOG would never match them
  grok {
    match => { "message" => "(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}) \[pid %{POSINT:pid}\] (\[%{USERNAME:user}\] )?%{DATA:event}: %{GREEDYDATA:detail}" }
  }
  date { match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy" ] }
}
output {
  elasticsearch { hosts => ["localhost:9200"] index => "vsftpd-logs-%{+YYYY.MM.dd}" }
  stdout { codec => rubydebug }
}
This configuration tells Logstash to read the VSFTP log file, parse it using the grok filter (to extract structured data), and send the parsed data to Elasticsearch (with daily indexes).
Open Kibana in your browser (http://localhost:5601), create an index pattern for "vsftpd-logs-*", and use the Discover, Visualize, and Dashboard features to analyze logs. For example, you can create visualizations to show login trends over time, top users by connection count, or failed login attempts by IP address.

Log Rotation for VSFTP Logs
To prevent log files from growing indefinitely and consuming disk space, configure log rotation using logrotate (pre-installed on CentOS):
Create /etc/logrotate.d/vsftpd with the following content:

/var/log/vsftpd.log /var/log/vsftpd/*.log {
  daily
  missingok
  rotate 7
  compress
  notifempty
  create 640 ftp adm
}
This configuration rotates VSFTP logs daily, keeps 7 days of rotated logs, compresses old logs, and sets appropriate permissions for the new log files. Make sure every log path in use is listed: a glob such as /var/log/vsftpd/*.log does not match the default /var/log/vsftpd.log.
Run sudo logrotate -d /etc/logrotate.d/vsftpd first for a dry run that reports what would be rotated without touching any files, then sudo logrotate -f /etc/logrotate.d/vsftpd to force an immediate rotation and verify the configuration works as expected.

Common Log Analysis Examples
Failed login attempts: grep "sshd.*Failed password for" /var/log/secure (SSH login attempts; CentOS writes sshd authentication messages to /var/log/secure, the counterpart of /var/log/auth.log on Debian-based systems) or grep "FAIL LOGIN" /var/log/vsftpd.log (VSFTP-specific attempts).
Successful logins: grep "sshd.*Accepted password for" /var/log/secure (SSH) or grep "OK LOGIN" /var/log/vsftpd.log (VSFTP).
Sources of failed SSH logins: grep "sshd.*Failed password for" /var/log/secure | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -nr (lists IPs with the most failed attempts; the address is taken from the field after "from" rather than a fixed field number such as $11, because lines for non-existent accounts contain the extra words "invalid user" and shift the fields).
Transfers today: awk -v d="$(date '+%b %d')" '$0 ~ d && /OK (DOWNLOAD|UPLOAD):/ {count++} END {print count+0}' /var/log/vsftpd.log (counts completed uploads and downloads for the current day; the date is passed in with -v because single quotes would stop the shell from expanding $(date ...) inside the awk program).
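The parsing the grok filter performs and the counts the grep and awk one-liners produce, written out as an added Python example that is not part of this article or of vsftpd. It assumes the default vsftpd-style log (xferlog_std_format=NO), runs over constructed sample lines, and goes one step further than the one-liners by applying a per-IP threshold to failed logins:

```python
import re
from collections import Counter
from datetime import date, datetime

# Regex equivalent of a grok pattern for vsftpd's own log format:
#   <Day> <Mon> <DD> <HH:MM:SS> <YYYY> [pid N] [user] <EVENT>: <detail>
# The [user] bracket is absent on CONNECT lines, hence the optional group.
VSFTPD_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[pid (?P<pid>\d+)\] (?:\[(?P<user>[^\]]+)\] )?"
    r"(?P<event>[A-Z ]+?): (?P<detail>.*)$"
)
# vsftpd may prefix IPv4 clients with ::ffff: on dual-stack hosts.
CLIENT_IP = re.compile(r'Client "(?:::ffff:)?(?P<ip>[^"]+)"')

# Constructed sample lines (not from a real server): one normal session
# and a burst of failed logins from a single address.
SAMPLE_LOG = """\
Mon Sep 02 09:15:01 2024 [pid 4021] CONNECT: Client "203.0.113.7"
Mon Sep 02 09:15:03 2024 [pid 4021] [alice] OK LOGIN: Client "203.0.113.7"
Mon Sep 02 09:15:09 2024 [pid 4023] [alice] OK DOWNLOAD: Client "203.0.113.7", "/pub/report.pdf", 10240 bytes, 512.00Kbyte/sec
Mon Sep 02 09:20:44 2024 [pid 4031] CONNECT: Client "198.51.100.9"
Mon Sep 02 09:20:46 2024 [pid 4031] [admin] FAIL LOGIN: Client "198.51.100.9"
Mon Sep 02 09:20:49 2024 [pid 4031] [root] FAIL LOGIN: Client "198.51.100.9"
Mon Sep 02 09:20:52 2024 [pid 4031] [test] FAIL LOGIN: Client "198.51.100.9"
Tue Sep 03 01:02:03 2024 [pid 4102] [bob] OK UPLOAD: Client "203.0.113.7", "/incoming/data.csv", 2048 bytes, 100.00Kbyte/sec
"""

def parse_line(line):
    """Return a dict of fields for one vsftpd log line, or None if it does not match."""
    m = VSFTPD_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    ip = CLIENT_IP.search(rec["detail"])
    rec["ip"] = ip.group("ip") if ip else None
    return rec

def parse_log(text):
    """Parse every line, skipping lines that are not in vsftpd's format."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def failed_logins_by_ip(text, threshold=3):
    """Count FAIL LOGIN events per client IP; return those at or above threshold."""
    counts = Counter(r["ip"] for r in parse_log(text) if r["event"] == "FAIL LOGIN")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def transfers_on(text, year, month, day):
    """Count completed uploads and downloads whose timestamp falls on the given day."""
    return sum(1 for r in parse_log(text)
               if r["event"] in ("OK DOWNLOAD", "OK UPLOAD") and r["ts"].date() == date(year, month, day))
```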