Skip to main content
Hitachi Vantara Knowledge

FTP auditing

FTP audit logging is controlled on a per-EVS basis. When enabled, the system maintains an audit log which tracks user activity performed through the FTP protocol for all file systems in the EVS. Each time a user takes any of the following actions, the system records the event:

  • Logging in or out (including when a session timeout occurs).
  • Renaming or deleting a file.
  • Retrieving, appending or storing a file.

    In this case, the system records the success or otherwise of the action at both its start and end.

  • Creating or removing a directory.

Displaying FTP Audit Logs page

The FTP Audit Logs page displays the FTP audit logging status for each EVS in the server or cluster. Using this page, you can view FTP logging status, enable or disable FTP audit logging, and you can also display the FTP Audit Log Details page, which allows you to configure log file details.

Procedure

  1. Navigate to Home File Services FTP Audit Logs.

    For each EVS in the server or cluster, this page lists the status of FTP audit logging, and displays the file systems being monitored, as well as the path to the FTP audit logs for each monitored file system.

    Field/Item Description
    EVS Lists the file serving EVS in the server or cluster.
    File System Lists the file systems in the server or cluster.
    Path Displays the directory path in the file system where the FTP audit log is located.
    Status Indicates whether FTP auditing is enabled or disabled.
    details Display the FTP Audit Log Details page, which allows you to configure FTP audit logging for the file system.
    enable Select the check box for an EVS, and click enable to enable FTP auditing for the EVS.
    disable Select the check box for an EVS, and click disable to disable FTP auditing for the EVS.

Enabling or disabling FTP audit logging for an EVS

FTP Audit Logging is enabled or disabled on a per-EVS basis, meaning that is enabled or disabled for all file systems served by the EVS and accessed through the FTP protocol.

Procedure

  1. Navigate to Home File Services FTP Audit Logs

  2. Select the check box for the EVS for which you want to enable or disable FTP audit logging.

    • If FTP Audit Logging is disabled, you can enable it by clicking enable.
    • If FTP Audit Logging is enabled, you can disable it by clicking disable.

Configuring FTP audit logging

  1. Navigate to Home File Services FTP Audit Logs.

  2. Click details to display the FTP Audit Log Details page for the EVS for which you want to configure FTP audit logging.

    Field/Item Description
    EVS Lists the currently selected EVS and file system, to which the audit configuration will apply.
    Audit Logging Indicates if FTP audit logging is enabled or disabled for the EVS.
    File System Displays the name of the file system that will contain the FTP audit log files. Click change to select a different file system.
    Logging Directory Displays the directory path in the file system in which the FTP audit log files are stored. The path options allow you to select an existing directory, or to create the directory if it does not already exist.
    NoteThe browse... button only exists if the path being created is the path in a file system, not a namespace.
    NoteAutomatically created directories will be owned by the root user and group (UID:0 / GID:0) and will be accessible to all users; for example: the permissions are set to rwxrwxrwx. It is recommended that such directories are created using CIFS or NFS, or that such directories are given the desired permissions explicitly after being created using this option.
    Max. Records per Log File Specifies the maximum number of records per log file. Once the maximum number of records per file is reached, a new log file is started.

    Each log file is a tab-delimited text file containing one line per FTP event. Besides logging the date and time at which an event occurs, the system logs the user name and IP address of the client and a description of the executed command.

    Max. Number of Log Files Specifies the maximum number of log files to be kept. Once the maximum number of log files is reached, when the current log file becomes full, the oldest log file is deleted. The newest log file is called ftp.log, and the older files are called ftpn.log (the larger the value of n, the older the file).
    OK Save the configuration.
    cancel Exits without saving the configuration.
  3. In the File System field, choose a file system in which to keep the log files. Click change to see a list of file systems in the EVS.

    For optimum performance, keep the log files on a different system drive than the files that users will access over FTP
  4. Specify the logging directory.

    The logging directory specifies the location in which the FTP audit logs are kept. In the Logging Directory field, specify the directory in which to keep the log files. Click browse to choose an existing directory, or specify a path to be created. To create the path automatically when it does not already exist, select the check box Create path if it does not exist.
  5. In the Max. Number of Records per Log File field, specify the maximum number of records to store in each log file.

    For optimum performance, produce a small number of large files instead of a large number of small files.
  6. In the Max. Number of Log Files field, specify the maximum number of log files to keep.

    Once it has reached this limit, the server deletes the oldest log file each time it creates a new one.
  7. Click OK to save the FTP audit logging configuration.

Displaying FTP audit logs

FTP audit logs can be displayed with a text editor. If the logging directory is within an NFS export or a CIFS share, access the directory, and open the log file. If the logging directory is available through FTP, you can download the file, then open it with a text editor.

 

  • Was this article helpful?