Configuring the Solaris FTP server to log extended data

I periodically use the stock Solaris FTP server on some of my servers, especially when I need to move tons of data around. Enabling the ftp service in Solaris is a snap:

$ svcadm enable network/ftp

The default ftp configuration leaves a lot to be desired, especially when you consider that nothing is logged. To configure the FTP daemon to log logins, transferred files and the commands sent to the server, you can enter the svccfg shell and add some additional options to the in.ftpd command line:

$ svccfg

svc:> select ftp

svc:/network/ftp> setprop inetd_start/exec=”/usr/sbin/in.ftpd -a -l -L -X -w”

svc:/network/ftp> listprop

The “-a” option will enable the use of the ftpaccess file, the “-l” option will log each FTP session, the “-L” option will log all commands sent to the server, the “-X” option will cause all file acesses to be logged to syslog, and the “-w” option will record the logins to the wtmpx file. Since most of this information is logged using the daemon facility and info log level, you will need to add a daemon.info entry to /etc/syslog.conf if you want the data to be logged to a file (or to a remote log server). To force the changes listed above to take effect, you will need to restart the inetd, system-log and ftp services:

$ svcadm restart inetd

$ svcadm restart network/ftp

$ svcadm restart system-log

Now each time an FTP transfer occurs, you will get entries similar to the following in the system log:

Nov 24 17:46:32 prefetch01 ftpd[9304]: [ID 716067 daemon.info] AUTH GSSAPI
Nov 24 17:46:32 prefetch01 ftpd[9304]: [ID 716067 daemon.info] AUTH KERBEROS_V4
Nov 24 17:46:32 prefetch01 ftpd[9304]: [ID 165209 daemon.info] USER prefetch
Nov 24 17:46:32 prefetch01 ftpd[9304]: [ID 125383 daemon.info] PASS password
Nov 24 17:46:32 prefetch01 ftpd[9304]: [ID 124999 daemon.info] FTP LOGIN FROM 1.2.3.4 [1.2.3.4], backup
Nov 24 17:46:32 prefetch01 ftpd[9304]: [ID 470890 daemon.info] SYST
Nov 24 17:48:42 prefetch01 ftpd[9304]: [ID 225560 daemon.info] QUIT
Nov 24 17:48:42 prefetch01 ftpd[9304]: [ID 528697 daemon.info] FTP session closed

While FTP isn’t to be relied on for 99% of what we do, it definitely still has its place.

4 thoughts on “Configuring the Solaris FTP server to log extended data”

  1. Thanks it helped me.. FYI ..use -o -i options to log file transfer details (in and out ) to /var/log/xferlog

  2. hi! In my Solaris, this steps dont work… :(
    any idea?

    0# cat /etc/release
    Oracle Solaris 10 9/10 s10s_u9wos_14a SPARC
    Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
    Assembled 11 August 2010

    # svcs |grep ftp
    online 8:37:19 svc:/network/ftp:default

    # svcs |grep system-log
    online 8:37:23 svc:/system/system-log:default

  3. 1. did you restart all above services
    2. did you add the required line to syslog.conf?
    3. if you did the above, look for other clues (i.e. error messages) and report back

  4. idk how i add the required line in syslog.conf:

    bash-3.00# cat /etc/syslog.conf
    #ident “@(#)syslog.conf 1.5 98/12/14 SMI” /* SunOS 5.0 */
    #
    # Copyright (c) 1991-1998 by Sun Microsystems, Inc.
    # All rights reserved.
    #
    # syslog configuration file.
    #
    # This file is processed by m4 so be careful to quote (`’) names
    # that match m4 reserved words. Also, within ifdef’s, arguments
    # containing commas must be quoted.
    #
    *.err;kern.notice;auth.notice /dev/sysmsg
    *.err;kern.debug;daemon.notice;mail.crit /var/adm/messages

    *.alert;kern.err;daemon.err operator
    *.alert root

    *.emerg *

    # if a non-loghost machine chooses to have authentication messages
    # sent to the loghost machine, un-comment out the following line:
    #auth.notice ifdef(`LOGHOST’, /var/log/authlog, @loghost)

    mail.debug ifdef(`LOGHOST’, /var/log/syslog, @loghost)

    #
    # non-loghost machines will use the following lines to cause “user”
    # log messages to be logged locally.
    #
    ifdef(`LOGHOST’, ,
    user.err /dev/sysmsg
    user.err /var/adm/messages
    user.alert `root, operator’
    user.emerg *
    )
    daemon.debug /var/log/daemonlog

Leave a Reply

Your email address will not be published. Required fields are marked *