Logging what users do with the FTP server in Mac OS X (client).
A tutorial for OS X novices.
Perhaps you have a design agency and always leave an ftp server running so clients can upload or download artwork, concepts or other files.
Perhaps you have a server running at home so you can access your files at work.
Perhaps you have a machine that's hosting the websites of some of your friends.
Whatever the reason, the built-in ftp server in Mac OS X is quite capable. Turn the ftp server on with the System Preferences item Sharing if it's not already running.
By default, however, the ftp server in Mac OS X doesn't log much information. While this might be a fair privacy measure (our lives are already logged to death by webservers and the like), sometimes you'd like to see a bit more about what people do. Luckily, logging some extra information isn't that hard: it's just a matter of adding an extra letter to a configuration file and restarting the ftp server.
We'll be using the Terminal to issue some commands, so go to Applications/Utilities and start the Terminal application. You'll be greeted and see something like the following:
What's happening here? Well, angua is my computer's name (and a lovely iBook she is...). After the computer name is some variable gobbledygook which tells unix geeks where they are, and after that is your short username and a percent sign. This construct is called the prompt. All our commands will be typed in after this prompt. You'll need to issue some commands with an administrative account. Note that in some versions of OS X this prompt can look a bit different (the percent sign might be a dollar sign, for example), so don't worry if your Terminal looks a bit different.
First we'll edit the configuration file. Type in the following after the prompt:
sudo pico ftp;
If you are prompted for a password type in your administrative password.
Note: the ; is there to separate different commands from each other, handy if you're cutting and pasting. If you're just typing the commands you can leave them off as long as you separate commands by hitting the enter key.
Pico is a small unix text editor. You can't use the mouse, but you can navigate with the arrow keys. Another issue is that command key shortcuts like Command+S don't work and won't save a file; you'll need to use another method, which we'll come to in a moment. When pico opens the file the interface will change. Pico is a fairly friendly editor, and on the bottom of your window you'll now see some hints on how to operate the program (the caret sign means the control key, so ^O means you'll have to hit control+o).
Look for the line that says: "server_args = -l" and add an extra l (lowercase letter, not a number). Here's how the entire file should now read:
service ftp
{
        disable = yes
        socket_type = stream
        wait = no
        user = root
        server = /usr/libexec/ftpd
        server_args = -ll
        groups = yes
        flags = REUSE IPv6
}
Save the file by typing control+o and then close the file by typing control+x. Pico should exit and you'll see your command line prompt again.
The modifications are now in place. All we need to do now is restart the server:
sudo service ftp stop; sudo service ftp start;
Your changes are now in place. To see what gets logged open an ftp client (I recommend Fetch) and log in to your machine. Download a file and upload a file. Quit the ftp client.
Open the Terminal again if you've closed it. It's time to view the logfile.
Here's a sample:
Jan 14 08:01:56 localhost ftpd: connection from localhost to localhost
Jan 14 08:01:56 localhost ftpd: FTP LOGIN FROM localhost as harold (class: real, type: REAL)
Jan 14 08:02:46 localhost ftpd: get /Users/harold/Documents/WebPages/Backup/virtualpetrock.nl/virtualpetrock.nl 2003-01-06.tar.gz = 4658696 bytes in 0.865 seconds
Jan 14 08:04:00 localhost ftpd: put /Users/harold/Sites/www/virtualpetrock.nl/index.php = 10954 bytes in 0.129 seconds
Jan 14 08:04:00 localhost ftpd: put /Users/harold/Sites/www/virtualpetrock.nl/loginoutcookies.php = 717 bytes in 0.043 seconds
Jan 14 08:04:05 localhost ftpd: put /Users/harold/Sites/www/virtualpetrock.nl/links.php = 9500 bytes in 0.138 seconds
Jan 14 08:04:05 localhost ftpd: put /Users/harold/Sites/www/virtualpetrock.nl/login.php = 10247 bytes in 0.043 seconds
Jan 14 08:04:18 localhost ftpd: Data traffic: 4690114 bytes in 5 files
Jan 14 08:04:18 localhost ftpd: Total traffic: 4710440 bytes in 17 transfers
The tail command means that we want to view the last few lines of the filename we entered.
If you prefer to use the Terminal as little as possible the new Console application in Mac OS X 10.3 (Panther) will allow you to view logfiles in a more friendly environment. Console can also be found in the Utilities folder. Click the Logs toolbar item and expand the /var/log item. Click on ftp.log and marvel. Here's a screenshot of my machine at home (oook.xs4all.nl) showing some downloads and some uploads from when I was at work and needed some files from home.
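As an added example (not part of the original tutorial), the Python script below parses log lines in the format of the sample above, ties each get and put to the login that precedes it, and picks out uploaded script files for review. The sample lines are constructed from the excerpt above; the function names and the list of script extensions are assumptions made for this example.

```python
import re

# Constructed sample in the format of the log excerpt above; the real file
# is /var/log/ftp.log and its lines may carry a PID as "ftpd[123]:".
SAMPLE_LOG = """\
Jan 14 08:01:56 localhost ftpd: connection from localhost to localhost
Jan 14 08:01:56 localhost ftpd: FTP LOGIN FROM localhost as harold (class: real, type: REAL)
Jan 14 08:02:46 localhost ftpd: get /Users/harold/Documents/WebPages/Backup/virtualpetrock.nl/virtualpetrock.nl 2003-01-06.tar.gz = 4658696 bytes in 0.865 seconds
Jan 14 08:04:00 localhost ftpd: put /Users/harold/Sites/www/virtualpetrock.nl/index.php = 10954 bytes in 0.129 seconds
Jan 14 08:04:18 localhost ftpd: Data traffic: 4690114 bytes in 5 files
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ftpd(?:\[(\d+)\])?: (.*)$")
LOGIN = re.compile(r"^FTP LOGIN FROM (\S+) as (\S+)")
# Greedy path match: file names may contain spaces or even " = ", so the
# size/time fields are anchored at the end of the line instead.
XFER = re.compile(r"^(get|put) (.+) = (\d+) bytes in ([\d.]+) seconds$")
# Assumption for this example: uploads of server-side scripts are worth review.
SCRIPT_EXT = (".php", ".cgi", ".pl")

def parse_transfers(text):
    """Return one dict per get/put line, attributed to the latest login."""
    current = {}          # pid (or None when absent) -> (user, source host)
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = m.groups()
        login = LOGIN.match(msg)
        if login:
            current[pid] = (login.group(2), login.group(1))
            continue
        x = XFER.match(msg)
        if x:
            user, src = current.get(pid, ("?", "?"))
            out.append({"time": ts, "user": user, "from": src, "op": x.group(1),
                        "path": x.group(2), "bytes": int(x.group(3))})
    return out

def script_uploads(transfers):
    """Uploads ('put') whose name ends in a server-side script extension."""
    return [t for t in transfers
            if t["op"] == "put" and t["path"].lower().endswith(SCRIPT_EXT)]

if __name__ == "__main__":
    for t in parse_transfers(SAMPLE_LOG):
        print(t["time"], t["user"], t["from"], t["op"], t["bytes"], t["path"])
    print("review:", [t["path"] for t in script_uploads(parse_transfers(SAMPLE_LOG))])
```

When the log lines carry no PID, as in the sample, transfers are attributed to the most recent login, which is only reliable if sessions do not overlap.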