Memo


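■ Analyzing FTP logs
After connecting with an FTP client and performing the following operations:
1. Upload a new file
2. Upload the file again, overwriting it
3. Delete the file
4. Create a directory
5. Delete the directory
the log in /var/log/xferlog is as shown below. Nothing like "moved to directory X" is recorded, but uploads and deletions are logged.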
Wed Nov 30 11:38:26 2022 [pid 91078] CONNECT: Client "203.0.113.1"
Wed Nov 30 11:38:26 2022 [pid 91078] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, not reused, no cert"
Wed Nov 30 11:38:26 2022 [pid 91077] [refirio] OK LOGIN: Client "203.0.113.1"
Wed Nov 30 11:38:27 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:27 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_RECEIVED_SHUTDOWN"
Wed Nov 30 11:38:27 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:27 2022 [pid 91079] [refirio] OK UPLOAD: Client "203.0.113.1", "/html/test.txt", 0.00Kbyte/sec
Wed Nov 30 11:38:27 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:27 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: NONE"
Wed Nov 30 11:38:27 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Nov 30 11:38:27 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:32 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:32 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_RECEIVED_SHUTDOWN"
Wed Nov 30 11:38:32 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:32 2022 [pid 91079] [refirio] OK UPLOAD: Client "203.0.113.1", "/html/test.txt", 0.00Kbyte/sec
Wed Nov 30 11:38:32 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:32 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: NONE"
Wed Nov 30 11:38:32 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Nov 30 11:38:33 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:37 2022 [pid 91072] [refirio] OK DELETE: Client "203.0.113.1", "/html/test.txt"
Wed Nov 30 11:38:42 2022 [pid 91072] [refirio] OK MKDIR: Client "203.0.113.1", "/html/test"
Wed Nov 30 11:38:45 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:45 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: NONE"
Wed Nov 30 11:38:45 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Nov 30 11:38:45 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: NONE"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:48 2022 [pid 91072] [refirio] OK RMDIR: Client "203.0.113.1", "/html/test"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: NONE"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Nov 30 11:38:49 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:50 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:50 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: NONE"
Wed Nov 30 11:38:50 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Nov 30 11:38:50 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:53 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "Connection terminated without SSL shutdown - buggy client?"
Using "Refresh" in the FTP client recorded the following:
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, reused, no cert"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: NONE"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Nov 30 11:38:48 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Excluding the entries of that kind leaves the following, which matches the operations performed:
Wed Nov 30 11:38:26 2022 [pid 91078] CONNECT: Client "203.0.113.1"
Wed Nov 30 11:38:26 2022 [pid 91077] [refirio] OK LOGIN: Client "203.0.113.1"
Wed Nov 30 11:38:27 2022 [pid 91079] [refirio] OK UPLOAD: Client "203.0.113.1", "/html/test.txt", 0.00Kbyte/sec
Wed Nov 30 11:38:32 2022 [pid 91079] [refirio] OK UPLOAD: Client "203.0.113.1", "/html/test.txt", 0.00Kbyte/sec
Wed Nov 30 11:38:37 2022 [pid 91072] [refirio] OK DELETE: Client "203.0.113.1", "/html/test.txt"
Wed Nov 30 11:38:42 2022 [pid 91072] [refirio] OK MKDIR: Client "203.0.113.1", "/html/test"
Wed Nov 30 11:38:48 2022 [pid 91072] [refirio] OK RMDIR: Client "203.0.113.1", "/html/test"
Wed Nov 30 11:38:53 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "Connection terminated without SSL shutdown - buggy client?"
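
The filtering step described above, as an added example that is not part of the original memo: it parses the line layout seen in this log, drops the per-connection SSL DEBUG entries, and flags paths uploaded twice with no delete in between, since a new upload and an overwrite are both logged as OK UPLOAD. The function names are hypothetical, and the sample lines are a subset copied from the log on this page.

```python
import re
from datetime import datetime

# Line layout taken from the log on this page:
#   <ctime> [pid N] [user] [STATUS] ACTION: Client "ip"[, "detail"]
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?:(?P<status>[A-Z]+) )?(?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<detail>[^"]*)")?')
# DEBUG details written for every data connection (the "Refresh" pattern).
SSL_NOISE = ("SSL version:", "SSL shutdown state is:")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%a %b %d %H:%M:%S %Y")
    return rec

def audit_events(lines):
    """Parse lines and drop the per-connection SSL DEBUG entries."""
    recs = filter(None, map(parse_line, lines))
    return [r for r in recs if not (r["action"] == "DEBUG"
            and (r["detail"] or "").startswith(SSL_NOISE))]

def overwritten_paths(events):
    """Paths uploaded again while still present (no DELETE in between)."""
    present, overwritten = set(), []
    for ev in events:
        if ev["action"] == "UPLOAD" and ev["status"] == "OK":
            if ev["detail"] in present:
                overwritten.append(ev["detail"])
            present.add(ev["detail"])
        elif ev["action"] == "DELETE" and ev["status"] == "OK":
            present.discard(ev["detail"])
    return overwritten

# Sample: lines copied from the log on this page (subset).
SAMPLE = '''\
Wed Nov 30 11:38:26 2022 [pid 91078] CONNECT: Client "203.0.113.1"
Wed Nov 30 11:38:26 2022 [pid 91078] DEBUG: Client "203.0.113.1", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES128-SHA, not reused, no cert"
Wed Nov 30 11:38:26 2022 [pid 91077] [refirio] OK LOGIN: Client "203.0.113.1"
Wed Nov 30 11:38:27 2022 [pid 91078] [refirio] DEBUG: Client "203.0.113.1", "SSL shutdown state is: 3"
Wed Nov 30 11:38:27 2022 [pid 91079] [refirio] OK UPLOAD: Client "203.0.113.1", "/html/test.txt", 0.00Kbyte/sec
Wed Nov 30 11:38:32 2022 [pid 91079] [refirio] OK UPLOAD: Client "203.0.113.1", "/html/test.txt", 0.00Kbyte/sec
Wed Nov 30 11:38:37 2022 [pid 91072] [refirio] OK DELETE: Client "203.0.113.1", "/html/test.txt"
Wed Nov 30 11:38:53 2022 [pid 91071] [refirio] DEBUG: Client "203.0.113.1", "Connection terminated without SSL shutdown - buggy client?"
'''.splitlines()
```

Calling `audit_events(SAMPLE)` keeps the six operational entries, including the final disconnect notice, and `overwritten_paths` on that result returns `['/html/test.txt']`.
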
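The above applies to FTP. Note that with SFTP, operations do not appear to be logged. It seems they can be logged by changing the configuration (unverified).
Configuration for logging SFTP operations - Qiita
https://qiita.com/Sophick12224/items/b62e5f1af335a29217e0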
