# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Pure-FTPd messages delivered via syslog.
# Coverage, as visible in the parsing filter below: only "uploaded",
# "downloaded" and "Deleted" messages are turned into database entries.
# Every other pure-ftpd message (for example connection or authentication
# messages) is not accepted by any filter here, so this plugin on its own
# is not a source for login-failure or session monitoring.

pure_ftpd_syslog_required = {

  # NOTE(review): the changelog below records a 1.0.1 edit, but plugin_version
  # still reads "1.0" -- confirm which value is intended.
  plugin_version = "1.0"

  # 2009-08-03 - 1.0 - KBB - Initial creation. The format is very different from the stand-alone version,
  #   which is documented on pureftpd.org, but I couldn't find a sample to test backward compatibility,
  #   so these must be separate for now. The numeric field kilobytes_per_second is so named because
  #   there is already a kb_per_second, which may be kilobits per second. It isn't implemented yet because,
  #   to work properly, seconds would have to be derived from bytes and kBps.
  # 2011-07-13 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "GNU"
  info.1.device = "PureFTP (Syslog)"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "PureFTP Log Format (Syslog)"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "ftp_server"

  # The log is in this format if any of the first ten lines match this regular expression
  #Jul 26 08:02:26 ftpsrv2 pure-ftpd[23447]: (ftp@10.22.22.222) [NOTICE] 168.122.222.22://outgoing/lizard/gecko.txt uploaded (26 bytes, 0.10KB/sec)
  # The pattern only recognises transfer lines (uploaded/downloaded) whose
  # client address consists of digits and dots; "Deleted" lines alone do not
  # trigger autodetection.
  log.format.autodetect_regular_expression = "pure-ftpd(\\[[0-9]+\\])?: \\([^@]+@[0-9.]+\\) \\[[A-Z]+\\] [^ ]+ (downloaded|uploaded) +\\([0-9]+ bytes, [0-9.]+KB/sec\\)"

  # Entries are created only by accept_collected_entry() in the parsing filter.
  # NOTE(review): presumably a line that no filter accepts is dropped without
  # any record -- confirm against the Sawmill documentation.
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    pid = ""
    username = ""
    remote_ip.type = "host"
    action = ""
    file.type = "page"
    bytes = ""
    #kilobytes_per_second = "" # need to calculate seconds and create an average field - later
  } # log.fields

  # Log Parsing Filters
  #
  # Flow of the filter below:
  #   1. v.message is reset to "", then the common prefix is matched against
  #      v.syslog_message to collect pid ($2), username ($3) and remote_ip ($4);
  #      the remainder of the line ($5) becomes v.message.
  #   2. v.message is matched against the transfer pattern (file, action, bytes);
  #      the KB/sec capture ($4) is parsed but not stored.
  #   3. Only if the transfer pattern did not match, "Deleted <name>" is tried
  #      and stored with action 'deleted'.
  #
  # Parsing caveats that affect what ends up in the database:
  #   - The client address must match [0-9.]+. If the prefix does not match,
  #     v.message stays "" and neither later pattern can match, so the line
  #     produces no entry. NOTE(review): lines carrying an IPv6 address or a
  #     resolved host name would fall into this case -- verify against real logs.
  #   - The account name is captured with [^@]+, so an account name that itself
  #     contains '@' does not fit the prefix pattern as written.
  #   - The transferred path is captured with [^ ]+ and the deleted name with
  #     (.*). Both values are chosen by the FTP client, so treat the 'file'
  #     field as untrusted text wherever it is displayed or exported. A path
  #     containing spaces is not captured in full by [^ ]+ (or the line does
  #     not match at all, depending on whether matches_regular_expression
  #     anchors the pattern -- TODO confirm).
  #   - The severity tag ([A-Z]+) is matched but not stored.
  log.parsing_filters.parse = `
#Jul 26 09:08:51 ftpsrv2 pure-ftpd[26914]: (agama@65.168.255.156) [NOTICE] /usr/ftp/agama//anole.txt downloaded (560026 bytes, 623.16KB/sec)
# Get common fields. Ignore level since they're all NOTICE for now.
v.message = "";
if (matches_regular_expression(v.syslog_message, 'pure-ftpd(\\\\[([0-9]+)\\\\])?: \\\\(([^@]+)@([0-9.]+)\\\\) \\\\[[A-Z]+\\\\] (.*)')) then (
  set_collected_field('', 'pid', $2);
  set_collected_field('', 'username', $3);
  set_collected_field('', 'remote_ip', $4);
  v.message = $5;
);

#Jul 26 08:02:26 ftpsrv2 pure-ftpd[23447]: (ftp@10.22.22.222) [NOTICE] 168.122.222.22://outgoing/lizard/gecko.txt uploaded (26 bytes, 0.10KB/sec)
#Jul 26 08:02:29 ftpsrv2 pure-ftpd[23447]: (ftp@10.22.22.222) [NOTICE] 168.122.222.22://outgoing/lizard/skink.jpg downloaded (101 bytes, 1864.41KB/sec)
if (matches_regular_expression(v.message, '([^ ]+) (downloaded|uploaded) +\\\\(([0-9]+) bytes, ([0-9.]+)KB/sec\\\\)')) then (
  set_collected_field('', 'file', $1);
  set_collected_field('', 'action', $2);
  set_collected_field('', 'bytes', $3);
  #set_collected_field('', 'kilobytes_per_second', $4);
  accept_collected_entry('', false);
);

#Jul 26 08:06:46 ftpsrv2 pure-ftpd[23608]: (ftp@10.244.44.44) [NOTICE] Deleted agama_agama.vfb
else if (matches_regular_expression(v.message, 'Deleted (.*)')) then (
  set_collected_field('', 'action', 'deleted');
  set_collected_field('', 'file', $1);
  accept_collected_entry('', false);
);
`

  # Database fields
  # file_type has no counterpart in log.fields above.
  # NOTE(review): presumably derived by Sawmill from the page-type 'file' field -- confirm.
  database.fields = {
    pid = ""
    username = ""
    remote_ip = ""
    action = ""
    file.suppress_bottom = 9
    file_type = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Sets events to 1 on each entry; label and comment are looked up from the
    # $lang_admin language strings.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {

    # Entry counter; not tied to a log field.
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events

    # Count of distinct remote_ip values.
    unique_remote_ips = {
      requires_log_field = true
      log_field = "remote_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_remote_ips

    # Transferred byte total, held as a 64-bit integer. "Deleted" entries set
    # no bytes value in the parsing filter.
    bytes = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    }

  } # create_profile_wizard_options

} # pure_ftpd_syslog_required