File: ftp-proxy-9.html

package info (click to toggle)
proxy-suite 1.9.2.4-1
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 1,420 kB
  • ctags: 436
  • sloc: ansic: 6,530; sh: 2,955; makefile: 341
file content (190 lines) | stat: -rw-r--r-- 6,038 bytes parent folder | download | duplicates (7)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>The FTP-Proxy White Paper: Logging and Auditing</TITLE>
 <LINK HREF="ftp-proxy-10.html" REL=next>
 <LINK HREF="ftp-proxy-8.html" REL=previous>
 <LINK HREF="ftp-proxy.html#toc9" REL=contents>
</HEAD>
<BODY>
<A HREF="ftp-proxy-10.html">Next</A>
<A HREF="ftp-proxy-8.html">Previous</A>
<A HREF="ftp-proxy.html#toc9">Contents</A>
<HR>
<H2><A NAME="logging"></A> <A NAME="s9">9. Logging and Auditing</A></H2>

<P>All possible log messages with their exact wording have been
collected and listed in the file <EM>SYSLOG</EM> which is part
of the FTP-Proxy distribution.  You can find it in the
<EM>ftp-proxy</EM> subdirectory.
<P>
<P>The FTP-Proxy logs can be sent to a file, to a pipe, or to the
<EM>syslogd(8)</EM> daemon for further evaluation and handling.
It is strongly recommended to use syslog because it is the only
way to send logging messages to another machine as they are
generated.
<P>
<P>This off shore logging is especially important for FTP-Proxy
servers located in exposed areas, like the Demilitarized Zone
of a firewall.  Anything that is stored on the computer itself
can easily be manipulated in the case of a hostile takeover.
And when the auditor stops by on his weekly audit tour, all
traces have long since been wiped out.
In order to implement remote logging the <EM>syslog.conf(5)</EM>
file has to include an entry for the selected facility using a
target starting with the letter '@' followed by the DNS name
or IP address of the external log host.  Usually this loghost
may be not part of the DMZ, but be located on the intranet or
dedicated administration network.
The UDP syslog traffic is then allowed to pass through the
internal firewall router.  Note that the syslogd on the log
host usually has to be started with the "<EM>-r</EM>" option
to enable the reception of logging information from another
machine.
<P>
<P>The FTP-Proxy syslog messages have been created in a way that
should ease the task of scanning and evaluating.  Each message
contains a tag that can easily be recognized.  It consists
of a prefix that is either <EM>TECH</EM> or <EM>USER</EM>,
followed by a hyphen and one of <EM>DBG</EM>, <EM>INF</EM>,
<EM>WRN</EM>, <EM>ERR</EM>, or <EM>FTL</EM>.
<P>
<P>Using the <CODE>LogLevel</CODE> configuration option, you can
skip message levels not interesting for you. For example,
<PRE>
LogLevel  WRN
</PRE>
 will cause skipping of all
<EM>DBG</EM> and <EM>INF</EM> messages and displaying only
the <EM>WRN</EM>, <EM>ERR</EM> and <EM>FLT</EM> level
messages. Default level is <EM>INF</EM> - no <EM>DBG</EM>
messages will get logged.
<P>
<P>The possible combinations can be interpreted as follows:
<P>
<PRE>
TECH-DBG
</PRE>

<BLOCKQUOTE>
Messages with this tag carry some technical informations usefull
for diagnostics purposes with no need to react to them.
</BLOCKQUOTE>
<P>
<PRE>
TECH-INF
</PRE>

<BLOCKQUOTE>
Messages with this tag carry some technical information with
no need to react to them.  They might display the contents of
the configuration file or the start or stop of the program.
These messages are generated with the <EM>INFO</EM> syslog
severity.
</BLOCKQUOTE>
<P>
<PRE>
TECH-WRN
</PRE>

<BLOCKQUOTE>
Messages with this tag display some mild technical problem
or inconsistency.  E.g. a configuration variable with no
value given or a temporary resource shortage would be sent
in this context.  Also if an FTP server closed a connection
without being instructed by the client or proxy would generate
this kind of message.  These messages are generated with the
<EM>WARNING</EM> syslog severity.
</BLOCKQUOTE>
<P>
<PRE>
TECH-ERR
</PRE>

<BLOCKQUOTE>
Messages with this tag usually mean a severe error condition
that will lead to the termination of the emitting process.
Problems that fall under this category include the inability
to open the configuration file, internal security handling,
network problems like ports already in use by other processes,
input/output errors or other communication faults.  It is
strongly advised that all such messages shall be investigated
and further action is taken.  These messages are generated with
the <EM>ERROR</EM> syslog severity.
</BLOCKQUOTE>
<P>
<PRE>
TECH-FTL
</PRE>

<BLOCKQUOTE>
Messages with this tag should be very rare.  They are reserved
for really weird situations which reveal bugs in the internal
FTP-Proxy programming.  Please report any such occurrance to
the Proxy-Suite development team, it requires the programmer's
attention.  These messages are generated with the <EM>CRIT</EM>
syslog severity.
</BLOCKQUOTE>
<P>
<P>
<PRE>
USER-DBG
</PRE>

<BLOCKQUOTE>
Messages with this tag are currently not being used.
</BLOCKQUOTE>
<P>
<PRE>
USER-INF
</PRE>

<BLOCKQUOTE>
Messages with this tag will be the majority of all messages.
They are generated for all regular user actions like logging
in, sending commands and transfer statistics.  Their main
purpose is to provide a complete audit trail for every user
interaction.  These messages are generated with the <EM>INFO</EM>
syslog severity.
</BLOCKQUOTE>
<P>
<PRE>
USER-WRN
</PRE>

<BLOCKQUOTE>
Messages with this tag indicate some sort of unforeseen user
action, but need not be taken too seriously.  Only if there is
a pattern of regular or frequent messages of this kind, you
might want to look a bit closer.  These messages are generated
with the <EM>WARNING</EM> syslog severity.
</BLOCKQUOTE>
<P>
<PRE>
USER-ERR
</PRE>

<BLOCKQUOTE>
Messages with this tag mean that the user has been rejected.
Currently no other message has been defined with this tag,
although this might be changed in the future. These messages
are generated with the <EM>ERROR</EM> syslog severity.
</BLOCKQUOTE>
<P>
<PRE>
USER-FTL
</PRE>

<BLOCKQUOTE>
Messages with this tag are currently not being used.
</BLOCKQUOTE>
<P>
<P>
<P>
<HR>
<A HREF="ftp-proxy-10.html">Next</A>
<A HREF="ftp-proxy-8.html">Previous</A>
<A HREF="ftp-proxy.html#toc9">Contents</A>
</BODY>
</HTML>