// Services · FTP
FTP Server Logs
FTP logs record authentication events, file transfers, and connection details. Format varies by daemon but all log to syslog or dedicated files. Understanding FTP response codes is key to diagnosing transfer failures.
vsftpd Log Format
vsftpd logs to /var/log/vsftpd.log (when xferlog_enable=YES), or to syslog via /var/log/auth.log for auth events. The transfer log follows the WU-FTP xferlog format.
Thu Apr 10 17:05:33 2025
1
203.0.113.42
1048576
/home/user/upload/backup.tar.gz
b
_
i
r
alice
ftp 0 * c
Timestamp
Transfer time (sec)
Remote host
File size (bytes)
Filename
Type / Action / Direction / Access
Username
Service / Auth / Status
xferlog Field Reference (all 14 positional fields)
| Position | Field Name | Values & Meaning |
|---|---|---|
| 1 | Timestamp | Day Mon DD HH:MM:SS YYYY — local time when transfer completed. |
| 2 | Transfer time | Seconds taken for transfer. High values = network slowness or very large file. |
| 3 | Remote host | Client IP or hostname. IP preferred (no DNS dependency). |
| 4 | File size | Bytes transferred. For aborted transfers, this may be less than the full file size. |
| 5 | Filename | Full path to transferred file on server filesystem. |
| 6 | Transfer type | a = ASCII (text, line endings converted), b = binary (exact copy). Always use binary for non-text. |
| 7 | Special action | _ = none, C = compressed, U = uncompressed, T = tar'd |
| 8 | Direction | i = incoming (upload to server), o = outgoing (download from server) |
| 9 | Access mode | a = anonymous, g = guest, r = real (authenticated) user |
| 10 | Username | FTP username. Anonymous logins show anonymous or email used as password. |
| 11 | Service name | Usually ftp. Identifies the service that generated the entry. |
| 12 | Auth method | 0 = none/anonymous, 1 = RFC 931 ident |
| 13 | Auth user ID | * if not available |
| 14 | Transfer status | c = complete (success), i = incomplete (aborted mid-transfer) |
⚠ Security Warning
Plain FTP transmits credentials in cleartext. If you see FTP logs on a public interface, verify that FTPS (ssl_enable=YES in vsftpd.conf) or SFTP (SSH-based file transfer) is in use. Plain FTP should never be exposed to the internet.
ProFTPD Log Format
ProFTPD uses a more readable format and supports extensive custom logging via LogFormat directives. Default log: /var/log/proftpd/proftpd.log.
# Auth events in system log Apr 10 17:10:05 webserver proftpd[4521]: 203.0.113.42 - USER alice: Login successful. Apr 10 17:10:07 webserver proftpd[4521]: 203.0.113.42 - RETR /pub/file.zip completed. Apr 10 17:10:09 webserver proftpd[4521]: 198.51.100.7 - USER baduser (Login failed): Incorrect password.
ProFTPD LogFormat Directive Reference
| Directive | Meaning |
|---|---|
| %a | Client IP address |
| %A | Anonymous password (email address provided) |
| %b | Bytes sent to client |
| %B | Bytes received from client (upload size) |
| %D | Full directory path of last CWD command |
| %E | Session end reason: LOGOUT, TIMEOUT, CLIENT_DISCONNECT, SERVER_SHUTDOWN |
| %f | Filename from most recent transfer command |
| %F | Filename as stored locally on server |
| %h | Resolved hostname of client (slow if DNS not cached) |
| %H | Name of virtual host serving this connection |
| %I | Total bytes received this session |
| %m | FTP command issued (RETR, STOR, DELE, MKD, RMD, etc.) |
| %O | Total bytes sent this session |
| %p | Server port number |
| %r | Full FTP request line as received |
| %s | FTP reply code sent back to client |
| %S | Full response string from server |
| %T | Transfer time in seconds |
| %u | Authenticated username |
| %U | Username as submitted (before auth, may differ from %u on failure) |
| %w | RNFR path (rename-from, for RNTO operations) |
| %{TIME} | Current timestamp in strftime format |
FTP Reply Code Reference
FTP reply codes are 3-digit numbers. The first digit = category (1=positive preliminary, 2=positive completion, 3=positive intermediate, 4=transient negative, 5=permanent negative). The second groups the type; the third is specific.
| Code | Name | Meaning & Common Cause |
|---|---|---|
| 125 | Data connection open | Transfer starting. Normal for RETR/STOR in active mode. |
| 150 | File status okay | About to open data connection. Passive mode transfer starting. |
| 200 | Command okay | Generic success for administrative commands. |
| 220 | Service ready | Server greeting after connection. Contains FTP daemon banner. |
| 221 | Service closing | Clean logout (QUIT). Normal session end. |
| 226 | Transfer complete | File transfer succeeded. Closing data connection. |
| 227 | Entering Passive Mode | PASV response with IP:port for data connection (dotted quad format). |
| 230 | User logged in | Authentication successful. Session established. |
| 250 | File action okay | CWD, DELE, RMD, RNTO completed successfully. |
| 331 | Password required | Username accepted, waiting for password. Normal mid-auth. |
| 425 | Can't open data connection | Firewall blocking data port. Check passive port range and NAT settings. |
| 426 | Connection closed, transfer aborted | Network interruption during transfer. Check connectivity or firewall timeout. |
| 430 | Invalid username or password | Authentication failure. Repeated occurrences = brute force attempt. |
| 450 | File unavailable | File busy (locked by another process) or temporary unavailability. |
| 451 | Local error in processing | Server-side error during transfer. Check disk space and filesystem health. |
| 452 | Insufficient storage space | Disk full on server. Critical — check df -h immediately. |
| 500 | Syntax error | Command not recognized. May indicate non-standard client or probe attempt. |
| 530 | Not logged in | Command requires authentication. Login failed or session expired. |
| 550 | File unavailable | File not found or permission denied. Check path and user permissions. |
| 553 | File name not allowed | Filename contains disallowed characters or path traversal attempt detected. |