Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
code share

FTP Session Logging

Problem this snippet solves:

This iRule logs FTP connections and username information. By default connection mapping from client through BIG-IP to server is logged as well as the username entered by the client. Optionally you can log the entire FTP session by uncommenting the log message in CLIENT_DATA.

Comments on this Snippet
Comment made 29-Jul-2016 by Pierrejn 72

I'm not good with TCL, is there a way to change the way the logging is done? I want to send it through HSL like I do for HTTP?

Comment made 2 months ago by kokushibyou 0

The regex doesn't work to capture a username with a dot or other special characters in it. And, regex can be expensive cpu wise.

This irule seems to work well by just matching on the payload containing USER and printing that, then you don't even need the regex. Also lets you capture if someone is trying to brute force with other special characters.

Rule /Common/log_ftp_sessions : FTP collected payload (30): USER S:LDEFJ:SLDFJS:DLFJ@#@%

# check if payload contains the string we want to log
if { [TCP::payload] contains "USER" } {
    log local0. "FTP Client IP [IP::client_addr]:[TCP::client_port]: ([TCP::payload length]): [TCP::payload]"

Although of course, if the user's password is USER, it'll capture the password.. but you're using stricter password requirements than that, right? ;)

Comment made 6 days ago by Petak 71

Hello there,

I'm used this Irule to log every ftp session. At the moment works perfectly for me, but i realized that some things are not being logged. For example:

When a client get a file from the ftp behind the F5, last log shows " RETR filename ", that is ok, but I would like to add when the transfer has been completed and finally when the client disconnect.

Could be possible? Regards