The FTP log contains a record of all FTP connections but excludes any connections made via SFTP/SSH. The log itself is a plain text file which can be read with any plain text reader.
The FTP log entries
A sample entry from an FTP log is:
♦ Tue Jul 17 12:59:37 2012 0 123.456.789.000 750 /home/$USER/public_html/index.html b _ i r $USER ftp 1 * c
♦Tue Jul 17 12:59:37 2012 0 123.456.789.000 750 /home/$USER/public_html/index.html b _ o r $USER ftp 1 * c
The first part gives you:
♦ the weekday, date and time of the operation
♦ the IP address of the person connecting via FTP
♦ the file size in bytes
♦ the file path
FIRST LETTER : TRANSFER MODE
♦ a = ascii
♦ b = binary
Underscore: A letter in this position would indicate any special operations, like gzipping or tarring the data on-the-fly. “_”, meaning “no special operation”.
SECOND LETTER : TRANSFER DIRECTION
♦ i = input (= upload = FTP PUT)
♦ o = output (=download = FTP GET)
THIRD LETTER : ACCESS MODE
♦ a = anonymous
♦ g = guest user
♦ r = regular user
Followed by the username of the person performing the operation.
“ftp 1 *“: service name, authentication method and authentication user id (if applicable). This is a constant string that carries no useful information.
THE LAST LETTER : COMPLETION STATUS
♦ c = completed
♦ i = interrupted (transfer failed)