How to log FTP commands

If you need to log what FTP users do on your system, follow the steps below. (This does not recover past commands; it only records commands issued after you complete these steps.)

1 – Open the file "/etc/inetd.conf" and add the option "-d" at the end of the FTP line, like the following:

ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd -d

2 – Refresh the inetd service like this:

# refresh -s inetd
0513-095 The request for subsystem refresh was completed successfully.

3 – Open the syslog.conf file and add the following line:

daemon.debug /tmp/daemon.log

4 – Refresh the syslog daemon like this:

# refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.

And this is a sample of the log:

Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 220
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: localhost FTP server (Version 4.2 Mon Sep 10 15:04:59 CDT 2012) ready.
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: USER root^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 331
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: Password required for root.
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: PASS
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 230-
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: Last unsuccessful login: Mon Oct 21 11:58:41 EGYPT 2013 on ssh from 10.10.10.10
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 230-
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: Last login: Tue Oct 22 12:07:07 EGYPT 2013 on ftp from 10.10.10.10
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 230
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: User root logged in.
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: SYST^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 215
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: UNIX Type: L8 Version: BSD-44
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: FEAT^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 500
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: 'FEAT': command not understood.
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: PWD^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 257
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: "/" is current directory.
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: TYPE A^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 200
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: Type set to A; form set to N.
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: PORT 10.10.10.10,204,219^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 200
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: PORT command successful.
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: LIST -a^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 150
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: Opening data connection for /bin/ls.
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 226
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: Transfer complete.
Oct 22 12:19:15 localhost daemon:debug ftpd[18219568]: <--- 221
Oct 22 12:19:15 localhost daemon:debug ftpd[18219568]: You could at least say goodbye.
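
The debug log above can be turned into a per-session audit trail. The following is an added example, not part of the original post: it groups the "ftpd -d" lines by process ID, pairs each client command with the server's final reply code, and decodes the PORT argument into an address and port. The function names and the embedded sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the "ftpd -d" format shown above; "^M" is how the
# trailing carriage return of each client command appears in the log.
SAMPLE = """\
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: USER root^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 331
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: PASS
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 230-
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 230
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: PORT 10.10.10.10,204,219^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 200
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: command: LIST -a^M
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 150
Oct 22 12:19:09 localhost daemon:debug ftpd[18219568]: <--- 226
Oct 22 12:19:15 localhost daemon:debug ftpd[18219568]: <--- 221
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ daemon:debug ftpd\[(\d+)\]: (.*)$")
REPLY = re.compile(r"<--- (\d{3})(-?)$")

def parse_sessions(text):
    """Group ftpd debug lines by PID; pair each command with its final reply code."""
    sessions = defaultdict(lambda: {"user": None, "logged_in": False, "events": []})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, pid, msg = m.groups()
        s = sessions[pid]
        reply = REPLY.match(msg)
        if msg.startswith("command: "):
            verb, _, arg = msg[9:].replace("^M", "").strip().partition(" ")
            s["events"].append({"time": when, "verb": verb.upper(), "arg": arg, "code": None})
            if verb.upper() == "USER":
                s["user"] = arg
        elif reply and not reply.group(2) and s["events"]:
            last = s["events"][-1]
            # Skip "230-" continuations; let a 1xx preliminary reply be replaced by the final one.
            if last["code"] is None or last["code"].startswith("1"):
                last["code"] = reply.group(1)
                s["logged_in"] |= last["verb"] == "PASS" and last["code"] == "230"
    return dict(sessions)

def port_target(arg):
    """Decode a PORT argument (h1,h2,h3,h4,p1,p2) into (ip, port)."""
    n = re.split(r"[.,]", arg)
    return ".".join(n[:4]), int(n[4]) * 256 + int(n[5])
```

Replies that arrive with no pending command, such as the closing 221 in the sample, are not attached to any event.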
