USM Anywhere™


When you configure ProFTPD integration to send log data to USM Anywhere, you can use the ProFTPD plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor ProFTPD
Device type FTP server
Connection type syslog
Vendor link and

Integrating ProFTPD

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

ProFTPD logs through syslog by default, using the daemon facility for most logging. However, auth is also used occasionally. The following levels can be selected:

  • err
  • notice
  • warn
  • info
  • debug (debugging occurs at the syslog level)

The location of the server's log files in this case is determined by your /etc/syslog.conf configuration.

You can fine-tune syslog-based logging by ProFTPD through the SyslogFacility and SyslogLevel directives. See the vendor's log level documentation for more details on these settings.

Transfer logs (xferlogs) do not go to syslog. An ExtendedSyslog directive can substitute for this, however:

LogFormat xfer "%h %l %u %t\"%r\" %s %b"

ExtendedLog syslog:notice xfer

You must also tell the syslog server to send this log output to another server, in this case, your USM Anywhere sensor, and to write it to a log file.

The normal Linux syslog uses a file called /etc/syslog.conf (or some variant of this) to configure how syslog streams. Because the Apache error log uses syslog-standard severity ratings, you can use normal syslog configurations to split syslog output into different files based on severity.

To send log entries to your USM Anywhere sensor, you can use this command:

if $programname == 'proftpd' then @<USM_Anywhere_Sensor_IP_address>

& stop

Plugin Enablement

The ProFTPD plugin automatically processes all messages that have proftpd as the syslog tag.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome

  • audit_reason

  • customfield_0

  • destination_address

  • destination_hostname

  • destination_username

  • event_description

  • event_name

  • file_path

  • rep_device_version

  • source_address


For troubleshooting, refer to the vendor documentation: