Hello,
I'm trying to debug an issue with an FTP service. I'd like to know which users are using 'active data connection', where the connecting point would only be the sessionID. I have already extracted sessionID and userID as fields.
The logs for the sessions vary between 150 and 3000 lines of events, and I don't know how to match my search criteria to extract the userID connected to the sessionID that my search result returns.
index=p_ftp sourcetype=debug "active data connection" | stats values(sessionID)
This is giving me the sessionIDs properly, I just need the userIDs from the session it logged usually plenty of lines before.
Can you please help me?
Thanks a lot in advance
If I remember correctly, it's not a session ID as such, but a process identifier for a particular process spawned from the main proftpd daemon to serve this client.
Anyway, it's easiest to correlate such sequences of events with a transaction.
You do
| transaction SessionID
And you get events grouped into transactions. From those you can
| search "active connection or whatever you need"
And finally get your userid field from matching transactions by means of "fields" or "table" commands.
Show us a bit of your data. For now it's not obvious what's the relation (in your raw events) between UserID and SessionID.
If you have events matching UserID and SessionID - that's great, the possible solution has already been posted. But if you have distinct events - one specifying SessionID and another one with UserID - that won't be that easy. You'll need something to connect the events on.
Ah yes, sorry, it would be much easier of course.
This is an example where you can see the session number is 3082, the user is ftptest_user, and I'm looking for the user of the session where my search matches 'active data connection opened'.
2021-10-22 14:22:06,261 proftpd[3082] ftp.ip (client.ip[client.ip]): USER ftptest_user: Login successful.
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_core
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_core
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_auth
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): in dir_check_full(): path = '/monitor.txt', fullpath = '/monitor.txt'
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - local : ftp.ip:46490
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - remote : client.ip:9288
wow thanks it worked like a charm 🙂
One more thing - as I said earlier - since your sessionID is actually a pid of proftpd process and might roll-over and repeat, you might tweak the transaction parameters a little (especially the duration and/or events triggering start/end of transaction). But if you don't have many clients, it might not be necessary.
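As an added example (not from the thread, not Splunk's own code): the correlation that `| transaction SessionID` performs, done offline in Python over constructed proftpd debug lines shaped like the ones posted above. Each "Login successful" line is treated as the start of a new session on that pid, so a reused pid (the rollover caveat) is attributed to the later user; the field names and every sample line after the first four are assumptions.

```python
import re

# Shape of the proftpd debug lines in the thread: timestamp, pid in brackets,
# then the free-text message after the "): " separator.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) proftpd\[(?P<pid>\d+)\] .*?\): (?P<msg>.*)$'
)
LOGIN_RE = re.compile(r"^USER (?P<user>\S+): Login successful\.$")

# Constructed sample (assumption): pid 3082 is reused later by a different
# user, which is why a login line must open a fresh "transaction" for the pid.
SAMPLE_LOG = """\
2021-10-22 14:22:06,261 proftpd[3082] ftp.ip (client.ip[client.ip]): USER ftptest_user: Login successful.
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - local : ftp.ip:46490
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - remote : client.ip:9288
2021-10-22 14:30:00,100 proftpd[4101] ftp.ip (client.ip[client.ip]): USER passive_user: Login successful.
2021-10-22 14:30:00,200 proftpd[4101] ftp.ip (client.ip[client.ip]): passive data connection opened - local : ftp.ip:50001
2021-10-22 16:05:12,000 proftpd[3082] ftp.ip (client.ip[client.ip]): USER other_user: Login successful.
2021-10-22 16:05:12,050 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - local : ftp.ip:46500
"""


def correlate(log_text, needle="active data connection"):
    """Return sorted (pid, user) pairs whose session logged a line containing
    `needle`. The user is taken from the most recent login on the same pid."""
    current_user = {}   # pid -> user of the session currently open on that pid
    matches = set()     # set() collapses the local/remote pair into one hit
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # not a proftpd debug line; ignore it
        pid, msg = m.group("pid"), m.group("msg")
        login = LOGIN_RE.match(msg)
        if login:
            current_user[pid] = login.group("user")   # transaction start event
        elif needle in msg:
            matches.add((pid, current_user.get(pid, "<unknown>")))
    return sorted(matches)


if __name__ == "__main__":
    for pid, user in correlate(SAMPLE_LOG):
        print(f"pid={pid} user={user}")
```

Without the login-resets-session rule, the 16:05 event on pid 3082 would be credited to ftptest_user, which is the mis-attribution the rollover remark warns about.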
Hi @pbabos,
did you try something like this:
index=p_ftp sourcetype=debug "active data connection"
| stats values(userID) AS userID BY sessionID
?
Ciao.
Giuseppe