Ftp – IIS 8 FTP – how to find out failed user authentication (and client IP) in the log

Tags: ftp, iis-8, windows-server-2012-r2

Hello, this is a mystery for me. We have an FTP server in our company and some accounts are sometimes locked because of repeated logins with a bad password. I am trying to search in the FTP logfile (u_ex160330.log) but have no idea if it is logged there at all and how to find it. A line containing the username and the PASS command means the user is authenticating, but how do I see when it failed? There is no "error" or "fail" in that log. I thought that a successful login means the next line with the same username contains the SYST command, but there are hundreds of users, so lines from different usernames are all mixed together and I would have to write some crazy script logic to go through it, and anyway I have no idea what to look for. Googling took me more time than writing this, so I think it would be more effective to just ask 😉 Thank you

Best Answer

I hope I understand your question correctly.

You can customize your FTP logging by selecting W3C Fields.

First of all, make sure that you have FTP Extensibility enabled, either by searching for it in "Programs & Features" or by simply running this command in an elevated PowerShell:

get-windowsfeature Web-Ftp-Ext | select InstallState

If it doesn't return "Installed", use

get-windowsfeature Web-Ftp-Ext | Add-Windowsfeature

to install the feature.

Inside IIS Manager, at your FTP site level, you should see an option called "FTP Logging". Double-click that, then in the "Log File Rollover" section click "Select W3C Fields" and activate everything that you want to log (IP addresses, for example).

The logging information is stored in %SystemDrive%\inetpub\logs\LogFiles by default. If you changed your log path to somewhere else, you'll need to find your custom log path.

If this logging is not enough to collect the information you want, I'd suggest collecting traces for FTP sessions. You'll need logman and logparser for this task. With those, you should be able to get your authentication error.

logman and logparser will tell you when and where exactly the error occurs and give you the proper error code for this scenario.

Detailed information on how to work with logman and logparser: http://blogs.iis.net/sudt/collecting-etw-traces-for-ftp-sessions
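Once the W3C fields described in the answer (client IP, username, method, status) are enabled, the rejected logins can be pulled straight out of the log without tracing. The script below is an added example, not code from the question or the answer; it assumes the log carries the date, time, c-ip, cs-username, cs-method and sc-status fields, and that IIS writes the FTP reply code into sc-status (230 for a successful PASS, 530 for a rejected one). The log lines are constructed to match the IIS W3C layout, not a real capture.

```python
"""Find rejected FTP logins (PASS answered with 530) in an IIS W3C FTP log.
Assumes the W3C fields listed in the lead-in are enabled and that sc-status
holds the FTP reply code (230 = logged in, 530 = not logged in)."""
from collections import Counter

# Constructed sample in the IIS FTP W3C layout (not a real log capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-03-30 08:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2016-03-30 08:00:01 192.0.2.10 - 198.51.100.5 21 USER alice 331 0
2016-03-30 08:00:02 192.0.2.10 alice 198.51.100.5 21 PASS *** 230 0
2016-03-30 08:00:03 192.0.2.10 alice 198.51.100.5 21 SYST - 215 0
2016-03-30 08:00:05 203.0.113.7 - 198.51.100.5 21 USER bob 331 0
2016-03-30 08:00:06 203.0.113.7 bob 198.51.100.5 21 PASS *** 530 1326
2016-03-30 08:00:08 203.0.113.7 - 198.51.100.5 21 USER bob 331 0
2016-03-30 08:00:09 203.0.113.7 bob 198.51.100.5 21 PASS *** 530 1326
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header is re-emitted after each rollover
        elif line.startswith("#") or not line.strip():
            continue                    # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def failed_logins(text):
    """Return (date, time, client ip, username) for every PASS rejected with 530."""
    return [
        (r["date"], r["time"], r["c-ip"], r["cs-username"])
        for r in parse_w3c(text)
        if r.get("cs-method") == "PASS" and r.get("sc-status") == "530"
    ]

def failures_by_source(text):
    """Count rejected logins per (client ip, username) to find the lockout source."""
    return Counter((ip, user) for _, _, ip, user in failed_logins(text))

if __name__ == "__main__":
    for (ip, user), n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{user:<12} {ip:<16} {n} failed PASS")
```

Point `failed_logins` at the contents of u_ex160330.log to list every rejected password attempt with its source address; the per-source count shows which client is triggering the lockouts.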