Cerberus FTP Server Version 11 added the IP address and username to every log statement that originates from a client connection. See how to enable this feature.

Until now, however, the Apache Log4cxx framework has lacked the ability to filter on these fields. In this release, we have added a new filter that lets you accept or deny logs based on one or more of these connection fields. For more information on the log file location, configuration file, and settings, please see Logging Settings.

A common usage for this type of filtering would be an automated system such as a heartbeat monitor that connects to the server frequently. In this case, you could remove the clutter these connections add to the log file by adding a filter in log4j.xml inside the appender tag like this:

    <filter class="MapFilter">
      <param name="client.user" value="heartbeat" />
      <param name="AcceptOnMatch" value="false" />
    </filter>

This will reject any logs from the user called heartbeat. To increase security, we could hide the logs for that user only when the connection comes from a specific IP address:

    <filter class="MapFilter">
      <param name="client.ip" value="10.0.0.199" />
      <param name="client.user" value="heartbeat" />
      <param name="Operator" value="AND" />
      <param name="AcceptOnMatch" value="false" />
    </filter>

This filter logs every entry except those where the user is heartbeat and the IP address matches the internal address of 10.0.0.199. Multiple individual filters can be applied.

Currently we support the following parameters: Operator, which is OR (default) or AND; AcceptOnMatch, which is false (default) or true; and one or more of client.ip, client.user, and client.session.

As of Cerberus 11.3.0, we support chaining of MapFilters so you can filter multiple IP addresses. Log4cxx does not support filtering using IP address wildcards, and each filter may contain at most one IP address, so each individual entry needs its own filter. If you are rejecting logs, these can be added on their own line:

    <filter class="MapFilter"><param name="client.ip" value="192.168.0.1"/></filter>
    <filter class="MapFilter"><param name="client.ip" value="192.168.0.2"/></filter>

This assumes the default AcceptOnMatch value of false to reject the log. Although highly discouraged, if you needed to only accept logs from specific hosts (AcceptOnMatch=true), you would need to add a final Deny All Filter to the end. Note: you really shouldn’t be filtering this way without a very good reason.

    <filter class="DenyAllFilter" />
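
To review what a filter chain will keep out of the log before deploying it, the following added example (not Cerberus or Log4cxx code) parses the filter elements described above and evaluates them against constructed events. It assumes a matching filter decides immediately according to AcceptOnMatch, a non-matching filter passes the event to the next one, and an event that reaches the end of the chain is logged; the function names and sample events are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed chain, built only from filter elements shown in the article.
CHAIN_XML = """
<appender>
  <filter class="MapFilter">
    <param name="client.ip" value="10.0.0.199" />
    <param name="client.user" value="heartbeat" />
    <param name="Operator" value="AND" />
    <param name="AcceptOnMatch" value="false" />
  </filter>
  <filter class="MapFilter"><param name="client.ip" value="192.168.0.1"/></filter>
</appender>
"""
FIELDS = ("client.ip", "client.user", "client.session")

def load_chain(xml_text):
    """Parse <filter> elements into (class, params, field criteria) tuples."""
    chain = []
    for f in ET.fromstring(xml_text.strip()).iter("filter"):
        params = {p.get("name"): p.get("value") for p in f.iter("param")}
        criteria = {k: v for k, v in params.items() if k in FIELDS}
        chain.append((f.get("class"), params, criteria))
    return chain

def is_logged(chain, event):
    """Assumed model: first filter that matches decides; no decision = logged."""
    for cls, params, criteria in chain:
        if cls == "DenyAllFilter":
            return False
        if not criteria:
            continue  # a MapFilter with no field criteria decides nothing
        hits = [event.get(k) == v for k, v in criteria.items()]
        use_and = params.get("Operator", "OR").upper() == "AND"
        if (all(hits) if use_and else any(hits)):
            return params.get("AcceptOnMatch", "false").lower() == "true"
    return True

def suppressed(chain, events):
    """Events that this chain keeps out of the log file."""
    return [e for e in events if not is_logged(chain, e)]

EVENTS = [  # constructed sample events, one dict of connection fields each
    {"client.ip": "10.0.0.199", "client.user": "heartbeat"},
    {"client.ip": "203.0.113.7", "client.user": "heartbeat"},
    {"client.ip": "192.168.0.1", "client.user": "alice"},
]
for e in suppressed(load_chain(CHAIN_XML), EVENTS):
    print("not logged:", e)
```

The second event shows the point of the AND filter: the heartbeat account is still logged when it connects from any address other than 10.0.0.199.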

Requirements and Support

Filtering is supported in all Editions of Cerberus FTP Server. Please let us know how you use this feature and if any additional options would be helpful.