Analyzing proftpd xferlog file

Recently I've had to research on some missing files of a website.

When looking through the proftpd xferlog files, it was clear that the files were deleted by a user having ftp access.

The xferlog file is usually located at "/var/log/xferlog". However, since this was a plesk server, it was located at:
"/var/www/vhosts/{DOMAIN}/statistics/logs/xferlog_regular*"

A quick grep produced the files that were deleted out and could easily be recovered from a previous backup. Also, discovered the time and offending IP address of the person that did the deletes.

Full listing:

Listing of just the deleted files:

Below are some additional notes on xferlog anlysis:

The last character in each row shows the completion status of the transfer. This should be "c" for complete and "i" for incomplete transfer.

Return all incomplete transfers:

The three characters following the file name represent the transfer-type (ascii or binary), any special actions (usually _ meaning none) and the direction (outgoing, incoming or deleted).

1. ascii format:
   • a _ i (uploaded)
     
   • a _ o (downloaded)
     
   • a _ d (deleted)
2. binary format:
   • b _ i (uploaded)
     
   • b _ o (downloaded)
     
   • b _ d (deleted)

Examples:

1. To extract a list of all successfully uploaded files:
   
   $ awk '($12 ~ /^i$/ && $NF ~ /^c$/){print $9}' /path/to/xferlog
2. Extract list of uploads that were unsuccessful:
   
   awk '($12 ~ /^i$/ && $NF ~ /^i$/){print $9}' /path/to/xferlog