(All original content on this site is licensed under the Creative Commons License Attribution-Noncommercial-No Derivative Works 3.0.)
Using Log Parser to find users accounts used to log into an FTP site
The following Log Parser query can be used on FTP log files in order to determine what user names were used to login, or attempt to login, to an FTP site.
logparser "select cs-uri-stem, count(cs-method) from ex*.log where cs-method like '%USER' group by cs-uri-stem order by count(cs-method),cs-uri-stem"
This assumes that you've added Log Parser to your path, and that you're running this from your log file directory.
This query will tell you what ip addresses successfully logged into your FTP site.
logparser "select c-ip, count(sc-status) from ex*.log where sc-status = '230' group by c-ip order by count(sc-status),c-ip"
Finally, this query will show you what ip addresses attempted to log into your FTP site, and will give a count of how many times.
logparser "select c-ip, count(*) from ex*.log group by c-ip order by count(*),c-ip"
You can find other Log Parser articles on my site by viewing other items tagged with log parser (link below).