Had to do some work with ProFTPD logs today. This script was created to get the date of last login of a user, or a list of multiple users, and return that data as a .csv file. If you have customized the log formats, you may need to tweek the regex that breaks apart the line.
Several bits are incomplete, including the proper handling of timezone offsets and usage text in the help routine, but it works if you pass it a logfile and either a name or a namefile
$ get_last_login.pl --log=auth.log --namefile=username_list.txt > last_login.csv
or
$ get_last_login.pl --log=auth.log --name=am_user > last_login.csv
In doing this work, I noticed something fun, people are now trying SQL injection through FTP:
ProFTPD Default Installation [32717] ###.###.###.### [24/Feb/2013:00:16:23 -0500] "USER %')
UNION SELECT 1,concat(0x7b,0x6d,0x64,0x35,0x7d,0x78,0x4d,0x70,0x43,0x4f,0x4b,0x43,0x35,0x49,0x34,0x49,0x4e,
0x7a,0x46,0x43,0x61,0x62,0x33,0x57,0x45,0x6d,0x77,0x3d,0x3d),NULL,NULL,concat(0x2f),concat(0x2f,0x62,0x69,
0x6e,0x2f,0x73,0x68) #" 331
A