SFTP logging: is there a way?

Solution 1:

OpenSSH versions 4.4p1 and up (which should include the latest version with CentOS 5) have SFTP logging capability built in - you just need to configure it.

Find this in your sshd_config (on CentOS, the file is /etc/ssh/sshd_config):

Subsystem       sftp    /usr/libexec/openssh/sftp-server

and change it to:

Subsystem       sftp    /usr/libexec/openssh/sftp-server -l INFO

INFO is just one level of detail over what you're seeing by default - it provides detailed information regarding file transfers, permission changes, etc. If you need more info, you can adjust the log level accordingly. The various levels (in order of detail) are:

QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3

Anything over VERBOSE is probably more information than you're looking for, but it might be useful.

Finally, restart the SSH service to apply the changes (CentOS):

systemctl restart sshd

Solution 2:

The same switches around logging for sftp-server also work for internal-sftp. Here's an example from my /etc/ssh/sshd_config:

Subsystem   sftp    internal-sftp -f AUTH -l INFO

With INFO level logging enabled, messages will start showing up under /var/log/messages (at least under Red Hat based distros):

May 27 05:58:16 test-server sshd[20044]: User child is on pid 20049
May 27 05:58:16 test-server sshd[20049]: subsystem request for sftp by user test-user
May 27 05:58:16 test-server internal-sftp[20050]: session opened for local user test-user from [192.168.1.1]
May 27 05:58:16 test-server internal-sftp[20050]: received client version 3
May 27 05:58:16 test-server internal-sftp[20050]: realpath "."
May 27 05:58:21 test-server internal-sftp[20050]: opendir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: closedir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: lstat name "/home/test-user/upload"
May 27 05:58:21 test-server internal-sftp[20050]: realpath "/home/test-user/upload/"
May 27 05:58:21 test-server internal-sftp[20050]: stat name "/home/test-user/upload"
May 27 05:58:24 test-server internal-sftp[20050]: open "/home/test-user/upload/test-file.pdf" flags WRITE,CREATE,TRUNCATE mode 0664
May 27 05:58:25 test-server internal-sftp[20050]: close "/home/test-user/upload/test-file.pdf" bytes read 0 written 1282941
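
An added example (not part of the answer above): a small Python parser that turns INFO-level lines in the format shown into one record per completed transfer, tying each open/close pair to the user and source address of the session with the same pid. The second session (pid 20077, other-user, 192.168.1.7) and the function name transfers are constructed for illustration.

```python
import re

# Constructed sample: the upload lines from the answer above plus an invented
# second session (pid 20077, user "other-user") interleaved with the first.
SAMPLE = '''\
May 27 05:58:16 test-server sshd[20049]: subsystem request for sftp by user test-user
May 27 05:58:16 test-server internal-sftp[20050]: session opened for local user test-user from [192.168.1.1]
May 27 05:58:20 test-server internal-sftp[20077]: session opened for local user other-user from [192.168.1.7]
May 27 05:58:21 test-server internal-sftp[20050]: closedir "/home/test-user/"
May 27 05:58:22 test-server internal-sftp[20077]: open "/home/other-user/report.csv" flags READ mode 0666
May 27 05:58:24 test-server internal-sftp[20050]: open "/home/test-user/upload/test-file.pdf" flags WRITE,CREATE,TRUNCATE mode 0664
May 27 05:58:25 test-server internal-sftp[20050]: close "/home/test-user/upload/test-file.pdf" bytes read 0 written 1282941
May 27 05:58:26 test-server internal-sftp[20077]: close "/home/other-user/report.csv" bytes read 5120 written 0
'''

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ (?:internal-sftp|sftp-server)\[(\d+)\]: (.*)$')
OPENED = re.compile(r'^session opened for local user (\S+) from \[([^\]]+)\]$')
OPEN = re.compile(r'^open "(.*)" flags (\S+) mode \d+$')
CLOSE = re.compile(r'^close "(.*)" bytes read (\d+) written (\d+)$')

def transfers(log_text):
    """Return one record per completed file transfer, attributed by sftp pid."""
    sessions, out = {}, []   # pid -> {"user", "ip", "open": {path: flags}}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue         # sshd and other daemons: not a transfer event
        ts, pid, msg = m.groups()
        if (o := OPENED.match(msg)):
            # A new session resets state, so a reused pid is not misattributed.
            sessions[pid] = {"user": o[1], "ip": o[2], "open": {}}
            continue
        # Session start may be missing (rotated log): keep the event, user unknown.
        s = sessions.setdefault(pid, {"user": None, "ip": None, "open": {}})
        if (o := OPEN.match(msg)):
            s["open"][o[1]] = o[2].split(",")
        elif (c := CLOSE.match(msg)):
            flags = s["open"].pop(c[1], [])
            rd, wr = int(c[2]), int(c[3])
            up = "WRITE" in flags or wr > 0
            out.append({"time": ts, "user": s["user"], "ip": s["ip"], "path": c[1],
                        "direction": "upload" if up else "download",
                        "bytes": wr if up else rd})
    return out

if __name__ == "__main__":
    for rec in transfers(SAMPLE):
        print(rec)
```
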

Solution 3:

In order to clarify the comments above:

If you have sftp configured using a jail (chroot environment), you cannot log without additional configuration effort. The log cannot be written in the chroot environment; you need to create a mount bind or a socket. I would recommend using a socket, as it is a feature delivered by syslog-ng as well as rsyslog (and maybe many more).

For those who are using syslog-ng, have a look at this link. For those who are using rsyslog; Hope that helps.
