SFTP logging: is there a way?
Solution 1:
OpenSSH versions 4.4p1 and up (which should include the latest version with CentOS 5) have SFTP logging capability built in - you just need to configure it.
Find this in your sshd_config (on CentOS, the file is /etc/ssh/sshd_config):
Subsystem sftp /usr/libexec/openssh/sftp-server
and change it to:
Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO
INFO is just one level of detail over what you're seeing by default - it provides detailed information regarding file transfers, permission changes, etc. If you need more info, you can adjust the log level accordingly. The various levels (in order of detail) are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3
Anything over VERBOSE is probably more information than you're looking for, but it might be useful.
Finally, restart the SSH service to apply the changes (CentOS):
systemctl restart sshd
Solution 2:
The same switches around logging for sftp-server also work for internal-sftp. Here's an example from my /etc/ssh/sshd_config:
Subsystem sftp internal-sftp -f AUTH -l INFO
With INFO level logging enabled, messages will start showing up under /var/log/messages (at least under Red Hat based distros):
May 27 05:58:16 test-server sshd[20044]: User child is on pid 20049
May 27 05:58:16 test-server sshd[20049]: subsystem request for sftp by user test-user
May 27 05:58:16 test-server internal-sftp[20050]: session opened for local user test-user from [192.168.1.1]
May 27 05:58:16 test-server internal-sftp[20050]: received client version 3
May 27 05:58:16 test-server internal-sftp[20050]: realpath "."
May 27 05:58:21 test-server internal-sftp[20050]: opendir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: closedir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: lstat name "/home/test-user/upload"
May 27 05:58:21 test-server internal-sftp[20050]: realpath "/home/test-user/upload/"
May 27 05:58:21 test-server internal-sftp[20050]: stat name "/home/test-user/upload"
May 27 05:58:24 test-server internal-sftp[20050]: open "/home/test-user/upload/test-file.pdf" flags WRITE,CREATE,TRUNCATE mode 0664
May 27 05:58:25 test-server internal-sftp[20050]: close "/home/test-user/upload/test-file.pdf" bytes read 0 written 1282941
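An added example, not part of the answer above or of OpenSSH: this Python script pairs the open and close lines of an INFO-level log like the one quoted in Solution 2 into one record per file transfer, attributed to the session's user and client address by PID. The function name and record fields are assumptions; the sample lines are taken from the log above.

```python
import re

# Sample input: a subset of the log lines quoted in Solution 2.
SAMPLE = '''\
May 27 05:58:16 test-server sshd[20049]: subsystem request for sftp by user test-user
May 27 05:58:16 test-server internal-sftp[20050]: session opened for local user test-user from [192.168.1.1]
May 27 05:58:21 test-server internal-sftp[20050]: opendir "/home/test-user/"
May 27 05:58:24 test-server internal-sftp[20050]: open "/home/test-user/upload/test-file.pdf" flags WRITE,CREATE,TRUNCATE mode 0664
May 27 05:58:25 test-server internal-sftp[20050]: close "/home/test-user/upload/test-file.pdf" bytes read 0 written 1282941
'''

# Traditional syslog prefix, then the SFTP process tag with its PID.
LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ '
                  r'(?:internal-sftp|sftp-server)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
OPENED = re.compile(r'^session opened for local user (\S+) from \[([^\]]+)\]')
OPEN = re.compile(r'^open "(.*)" flags (\S+) mode (\d+)$')
CLOSE = re.compile(r'^close "(.*)" bytes read (\d+) written (\d+)$')

def transfers(lines):
    """Return one dict per completed transfer (hypothetical record layout)."""
    sessions = {}   # pid -> (user, client ip)
    pending = {}    # (pid, path) -> flags seen on the matching open
    out = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # sshd and unrelated daemons
        pid, msg = m['pid'], m['msg']
        if (s := OPENED.match(msg)):
            sessions[pid] = (s[1], s[2])
        elif (o := OPEN.match(msg)):
            pending[(pid, o[1])] = o[2]
        elif (c := CLOSE.match(msg)):
            user, ip = sessions.get(pid, ('?', '?'))   # session start may have rotated out
            flags = pending.pop((pid, c[1]), '')
            read, written = int(c[2]), int(c[3])
            # Prefer the open flags; fall back to the byte counters if the open was not seen.
            upload = 'WRITE' in flags.split(',') or (not flags and written > 0)
            out.append({'time': m['ts'], 'user': user, 'ip': ip, 'path': c[1],
                        'direction': 'upload' if upload else 'download',
                        'bytes': written if upload else read})
    return out

if __name__ == '__main__':
    for record in transfers(SAMPLE.splitlines()):
        print(record)
```

File names in these records are chosen by the client, so treat the path field as untrusted when forwarding it to other tools.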
Solution 3:
In order to clarify the comments above:
If you have sftp configured using a jail (chroot environment), you cannot log without additional configuration effort. The log cannot be written in the chroot environment; you need to create a mount bind or a socket. I would recommend using a socket, as it is a feature delivered by syslog-ng as well as rsyslog (and maybe many more).
For those who are using syslog-ng, have a look at this link. For those who are using rsyslog; Hope that helps.