Finding deleted/imported files in SFTP server using logs
We have an SFTP server. I am trying to find out if some specific files have been deleted from the server, or if they have even been imported to the server or not. I'm going through the log files under /var/log but couldn't find relevant logs so far.
I'm wondering in which log file I can find such information?
Any help would be appreciated.
Updated:
Based on the answer and the link, I have modified the config file; the relevant parts of it look like this:
Subsystem sftp internal-sftp -f AUTH -l INFO
# Force sftp and chroot jail for members of sftp group
Match group sftp
ForceCommand internal-sftp
ChrootDirectory /sftp/%u
# Members of sftp-glob have access to all user folders
Match group sftp-glob
ForceCommand internal-sftp
ChrootDirectory /sftp
# Enable this for more logs
LogLevel VERBOSE
Then restarted sshd:
sudo systemctl restart sshd
In this case I can only see the logs created by the admin user (me) under /var/log/auth.log:
Jan 17 12:57:50 ios-sftp internal-sftp[5262]: remove name "/tmp/test.txt"
For logging the chrooted users' actions I have done this:
cd /sftp
sudo mkdir dev
sudo chmod 755 dev
sudo touch dev/log
sudo mount --bind /dev/log dev/log
However, I still can't see the other users' logs in /var/log/auth.log if they upload or delete files.
It started to work after fixing the config file by changing ForceCommand internal-sftp to ForceCommand internal-sftp -f AUTH -l INFO:
Subsystem sftp internal-sftp -f AUTH -l INFO
# Force sftp and chroot jail for members of sftp group
Match group sftp
ForceCommand internal-sftp -f AUTH -l INFO
ChrootDirectory /sftp/%u
# Members of sftp-glob have access to all user folders
Match group sftp-glob
ForceCommand internal-sftp -f AUTH -l INFO
ChrootDirectory /sftp
# Enable this for more logs
LogLevel VERBOSE
Now I can see the logs under /var/log/auth.log:
Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58
By default, transferred files are not logged by sftp in system logs, only connections and disconnections.
It can be enabled for future transactions, but that probably won't help you solve your problem at hand. It may solve it for the future, though.
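Once transfer logging is enabled as in the config above, /var/log/auth.log can be searched for what happened to a specific file and who did it. The following is an added example, not part of the original posts: it ties each internal-sftp event to a user through the process ID of the session, and reports paths as logged, that is, relative to each user's chroot. The sample log is constructed, and the "session opened" and "close" message formats are assumed from OpenSSH's sftp-server; only "remove name" and "set ... modtime" appear on this page.

```python
import re

# Constructed sample of /var/log/auth.log (host, users and IPs are made up).
# Message formats other than "remove name" and "set ... modtime" are assumed.
SAMPLE_LOG = """\
Jan 18 10:12:58 user-sftp internal-sftp[7466]: session opened for local user alice from [192.0.2.10]
Jan 18 10:13:01 user-sftp internal-sftp[7466]: open "/folder1/folder2/myfile.xml" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 18 10:13:02 user-sftp internal-sftp[7466]: close "/folder1/folder2/myfile.xml" bytes read 0 written 2048
Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58
Jan 18 10:20:11 user-sftp sshd[7501]: Accepted publickey for bob from 192.0.2.11 port 50022 ssh2
Jan 18 10:20:12 user-sftp internal-sftp[7503]: session opened for local user bob from [192.0.2.11]
Jan 18 10:20:15 user-sftp internal-sftp[7503]: remove name "/alice/folder1/folder2/myfile.xml"
Jan 18 10:20:16 user-sftp internal-sftp[7503]: session closed for local user bob from [192.0.2.11]
"""

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ internal-sftp\[(\d+)\]: (.*)$')
SESSION = re.compile(r'^session opened for local user (\S+) from \[([^\]]+)\]')
EVENTS = {
    # A close with bytes written > 0 marks a completed upload.
    "upload": re.compile(r'^close "(.+)" bytes read \d+ written [1-9]\d*$'),
    "delete": re.compile(r'^remove name "(.+)"$'),
}

def file_events(log_text):
    """Return upload/delete events, attributed to a user via the process ID."""
    sessions, events = {}, []           # sessions: pid -> (user, ip)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                    # sshd, cron and other non-sftp lines
        ts, pid, msg = m.groups()
        s = SESSION.match(msg)
        if s:
            sessions[pid] = s.groups()  # a reused PID is overwritten by the new session
            continue
        for action, rx in EVENTS.items():
            hit = rx.match(msg)
            if hit:
                user, ip = sessions.get(pid, ("unknown", "unknown"))
                events.append({"time": ts, "user": user, "ip": ip,
                               "action": action, "path": hit.group(1)})
    return events

def history(log_text, filename):
    """Events for one file name; paths are relative to each user's chroot."""
    return [e for e in file_events(log_text) if e["path"].rsplit("/", 1)[-1] == filename]

if __name__ == "__main__":
    for e in history(SAMPLE_LOG, "myfile.xml"):
        print(e["time"], e["user"], e["ip"], e["action"], e["path"])
```

Because the logged path depends on the chroot (/sftp/%u for the sftp group, /sftp for sftp-glob), the same file shows up under different paths for different users, which is why the lookup matches on the file name.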