Finding deleted/imported files in SFTP server using logs

logging sftp

We have an SFTP server, I am trying to find out if some specific files have been deleted from the server or if they have even imported to the server or not. I'm going through the log files under /var/log but coudn't find out relevant logs so far.

I'm wondering in which log file I can find such infomation?

Any help would be appreciated.

Updated:

Based on the answer and the link: enter link description here I have modified config file which parts of it looks like below:

Subsystem sftp internal-sftp -f AUTH -l INFO

# Force sftp and chroot jail for members of sftp group
Match group sftp
ForceCommand internal-sftp
ChrootDirectory /sftp/%u

# Members of sftp-glob have access to all user folders
Match group sftp-glob
ForceCommand internal-sftp
ChrootDirectory /sftp


# Enable this for more logs
LogLevel VERBOSE

Then restarted sshd:

sudo systemctl restart sshd

In this case I can only see the logs created by admin user(me) under /var/log/auth.log

Jan 17 12:57:50 ios-sftp internal-sftp[5262]: remove name "/tmp/test.txt"

For logging the chrooted users actions I have done this:

cd /sftp 
sudo mkdir dev
sudo chmod 755 dev
sudo touch dev/log
sudo mount --bind /dev/log dev/log

However I still can't see the other users logs in /var/log/auth.log if they upload or delete files.

It started to work after fixing config file by changing ForceCommand internal-sftp to ForceCommand internal-sftp -f AUTH -l INFO

Subsystem sftp internal-sftp -f AUTH -l INFO

# Force sftp and chroot jail for members of sftp group
Match group sftp
ForceCommand internal-sftp -f AUTH -l INFO
ChrootDirectory /sftp/%u

# Members of sftp-glob have access to all user folders
Match group sftp-glob
ForceCommand internal-sftp -f AUTH -l INFO
ChrootDirectory /sftp


# Enable this for more logs
LogLevel VERBOSE

now I can see the logs under /var/log/auth.log:

Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58

By default transferred files is not logged by sftp in system logs, only connection-disconnection.

It can be enabled for future transactions, but that probably won't help you solving your problem at hand - but it may solve it for the future.

Related

mysql: set default charset to utf8
Load Balance Web Farm on EC2 [closed]
How do I fix the built-in Windows Firewall which is blocking packets despite a configured exception?
Remote Desktop to Vista Home Premium PCs
Does anyone have Experience with LeftHand's VSA SAN? [closed]
Allow files to be listed when viewing a directory but protected (via HTTP authentication) when accessed directly
Apache Rewrite rules - remove '/'s in URL
Puppet 5.5.22, dnfmodule reset
How to connect RDS from a different account with allowed IP in AWS?
adb devices command not working
How to implement ngModel on custom elements?
Umbraco, is it just me or is it really hard to use? [closed]