SFTP logging: is there a way?

ssh sftp

I'm wondering if there is a way to log commands received by the server. It can be all SSH commands, as long as it includes information on commands related to file transfer.

I'm having issues with an SFTP client and the creator is asking for logs, but I am unable to find any existing logs.

I'm looking to log on both or either CentOS or OS X (although I suspect if it's possible, it'd be similar on both).


Solution 1:

OpenSSH versions 4.4p1 and up (which should include the latest version with CentOS 5) have SFTP logging capability built in - you just need to configure it.

Find this in your sshd_config (in centos, file /etc/ssh/sshd_config):

Subsystem       sftp    /usr/libexec/openssh/sftp-server

and change it to:

Subsystem       sftp    /usr/libexec/openssh/sftp-server -l INFO

INFO is just one level of detail over what you're seeing by default - it provides detailed information regarding file transfers, permission changes, etc. If you need more info, you can adjust the log level accordingly. The various levels (in order of detail) are:

QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3

Anything over VERBOSE is probably more information than you're looking for, but it might be useful.

Finally restart the SSH service to update the changes (centos):

systemctl restart sshd

Solution 2:

The same switches around logging for sftp-server also work for internal-sftp. Here's an example from my /etc/ssh/sshd_config:

Subsystem   sftp    internal-sftp -f AUTH -l INFO

With INFO level logging enabled messages will start showing up under /var/log/messages (at least under Red Hat based Distros):

May 27 05:58:16 test-server sshd[20044]: User child is on pid 20049
May 27 05:58:16 test-server sshd[20049]: subsystem request for sftp by user test-user
May 27 05:58:16 test-server internal-sftp[20050]: session opened for local user test-user from [192.168.1.1]
May 27 05:58:16 test-server internal-sftp[20050]: received client version 3
May 27 05:58:16 test-server internal-sftp[20050]: realpath "."
May 27 05:58:21 test-server internal-sftp[20050]: opendir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: closedir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: lstat name "/home/test-user/upload"
May 27 05:58:21 test-server internal-sftp[20050]: realpath "/home/test-user/upload/"
May 27 05:58:21 test-server internal-sftp[20050]: stat name "/home/test-user/upload"
May 27 05:58:24 test-server internal-sftp[20050]: open "/home/test-user/upload/test-file.pdf" flags WRITE,CREATE,TRUNCATE mode 0664
May 27 05:58:25 test-server internal-sftp[20050]: close "/home/test-user/upload/test-file.pdf" bytes read 0 written 1282941

Solution 3:

In order to clearify the comments above:

If you have sftp configured using a jail (chroot environment), you cannot log without additional configuration effort. The log cannot be written in the chroot environment, you need to create a mount bind or a socket. I would recommend using a socket, as it is a feature delivered by syslog-ng as well as rsyslog (and maybe many more).

For those who are using syslog-ng, have a look at this link. For those who are using rsyslog; Hope that helps.

Related

How do I redirect subdomains to a different port on the same server?
What solutions exist to allow the use of revision control for server configuration files? [closed]
What is a good SSH server to use on Windows? [closed]
Non-volatile cache RAID controllers: what kind of protection is there against NVCACHE failure?
Set root domain record to be a CNAME
In DNS can an IN NS point to a CNAME?
Is there a big difference between CentOS 6.4 to 6.2 and should I up/down-grade?
Why multiple PTR records in DNS is not recommended?
DNS just started resolving my server.prod addresses to 127.0.53.53
FTP and Apache permission issues
`sudo echo "bla" >> /etc/sysctl.conf` permission denied
Should I use IPv6 only or both IPv4 and IPv6 in my web server?