
Log SFTP file transfers?

Hi,


I was finally able to set up a Chrooted SFTP server on 10.6 server. I'm just trying to figure out how to log the transfers?


Here is my logging info in sshd_config:


# Logging

# obsoletes QuietMode and FascistLogging

SyslogFacility AUTHPRIV

LogLevel INFO


which is currently putting login info in the secure.log but nothing about file transfers. I tried going down to DEBUG mode but it was just lower level login info. I also see a sftp-server.log in the console but there is nothing in it.


Is there any way to log file transfers?

Posted on Jul 13, 2011 11:18 AM

Question marked as Best reply

Posted on Jul 13, 2011 12:38 PM

What you're looking at is the sshd logging, not the sftp-server logging.


If you look further down /etc/sshd_config you'll find where the sftp daemon is configured:


Subsystem sftp /usr/libexec/sftp-server

You need to change this line to include the logging directive for sftp-server:


Subsystem sftp /usr/libexec/sftp-server -l INFO

Jul 13, 2011 3:04 PM in response to Camelot

Thanks Camelot. Got me on the right track.


I'm using

Subsystem sftp internal-sftp

as part of the chroot set up. I tried

Subsystem sftp internal-sftp -l INFO

but I'm getting nothing in the sftp-server.log


Here is my sshd_config

# override default of no subsystems

#Subsystem sftp /usr/libexec/sftp-server

Subsystem sftp internal-sftp -l VERBOSE



# Example of overriding settings on a per-user basis

#Match User anoncvs

# X11Forwarding no

# AllowTcpForwarding no

# ForceCommand cvs server



Match Group admin

X11Forwarding no

AllowTCPForwarding no

ChrootDirectory /Volumes/Server/User

ForceCommand internal-sftp -l VERBOSE



Match Group users

X11Forwarding no

AllowTCPForwarding no

ChrootDirectory /Volumes/Server/User/%u

ForceCommand internal-sftp



I tried VERBOSE and INFO with no luck.

Jul 13, 2011 3:35 PM in response to s-chilly

Ok it looks like it's logging to the secure.log

Jul 13 15:28:05 comp internal-sftp[59696]: session opened for local user s-chilly from [xxx.xxx.xxx.xxx]

Jul 13 15:28:05 comp internal-sftp[59696]: received client version 3

Jul 13 15:28:05 comp internal-sftp[59696]: realpath "."

Jul 13 15:28:05 comp internal-sftp[59696]: realpath "/uploads"

Jul 13 15:28:05 comp internal-sftp[59696]: stat name "/uploads"

Jul 13 15:28:05 comp internal-sftp[59696]: open "/uploads/Screen shot 2011-04-08 at 11.04.28 AM.png" flags WRITE,CREATE,TRUNCATE mode 0644

Jul 13 15:28:05 comp internal-sftp[59696]: close "/uploads/Screen shot 2011-04-08 at 11.04.28 AM.png" bytes read 0 written 15383




so does that mean it's logging as authpriv? as here is my syslog.conf:

cat /etc/syslog.conf

*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console

*.notice;kern,authpriv,remoteauth,ftp,install.none;mail.crit /var/log/system.log

kern.* /var/log/kernel.log



# Send messages normally sent to the console also to the serial port.

# To stop messages from being sent out the serial port, comment out this line.

#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial



# The authpriv log file should be restricted access; these

# messages shouldn't go to terminals or publically-readable

# files.

auth.info;authpriv.*;remoteauth.crit /var/log/secure.log



# used for the adaptive firewall: man emlog.pl

auth.info;authpriv.* @127.0.0.1:60762



lpr.info /var/log/lpr.log

mail.crit /var/log/mail.log

ftp.* /var/log/ftp.log

install.* /var/log/install.log

install.* @127.0.0.1:32376

local0.* /var/log/appfirewall.log

local1.* /var/log/ipfw.log



*.emerg *

LOCAL4.*;LOCAL4.debug /var/log/slapd.log

local6.crit /var/log/mailaccess.log

local5.crit /var/log/securityproxy/mail_error.log

local3.crit /var/log/securityproxy/mail_access.log

sftp-server.* /var/log/sftp-server.log



# SFTP LOGGING

sftp_server.* /var/log/sftp-server.log



I tried setting

ForceCommand internal-sftp -l VERBOSE -f sftp-server


but that kept giving me

internal-sftp[59204]: error: Invalid log facility "sftp-server"


From the syslog you can also see I tried to create my own "sftp_server" but it returned the same error as well.


Getting there.
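
Added example, not part of the original posts: one way to turn the internal-sftp lines shown above into per-file transfer records for review. The log text is a constructed sample modelled on those lines, and the function name and record fields are this example's own choices.

```python
import re

# Constructed sample, modelled on the internal-sftp lines quoted in the thread.
SAMPLE_LOG = """\
Jul 13 15:28:05 comp internal-sftp[59696]: session opened for local user alice from [192.0.2.10]
Jul 13 15:28:05 comp internal-sftp[59696]: open "/uploads/Screen shot 1.png" flags WRITE,CREATE,TRUNCATE mode 0644
Jul 13 15:28:05 comp internal-sftp[59696]: close "/uploads/Screen shot 1.png" bytes read 0 written 15383
Jul 13 15:29:10 comp internal-sftp[59701]: session opened for local user bob from [192.0.2.20]
Jul 13 15:29:11 comp internal-sftp[59701]: open "/uploads/report.pdf" flags READ mode 0666
Jul 13 15:29:12 comp internal-sftp[59701]: close "/uploads/report.pdf" bytes read 2048 written 0
Jul 13 15:29:12 comp sshd[59700]: Accepted publickey for bob from 192.0.2.20 port 50000 ssh2
"""

# syslog prefix: timestamp, host, program[pid]; only the SFTP server's lines match.
LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ '
                  r'(?:internal-sftp|sftp-server)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]')
# Greedy path match anchored on the trailing counters, so spaces in names are kept.
CLOSE = re.compile(r'^close "(?P<path>.*)" bytes read (?P<rd>\d+) written (?P<wr>\d+)$')

def transfers(log_text):
    """Return one record per closed file, tied to the session's user by PID."""
    sessions = {}   # pid -> (user, ip)
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue            # sshd and other daemons are ignored
        pid, msg = m["pid"], m["msg"]
        s = SESSION.match(msg)
        if s:
            sessions[pid] = (s["user"], s["ip"])
            continue
        c = CLOSE.match(msg)
        if c:
            user, ip = sessions.get(pid, ("?", "?"))
            rd, wr = int(c["rd"]), int(c["wr"])
            direction = "upload" if wr else "download" if rd else "empty"
            records.append({"time": m["ts"], "user": user, "ip": ip,
                            "path": c["path"], "direction": direction,
                            "bytes": wr or rd})
    return records

if __name__ == "__main__":
    for rec in transfers(SAMPLE_LOG):
        print(rec)
```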

Jul 13, 2011 9:31 PM in response to s-chilly

You're on the right track - you're using the -f switch to set the log facility. The problem is that there are predefined facilities available in syslog - you can't just make up your own.


man sftp-server shows you the options:


-f log_facility

Specifies the facility code that is used when logging messages from sftp-server. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

So:

Subsystem sftp /usr/libexec/sftp-server -l VERBOSE -f LOCAL5

(or whatever facility you prefer) should be more like what you're looking for.

You can edit syslog.conf to direct whichever facility you choose to a specific location, you just can't make new facilities.
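
Added example, not part of the original reply: a small check that reads an sshd_config and reports SFTP command lines with no -l level or with a -f value outside the facility list quoted above. The configuration is a constructed sample modelled on the ones posted in this thread; the function names are this example's own, and comparing the facility case-insensitively is an assumption.

```python
import shlex

# Facilities listed in the sftp-server man page excerpt quoted in the reply.
FACILITIES = {"DAEMON", "USER", "AUTH"} | {f"LOCAL{n}" for n in range(8)}

# Constructed sample, modelled on the configurations posted in this thread.
SAMPLE_CONFIG = """\
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp -l VERBOSE -f LOCAL5
Match Group admin
    ChrootDirectory /Volumes/Server/User
    ForceCommand internal-sftp -l VERBOSE -f sftp-server
Match Group users
    ChrootDirectory /Volumes/Server/User/%u
    ForceCommand internal-sftp
"""

def flag_value(args, flag):
    """Return the word after `flag`, "" if nothing follows, None if absent."""
    if flag in args:
        i = args.index(flag)
        return args[i + 1] if i + 1 < len(args) else ""
    return None

def lint_sftp_logging(config_text):
    """Return (line number, finding) pairs for SFTP server command lines."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = shlex.split(raw, comments=True)   # drops '#' comment lines
        if not words:
            continue
        key = words[0].lower()
        # Each line is checked on its own: a ForceCommand runs with its own
        # arguments, so flags on the Subsystem line do not carry over to it.
        if key == "subsystem" and len(words) >= 3 and words[1] == "sftp":
            cmd = words[2:]
        elif key == "forcecommand" and len(words) >= 2:
            cmd = words[1:]
        else:
            continue
        if not (cmd[0] == "internal-sftp" or cmd[0].endswith("/sftp-server")):
            continue
        if flag_value(cmd, "-l") is None:
            findings.append((lineno, "no -l log level set"))
        facility = flag_value(cmd, "-f")
        if facility is not None and facility.upper() not in FACILITIES:
            findings.append((lineno, f'invalid log facility "{facility}"'))
    return findings

if __name__ == "__main__":
    for lineno, finding in lint_sftp_logging(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```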

Nov 15, 2013 6:15 AM in response to Camelot

Hi,


I have read this and tried to set up the logging. I have Mac OS X 10.8. It produces the logs, but they go to system.log, and I tried to set the facilities in syslog.conf but without any change.

When I give -l after ForceCommand too, the SFTP won't work.


sshd_config:


# override default of no subsystems

Subsystem sftp internal-sftp -l INFO -f LOCAL5


Match Group ftpgroup

X11Forwarding no

AllowTcpForwarding no

ForceCommand internal-sftp

ChrootDirectory /FTP



syslog.conf:


# Note that flat file logs are now configured in /etc/asl.conf



install.* @127.0.0.1:32376

local6.warn /Library/Logs/Mail/mailaccess.log

LOCAL4.*;LOCAL4.debug /var/log/slapd.log

LOCAL5.* /var/log/sftp.log



I have added in syslog.conf the LOCAL5 line.


Can you please explain better how I can do that?

Thanks.
