Ok it looks like it's logging to the secure.log
Jul 13 15:28:05 comp internal-sftp[59696]: session opened for local user s-chilly from [xxx.xxx.xxx.xxx]
Jul 13 15:28:05 comp internal-sftp[59696]: received client version 3
Jul 13 15:28:05 comp internal-sftp[59696]: realpath "."
Jul 13 15:28:05 comp internal-sftp[59696]: realpath "/uploads"
Jul 13 15:28:05 comp internal-sftp[59696]: stat name "/uploads"
Jul 13 15:28:05 comp internal-sftp[59696]: open "/uploads/Screen shot 2011-04-08 at 11.04.28 AM.png" flags WRITE,CREATE,TRUNCATE mode 0644
Jul 13 15:28:05 comp internal-sftp[59696]: close "/uploads/Screen shot 2011-04-08 at 11.04.28 AM.png" bytes read 0 written 15383
so does that mean it's logging as authpriv? as here is my syslog.conf:
cat /etc/syslog.conf*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail. crit /dev/console
*.notice;kern,authpriv,remoteauth,ftp,install.none;mail.crit /var/log/system.log
kern.* /var/log/kernel.log
# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial
# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth.info;authpriv.*;remoteauth.crit /var/log/secure.log
# used for the adaptive firewall: man emlog.pl
auth.info;authpriv.* @127.0.0.1:60762
lpr.info /var/log/lpr.log
mail.crit /var/log/mail.log
ftp.* /var/log/ftp.log
install.* /var/log/install.log
install.* @127.0.0.1:32376
local0.* /var/log/appfirewall.log
local1.* /var/log/ipfw.log
*.emerg *
LOCAL4.*;LOCAL4.debug /var/log/slapd.log
local6.crit /var/log/mailaccess.log
local5.crit /var/log/securityproxy/mail_error.log
local3.crit /var/log/securityproxy/mail_access.log
sftp-server.* /var/log/sftp-server.log
# SFTP LOGGING
sftp_server.* /var/log/sftp-server.log
I tried setting
ForceCommand internal-sftp -l VERBOSE -f sftp-server
but that kept giving me
internal-sftp[59204]: error: Invalid log facility "sftp-server"
From the syslog you can also see I tried to create my own "sftp_server" but it returned the same error as well.
Getting there.