
Log SFTP file transfers?

Hi,


I was finally able to set up a Chrooted SFTP server on 10.6 server. I'm just trying to figure out how to log the transfers?


Here is my logging info in sshd_config:


# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTHPRIV
LogLevel INFO


which is currently putting login info in the secure.log but nothing about file transfers. I tried going down to DEBUG mode but it was just lower level login info. I also see a sftp-server.log in the console but there is nothing in it.


Is there any way to log file transfers?

Posted on Jul 13, 2011 11:18 AM

Question marked as Best reply

Posted on Jul 13, 2011 12:38 PM

What you're looking at is the sshd logging, not the sftp-server logging.


If you look further down /etc/sshd_config you'll find where the sftp daemon is configured:


Subsystem sftp /usr/libexec/sftp-server

You need to change this line to include the logging directive for sftp-server:


Subsystem sftp /usr/libexec/sftp-server -l INFO

Jul 13, 2011 3:04 PM in response to Camelot

Thanks Camelot. Got me on the right track.


I'm using

Subsystem sftp internal-sftp

as part of the chroot set up. I tried

Subsystem sftp internal-sftp -l INFO

but I'm getting nothing in the sftp-server.log


Here is my sshd_config

# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp -l VERBOSE

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

Match Group admin
    X11Forwarding no
    AllowTCPForwarding no
    ChrootDirectory /Volumes/Server/User
    ForceCommand internal-sftp -l VERBOSE

Match Group users
    X11Forwarding no
    AllowTCPForwarding no
    ChrootDirectory /Volumes/Server/User/%u
    ForceCommand internal-sftp



I tried VERBOSE and INFO with no luck.

Jul 13, 2011 3:35 PM in response to s-chilly

Ok it looks like it's logging to the secure.log

Jul 13 15:28:05 comp internal-sftp[59696]: session opened for local user s-chilly from [xxx.xxx.xxx.xxx]
Jul 13 15:28:05 comp internal-sftp[59696]: received client version 3
Jul 13 15:28:05 comp internal-sftp[59696]: realpath "."
Jul 13 15:28:05 comp internal-sftp[59696]: realpath "/uploads"
Jul 13 15:28:05 comp internal-sftp[59696]: stat name "/uploads"
Jul 13 15:28:05 comp internal-sftp[59696]: open "/uploads/Screen shot 2011-04-08 at 11.04.28 AM.png" flags WRITE,CREATE,TRUNCATE mode 0644
Jul 13 15:28:05 comp internal-sftp[59696]: close "/uploads/Screen shot 2011-04-08 at 11.04.28 AM.png" bytes read 0 written 15383




So does that mean it's logging as authpriv? Here is my syslog.conf:

cat /etc/syslog.conf
*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
*.notice;kern,authpriv,remoteauth,ftp,install.none;mail.crit /var/log/system.log
kern.* /var/log/kernel.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth.info;authpriv.*;remoteauth.crit /var/log/secure.log

# used for the adaptive firewall: man emlog.pl
auth.info;authpriv.* @127.0.0.1:60762

lpr.info /var/log/lpr.log
mail.crit /var/log/mail.log
ftp.* /var/log/ftp.log
install.* /var/log/install.log
install.* @127.0.0.1:32376
local0.* /var/log/appfirewall.log
local1.* /var/log/ipfw.log

*.emerg *
LOCAL4.*;LOCAL4.debug /var/log/slapd.log
local6.crit /var/log/mailaccess.log
local5.crit /var/log/securityproxy/mail_error.log
local3.crit /var/log/securityproxy/mail_access.log
sftp-server.* /var/log/sftp-server.log

# SFTP LOGGING
sftp_server.* /var/log/sftp-server.log



I tried setting

ForceCommand internal-sftp -l VERBOSE -f sftp-server


but that kept giving me

internal-sftp[59204]: error: Invalid log facility "sftp-server"


From the syslog you can also see I tried to create my own "sftp_server" but it returned the same error as well.


Getting there.
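Added example (not part of the original posts): once internal-sftp is logging at INFO or VERBOSE, the open/close lines shown above can be turned into per-transfer audit records by joining each close line to its session through the process ID. The sample log, user names and addresses are constructed for illustration.

```python
import re

# Constructed sample in the format of the secure.log excerpt above (not real data).
SAMPLE_LOG = """\
Jul 13 15:28:05 comp internal-sftp[59696]: session opened for local user alice from [192.0.2.10]
Jul 13 15:28:05 comp internal-sftp[59696]: open "/uploads/report 1.png" flags WRITE,CREATE,TRUNCATE mode 0644
Jul 13 15:28:06 comp internal-sftp[59701]: session opened for local user bob from [192.0.2.22]
Jul 13 15:28:06 comp internal-sftp[59701]: open "/uploads/data.csv" flags READ mode 0666
Jul 13 15:28:07 comp internal-sftp[59696]: close "/uploads/report 1.png" bytes read 0 written 15383
Jul 13 15:28:09 comp internal-sftp[59701]: close "/uploads/data.csv" bytes read 2048 written 0
"""

# timestamp, host, process name[pid], message
LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ (?:internal-sftp|sftp-server)\[(\d+)\]: (.*)$')
SESSION = re.compile(r'^session opened for local user (\S+) from \[([^\]]+)\]')
CLOSE = re.compile(r'^close "(.*)" bytes read (\d+) written (\d+)$')

def transfers(log_text):
    """Return one record per closed file, attributed to a user via the session PID."""
    sessions = {}  # pid -> (user, client address)
    records = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sftp log line
        stamp, pid, msg = m.groups()
        if (s := SESSION.match(msg)):
            sessions[pid] = s.groups()
        elif (c := CLOSE.match(msg)):
            path, read, written = c.group(1), int(c.group(2)), int(c.group(3))
            # A close with no matching session line is kept, with unknown origin.
            user, addr = sessions.get(pid, ("?", "?"))
            direction = "upload" if written else "download" if read else "none"
            records.append({"time": stamp, "user": user, "from": addr,
                            "path": path, "direction": direction,
                            "bytes": written or read})
    return records

if __name__ == "__main__":
    for record in transfers(SAMPLE_LOG):
        print(record)
```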

Jul 13, 2011 9:31 PM in response to s-chilly

You're on the right track - you're using the -f switch to set the log facility. The problem is that there are predefined facilities available in syslog - you can't just make up your own.


man sftp-server shows you the options:


-f log_facility
        Specifies the facility code that is used when logging messages
        from sftp-server. The possible values are: DAEMON, USER, AUTH,
        LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
        The default is AUTH.

So:

Subsystem sftp /usr/libexec/sftp-server -l VERBOSE -f LOCAL5

(or whatever facility you prefer) should be more like what you're looking for.

You can edit syslog.conf to direct whichever facility you choose to a specific location, you just can't make new facilities.
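Added example (not part of the original posts, and not OpenSSH's own code): a small check that walks an sshd_config and flags every sftp-server or internal-sftp invocation that has no -l level or that names a facility outside the man page list quoted above. A ForceCommand inside a Match block replaces the Subsystem command for the matching users, so each one is checked separately. The sample config is constructed from the variants posted in this thread.

```python
import shlex

# Facilities listed in the sftp-server man page excerpt quoted in this thread.
VALID_FACILITIES = {"DAEMON", "USER", "AUTH"} | {f"LOCAL{i}" for i in range(8)}

# Constructed sshd_config fragment combining variants posted in this thread.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp -l INFO -f LOCAL5
Match Group admin
    ChrootDirectory /Volumes/Server/User
    ForceCommand internal-sftp -l VERBOSE -f sftp-server
Match Group users
    ChrootDirectory /Volumes/Server/User/%u
    ForceCommand internal-sftp
"""

def _opt(argv, flag):
    """Value following `flag` in argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv[:-1] else None

def audit_sftp_logging(config_text):
    """Return (line_no, scope, problem) for each sftp invocation with a logging gap."""
    findings = []
    scope = "global"
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        key = words[0].lower()  # sshd_config keywords are case-insensitive
        if key == "match":
            scope = " ".join(words[1:])
            continue
        if key == "subsystem" and len(words) > 2 and words[1] == "sftp":
            argv = words[2:]
        elif key == "forcecommand" and len(words) > 1:
            argv = words[1:]
        else:
            continue
        if not argv[0].endswith(("internal-sftp", "sftp-server")):
            continue  # some other forced command
        level, facility = _opt(argv, "-l"), _opt(argv, "-f")
        if level is None:
            findings.append((no, scope, "no -l log level"))
        if facility is not None and facility.upper() not in VALID_FACILITIES:
            findings.append((no, scope, f'invalid facility "{facility}"'))
    return findings
```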

Nov 15, 2013 6:15 AM in response to Camelot

Hi,


I have read this and tried to set up the logging. I have Mac OS X 10.8. It makes the logs, but they go to the system.log, and I tried to set the facilities in syslog.conf but without any change.

When I give -l after ForceCommand too, the sFTP won't work.


sshd_config:


# override default of no subsystems
Subsystem sftp internal-sftp -l INFO -f LOCAL5

Match Group ftpgroup
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /FTP



syslog.conf:


# Note that flat file logs are now configured in /etc/asl.conf

install.* @127.0.0.1:32376
local6.warn /Library/Logs/Mail/mailaccess.log
LOCAL4.*;LOCAL4.debug /var/log/slapd.log
LOCAL5.* /var/log/sftp.log



I have added in syslog.conf the LOCAL5 line.


Can you please better explain how I can do that?

Thanks.
