SFTP transfer logging

Message

Ph0eniX · Post by **Ph0eniX** » Wed Dec 15, 2010 3:34 pm

I'm running OpenSSH 5.2p1. I have configured chroot'ed SFTP and set the logging level to VERBOSE and I'm getting a lot of useful info in the logs but file transfer info isn't being logged. I want to be able to track uploaded, downloaded files as well folder creations/deletions, etc. A client is telling me that they've been uploading files to my server but I can't find them so I want to be able to see exactly what they're doing. How do I accomplish this?

Thanks!

J.

ferreirafm · Post by **ferreirafm** » Wed Dec 15, 2010 7:12 pm

Hi Ph0eniX,
The sshd_config has several keywords for you to modify. For instance, LogLevel VERBOSE will give you things like IP, logging time, transfered files, file size and so on. Have a look at the sshd_config manual to see which keyword best fit your needs. Hope it helps.
G'Luck,
ferreirafm

Ph0eniX · Post by **Ph0eniX** » Thu Dec 16, 2010 3:38 pm

ferreirafm wrote:Hi Ph0eniX,
The sshd_config has several keywords for you to modify. For instance, LogLevel VERBOSE will give you things like IP, logging time, transfered files, file size and so on. Have a look at the sshd_config manual to see which keyword best fit your needs. Hope it helps.
G'Luck,
ferreirafm

Hi ferreirafm,
Thank you for the suggestion. I had my logging level set to DEBUG3 (the most info) and I switched to VERBOSE per your recommendation but I can't figure out where the actual file transfers are getting logged. I don't see them in any of my log files. I must be doing something wrong.

ferreirafm · Post by **ferreirafm** » Fri Dec 17, 2010 1:42 pm

Hi Ph0eniX,
Have a look in your file /var/log/messages. There you should have sshd issues like this:

Code: Select all

Dec 14 02:50:50 mephistp sshd[21483]: Connection closed by 172.24.36.51
Dec 14 02:50:50 mephistp sshd[21483]: pam_unix(sshd:session): session closed for user root
Dec 14 02:50:50 mephistp sshd[21483]: Transferred: sent 1929636744, received 434144 bytes
Dec 14 02:50:50 mephistp sshd[21483]: Closing connection to 172.24.36.51 port 52092

You might want to use logrotate to manage your messages file. Take a look in the sshd manual to figure out how to redirect the sshd issues to a separate file. If you mean the name of each transferred file. Basically, you need to add the -l and -f options (verify!) to the sftp-server line in sshd_config to specify the appropriate syslog level and restart sshd to pick up the changes. See sftp-server man pages for details. Syslog will also need to be configured appropriately. I particularly don't track file transfers at this level.
G'Luck
ferreirafm