10

On Linux systems, /var/log/secure (or similar, depending on distro) shows all SSH login activity. Is there a similar log for SCP? If not, what's a good approach to enabling logging of scp activity on my servers? Is it SELinux through /var/log/audit/audit.log?

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
JJC
  • 471
  • 1
  • 3
  • 8

3 Answers3

8

You need to adjust your sshd logging level to DEBUG in order to see scp client connections.

Look at the /etc/ssh/sshd_config for the "LogLevel" directive.

LogLevel DEBUG

Or the scp -o LogLevel for testing.

Shadow503
  • 103
  • 3
schroeder
  • 123,438
  • 55
  • 284
  • 319
0

SCP uses SSH connections to transfer files, so SCP logins should appear in the same logs alongside SSH logins. From the man pages:

scp copies files between hosts on a network. It uses ssh(1) for data transfer, and uses the same authentication and provides the same security as ssh(1).

Andy Smith
  • 2,742
  • 18
  • 24
  • 2
    I know it uses SSH and I thought logs would also go to the same place, but it actually doesn't show up in /var/log/secure nor /var/log/messages. The only evidence of SCP is when I have SELinux and auditd running... in which case it gets logged in /var/log/audit/audit.log. – JJC May 09 '12 at 11:13
-4
scp -o LogLevel=DEBUG <rest of parameters>

eg:

$ scp -o LogLevel=DEBUG origfile.txt userfoo@serverbar:/home/userfoo/
schroeder
  • 123,438
  • 55
  • 284
  • 319
Charles Cunningham
  • 1
  • 3
    This is already in the top-voted answer. Note that this does *not* show you the scp activity for the server but the log for that connection. Please make sure that you document your code/commands instead of just posting raw syntax without explanation. – schroeder Oct 23 '20 at 11:13