1

We have an SFTP server, and I am trying to find out whether some specific files have been deleted from the server, or whether they were even imported to the server at all. I'm going through the log files under /var/log but couldn't find any relevant logs so far.

I'm wondering in which log file I can find such information?

Any help would be appreciated.

Updated:

Based on the answer and the link, I have modified the config file; the relevant parts look like this:

Subsystem sftp internal-sftp -f AUTH -l INFO

# Force sftp and chroot jail for members of sftp group
Match group sftp
ForceCommand internal-sftp
ChrootDirectory /sftp/%u

# Members of sftp-glob have access to all user folders
Match group sftp-glob
ForceCommand internal-sftp
ChrootDirectory /sftp


# Enable this for more logs
LogLevel VERBOSE

Then restarted sshd:

sudo systemctl restart sshd

In this case I can only see the logs created by the admin user (me) in /var/log/auth.log:

Jan 17 12:57:50 ios-sftp internal-sftp[5262]: remove name "/tmp/test.txt"

For logging the chrooted users' actions I have done this:

cd /sftp 
sudo mkdir dev
sudo chmod 755 dev
sudo touch dev/log
sudo mount --bind /dev/log dev/log

However, I still can't see the other users' logs in /var/log/auth.log if they upload or delete files.

It started to work after fixing the config file by changing ForceCommand internal-sftp to ForceCommand internal-sftp -f AUTH -l INFO:

Subsystem sftp internal-sftp -f AUTH -l INFO

# Force sftp and chroot jail for members of sftp group
Match group sftp
ForceCommand internal-sftp -f AUTH -l INFO
ChrootDirectory /sftp/%u

# Members of sftp-glob have access to all user folders
Match group sftp-glob
ForceCommand internal-sftp -f AUTH -l INFO
ChrootDirectory /sftp


# Enable this for more logs
LogLevel VERBOSE

Now I can see the logs in /var/log/auth.log:

Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58
Matrix

1 Answer

3

By default, transferred files are not logged by sftp in the system logs, only connections and disconnections.

It can be enabled for future transactions, but that probably won't help you solve your problem at hand - but it may solve it for the future.

vidarlo
  • Thanks for the swift reply. After adding it to the sshd_config file, I can only see the logs of the admin user in /var/log/auth.log. However, I'm more interested in the other chrooted users. My chroot directory is in /sftp, so based on the link, I have created a dev folder under the /sftp folder and a log file (touch dev/log), and also mounted /dev/log to /sftp/dev/log, but I still can't see the users' logs under /dev/log/auth.log. Is there another directory that I should check? Or is there another setup that I'm missing? – Matrix Jan 17 '22 at 13:49
  • I think messages is probably more appropriate than auth.log – vidarlo Jan 17 '22 at 13:52
  • I don't have messages file in that directory – Matrix Jan 17 '22 at 14:03
  • I don't know how your environment is configured wrt. logging. – vidarlo Jan 17 '22 at 14:53
  • It has the default setup as far as I know. I can see the logs that come from the admin user under /var/log/auth.log, so I assume the logs of chrooted users should come in the same place, shouldn't they? I have updated my question with more info. – Matrix Jan 17 '22 at 14:58
  • 1
    It is fixed, I missed some config in sshd_config file, now it is working fine :) thanks for the helpful answer. – Matrix Jan 18 '22 at 10:31
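
One way to answer the original question (was a given file uploaded or deleted, and by which user) from the internal-sftp lines that the working configuration writes to /var/log/auth.log. This is an added example, not part of the original post or answer; the sample log is constructed, and the `session opened`, `open` and `close` message formats are assumed from OpenSSH's sftp-server rather than taken from this page.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog layout shown in the question; user names,
# addresses and the "session opened"/"open"/"close" lines are assumptions.
SAMPLE_LOG = '''\
Jan 18 10:12:40 user-sftp internal-sftp[7466]: session opened for local user alice from [192.0.2.10]
Jan 18 10:12:55 user-sftp internal-sftp[7466]: open "/folder1/folder2/myfile.xml" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 18 10:13:01 user-sftp internal-sftp[7466]: close "/folder1/folder2/myfile.xml" bytes read 0 written 2048
Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58
Jan 18 10:14:10 user-sftp internal-sftp[7466]: remove name "/folder1/folder2/myfile.xml"
Jan 18 10:15:00 user-sftp internal-sftp[7470]: session opened for local user bob from [192.0.2.11]
Jan 18 10:15:20 user-sftp internal-sftp[7470]: close "/reports/q4.csv" bytes read 512 written 0
Jan 18 10:15:30 user-sftp sshd[7480]: Accepted publickey for bob from 192.0.2.11 port 50222 ssh2
'''

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ internal-sftp\[(\d+)\]: (.*)$')
SESSION = re.compile(r'^session opened for local user (\S+) from \[([^\]]+)\]')
REMOVE = re.compile(r'^remove name "(.*)"$')
CLOSE = re.compile(r'^close "(.*)" bytes read (\d+) written (\d+)$')

def file_history(log_text, wanted=None):
    """Return {path: [(timestamp, user, action), ...]} for uploads and deletes."""
    users = {}                      # internal-sftp PID -> user of that session
    history = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                # not an internal-sftp line
        ts, pid, msg = m.groups()
        if (s := SESSION.match(msg)):
            users[pid] = s.group(1)
            continue
        if (r := REMOVE.match(msg)):
            # The line records the client's request, not its outcome.
            path, action = r.group(1), "delete requested"
        elif (c := CLOSE.match(msg)) and int(c.group(3)) > 0:
            path, action = c.group(1), f"uploaded {c.group(3)} bytes"
        else:
            continue                # downloads, modtime changes, etc.
        if wanted is None or path in wanted:
            history[path].append((ts, users.get(pid, "unknown"), action))
    return dict(history)

if __name__ == "__main__":
    for path, events in file_history(SAMPLE_LOG).items():
        for ts, user, action in events:
            print(f"{ts}  {user:8}  {action:22}  {path}")
```

For chrooted users the logged paths are relative to the chroot (for example /sftp/%u in the configuration above), so combine the path with the user's chroot directory to get the location on disk.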