
I'm trying to enable logging for SFTP file transfers (without the help of any open tools) on Solaris 10 using "internal-sftp", but I couldn't see any info about file transfers. Please help.

**Argument in SSHD_CONFIG**

```
Subsystem sftp internal-sftp -f AUTH -l DEBUG
```

All I can see in /var/log/sftplogging is as below

```
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: open id 8 name /home/.sh_history flags 26 mode 0600
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: sent handle id 8 handle 0
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: write id 9 handle 0 off 0 len 948
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: sent status id 9 error 0
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: close id 9 handle 0
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: sent status id 9 error 0
```

What I need: I need to have logs in the format below

```
May 27 05:58:16 test-server internal-sftp[20050]: session opened for local user test-user from [192.168.1.1]
May 27 05:58:16 test-server internal-sftp[20050]: received client version 3
May 27 05:58:16 test-server internal-sftp[20050]: realpath "."
May 27 05:58:21 test-server internal-sftp[20050]: opendir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: closedir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: lstat name "/home/test-user/upload"
May 27 05:58:21 test-server internal-sftp[20050]: realpath "/home/test-user/upload/"
May 27 05:58:21 test-server internal-sftp[20050]: stat name "/home/test-user/upload"
May 27 05:58:24 test-server internal-sftp[20050]: open "/home/test-user/upload/test-file.pdf" flags WRITE,CREATE,TRUNCATE mode 0664
May 27 05:58:25 test-server internal-sftp[20050]: close "/home/test-user/upload/test
```

Link to the old question: SFTP logging: is there a way?

Santhosh
  • In the example you link to, `internal-sftp` has been invoked with `-l INFO`, not `-l DEBUG`. Have you tried that? – MadHatter Nov 15 '13 at 10:59
  • Yes, I tried INFO, VERBOSE and DEBUG and found nothing. Of all levels, DEBUG gives more information. – Santhosh Nov 15 '13 at 11:01
  • What version are you using? Maybe auth and DEBUG do not combine well? Try your own facility... – jirib Nov 15 '13 at 11:07
  • Entry in /etc/syslog.conf: `*.debug var/log/San2log`, and SSH version: Sun_SSH_1.1.4, SSH protocols 1.5/2.0, OpenSSL 0x0090704f... May I know what you meant by own facility? – Santhosh Nov 15 '13 at 11:11
  • Hi all, I can see logs in the above format for non-jailed users on Solaris 11, but not for a jailed user configured using 'Chrootdirectory'. As per the man pages of Solaris 11, one needs to establish a SOCKET for reading logs under jailed users. Please let me know if it works (http://docs.oracle.com/cd/E23824_01/html/821-1462/sftp-server-1m.html#REFMAN1Msftp-server-1m) – Santhosh Nov 19 '13 at 04:18
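
For readers who only have the `debug1` output quoted in the question, the request ids and handles in it can be correlated into one record per transferred file. This is an added example, not part of the original post; it assumes one syslog entry per line in the format shown above, and that reads are logged as `read id N handle N off N len N` by analogy with the `write` line.

```python
import re

# Constructed sample: the debug1 entries quoted in the question, one per line,
# plus two constructed lines from a second session (pid 6040) that reuses handle 0.
SAMPLE = """\
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: open id 8 name /home/.sh_history flags 26 mode 0600
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: sent handle id 8 handle 0
Nov 15 15:15:17 test-server sshd[6040]: [ID 800047 auth.debug] debug1: open id 3 name /tmp/constructed file.txt flags 1 mode 0644
Nov 15 15:15:17 test-server sshd[6040]: [ID 800047 auth.debug] debug1: sent handle id 3 handle 0
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: write id 9 handle 0 off 0 len 948
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: sent status id 9 error 0
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: close id 9 handle 0
Nov 15 15:15:17 test-server sshd[6032]: [ID 800047 auth.debug] debug1: sent status id 9 error 0
"""

ENTRY = re.compile(r"sshd\[(\d+)\]:.*?debug1: (.*\S)")
OPEN = re.compile(r"open id (\d+) name (.+) flags \d+ mode \d+$")
HANDLE = re.compile(r"sent handle id (\d+) handle (\d+)$")
IO = re.compile(r"(read|write) id \d+ handle (\d+) off \d+ len (\d+)$")  # "read" form is assumed
CLOSE = re.compile(r"close id \d+ handle (\d+)$")

def summarize(log_text):
    """Correlate request ids and handles into one record per closed file."""
    pending, live, done = {}, {}, []  # (pid, req id) -> path; (pid, handle) -> record
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = entry.groups()
        if m := OPEN.match(msg):
            pending[pid, m[1]] = m[2]          # remember the path until the handle arrives
        elif m := HANDLE.match(msg):
            path = pending.pop((pid, m[1]), None)  # None: no matching open was seen
            if path is not None:
                live[pid, m[2]] = {"pid": int(pid), "path": path, "read": 0, "write": 0}
        elif m := IO.match(msg):
            if rec := live.get((pid, m[2])):   # handles are only unique per sshd pid
                rec[m[1]] += int(m[3])
        elif m := CLOSE.match(msg):
            if rec := live.pop((pid, m[1]), None):
                done.append(rec)
    return done

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
```

Keying every lookup on the sshd pid keeps the 948-byte write attributed to `/home/.sh_history` even though the second session holds the same handle number at the same time.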

1 Answer


SOLVED

1) Created a parent directory (virtual) and created log, conslog, null and zero files using `mknod` as per my system configuration (check `ls -ltr /dev/log` .. for all above files to get major and minor numbers).

2) Once that's done, create a "dev" folder for every jailed user ("/chroot/dev/") and create hard links for all files present in "/virtual/" as `ln -f /virtual/* /chroot/dev/`.

3) Create a soft link for "/dev/log" to "/virtual/log" as `ln -sf /virtual/log /dev/log`

Restart the syslogd daemon and you can see all SFTP transfer logs for jailed users in the chosen directory.

Santhosh