I'm wondering if there is a way to log commands received by the server. It can be all SSH commands, as long as it includes information on commands related to file transfer.

I'm having issues with an SFTP client and the creator is asking for logs, but I am unable to find any existing logs.

I'm looking to log on both or either CentOS or OS X (although I suspect if it's possible, it'd be similar on both).

Darryl Hein

3 Answers

OpenSSH versions 4.4p1 and up (which should include the latest version with CentOS 5) have SFTP logging capability built in - you just need to configure it.

Find this in your sshd_config (on CentOS: /etc/ssh/sshd_config):

Subsystem       sftp    /usr/libexec/openssh/sftp-server

and change it to:

Subsystem       sftp    /usr/libexec/openssh/sftp-server -l INFO

INFO is just one level of detail over what you're seeing by default - it provides detailed information regarding file transfers, permission changes, etc. If you need more info, you can adjust the log level accordingly. The various levels (in order of detail) are:

QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3

Anything over VERBOSE is probably more information than you're looking for, but it might be useful.

Finally, restart the SSH service to apply the changes (CentOS):

systemctl restart sshd
rvf
  • I didn't know you could log SFTP like that, that's what I need. Where does it store the logs? /var/log/auth.log? – Amandasaurus Jan 22 '10 at 15:17
  • It depends on your syslog configuration. Using the INFO log level, most default syslog.conf files place those entries in /var/log/messages. – rvf Feb 02 '10 at 20:02
  • Is it possible to do this using the internal sftp server? – Cian Feb 22 '11 at 16:40
  • This works perfectly for SFTP, but what about SCP? I didn't find any entries in the log for a file copied with the scp command, although logging worked for sftp. – Ale Oct 03 '16 at 19:24
  • On Ubuntu, these logs default to `/var/log/auth.log`. Add `-f USER` to that `Subsystem` config line to send them to `/var/log/syslog`. – Throw Away Account May 04 '17 at 22:23
  • When using the systemd journal, as the messages go to the AUTH log (i.e. the one marked with id 4, and this even if sshd_config says `SyslogFacility LOCAL2` or something), you get the messages with `journalctl SYSLOG_FACILITY=4 -e`. – David Tonhofer Nov 29 '17 at 10:38
  • Hey guys, I have an Ubuntu 18.04 server and I just noticed the log socket is redirecting to journalctl; see: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1761630 – Andre Leon Rangel Nov 14 '19 at 04:49
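Applying the change from this answer from a script, as an added example that is not part of rvf's answer: it rewrites the active "Subsystem sftp" line of an sshd_config text in memory (the sample config is constructed), keeps any other options such as -f AUTH, and replaces an earlier -l level instead of appending a second one, so it can be run on a copy before the real file is touched.

```python
"""Enable sftp-server logging in an sshd_config, as described in the answer above.

Added example, not the answer's own code: it edits the config text in memory,
so it can be tried on a copy before touching /etc/ssh/sshd_config.
The sample config below is constructed for illustration.
"""
import shlex

SAMPLE_SSHD_CONFIG = """\
# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
#Subsystem      sftp    internal-sftp
"""

# sftp-server log levels, least to most detailed
LOG_LEVELS = ("QUIET", "FATAL", "ERROR", "INFO", "VERBOSE",
              "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3")


def _replace_log_level(args, level):
    """Drop any existing '-l LEVEL' pair from args and append the new one."""
    kept = []
    it = iter(args)
    for arg in it:
        if arg == "-l":
            next(it, None)          # swallow the old level value
            continue
        kept.append(arg)
    return kept + ["-l", level]


def set_sftp_log_level(config_text, level="INFO"):
    """Return config_text with '-l <level>' on the active 'Subsystem sftp' line.

    Other options on the line (for example '-f AUTH') are preserved, commented
    lines are left alone, and applying it twice yields the same result.
    """
    if level not in LOG_LEVELS:
        raise ValueError("unknown sftp-server log level: %s" % level)
    out, found = [], False
    for line in config_text.splitlines():
        parts = shlex.split(line, comments=True)   # [] for blank/comment lines
        if len(parts) >= 3 and parts[0].lower() == "subsystem" and parts[1] == "sftp":
            server, args = parts[2], _replace_log_level(parts[3:], level)
            line = "Subsystem\tsftp\t" + " ".join([server] + args)
            found = True
        out.append(line)
    if not found:
        raise ValueError("no active 'Subsystem sftp' line in config")
    return "\n".join(out) + "\n"
```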
The same switches around logging for sftp-server also work for internal-sftp. Here's an example from my /etc/ssh/sshd_config:

Subsystem   sftp    internal-sftp -f AUTH -l INFO

With INFO level logging enabled, messages will start showing up under /var/log/messages (at least on Red Hat based distros):

May 27 05:58:16 test-server sshd[20044]: User child is on pid 20049
May 27 05:58:16 test-server sshd[20049]: subsystem request for sftp by user test-user
May 27 05:58:16 test-server internal-sftp[20050]: session opened for local user test-user from [192.168.1.1]
May 27 05:58:16 test-server internal-sftp[20050]: received client version 3
May 27 05:58:16 test-server internal-sftp[20050]: realpath "."
May 27 05:58:21 test-server internal-sftp[20050]: opendir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: closedir "/home/test-user/"
May 27 05:58:21 test-server internal-sftp[20050]: lstat name "/home/test-user/upload"
May 27 05:58:21 test-server internal-sftp[20050]: realpath "/home/test-user/upload/"
May 27 05:58:21 test-server internal-sftp[20050]: stat name "/home/test-user/upload"
May 27 05:58:24 test-server internal-sftp[20050]: open "/home/test-user/upload/test-file.pdf" flags WRITE,CREATE,TRUNCATE mode 0664
May 27 05:58:25 test-server internal-sftp[20050]: close "/home/test-user/upload/test-file.pdf" bytes read 0 written 1282941
slm
  • I discovered that in my case it only logs sftp sessions for root but not for my chrooted user test. I don't understand why, do you have any ideas? – JohnnyFromBF Jul 04 '12 at 13:46
  • It looks like you need `/dev/log` in your chroot area. Something like `sudo mkdir /chrooted/area/dev`, `sudo touch /chrooted/area/dev/log`, `sudo chmod 511 /chrooted/area/dev`, `sudo chattr +i /chrooted/area/dev`, `sudo mount --bind /dev/log /chrooted/area/dev/log`. Users will still have write access to that /dev/log, but as it's a socket, they can't do much harm if all they have access to is `sftp`. – sch Feb 05 '13 at 10:29
  • Thanks for the hint. I can't seem to make it work, however. Could you be a bit more specific? – user1092608 Mar 15 '13 at 11:52
  • FWIW: In the ArchLinux Wiki there is a good description of how to enable logging in the chroot environment: https://wiki.archlinux.org/index.php/SFTP_chroot#Logging – Kaii Sep 09 '15 at 14:36
  • Hi @slm, I'm facing the issue and bound the socket. However, I still can't see the users. Can you help me fix the issue? https://serverfault.com/questions/1090038/finding-deleted-imported-files-in-sftp-server-using-logs – Matrix Jan 17 '22 at 14:46
  • This helped me: https://www.the-art-of-web.com/system/sftp-logging-chroot/ – Eaten by a Grue Apr 14 '22 at 20:10
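Turning log lines in the format shown above into per-file transfer records, as an added example that is not slm's code: it parses internal-sftp (or sftp-server) messages, ties each open/close pair to the user and client address from the "session opened" line by process id, and reports the bytes moved, which is what the original question needed to hand to the client's author. The log is the answer's sample plus two constructed lines showing a download.

```python
"""Correlate internal-sftp log lines into per-file transfer records.

Added example, not from the original answer. Input is the syslog format
shown above (timestamp, host, program[pid]: message). The last two lines
of the sample are constructed to show a download alongside the upload.
"""
import re
from collections import namedtuple

SAMPLE_LOG = """\
May 27 05:58:16 test-server sshd[20049]: subsystem request for sftp by user test-user
May 27 05:58:16 test-server internal-sftp[20050]: session opened for local user test-user from [192.168.1.1]
May 27 05:58:16 test-server internal-sftp[20050]: realpath "."
May 27 05:58:21 test-server internal-sftp[20050]: opendir "/home/test-user/"
May 27 05:58:24 test-server internal-sftp[20050]: open "/home/test-user/upload/test-file.pdf" flags WRITE,CREATE,TRUNCATE mode 0664
May 27 05:58:25 test-server internal-sftp[20050]: close "/home/test-user/upload/test-file.pdf" bytes read 0 written 1282941
May 27 05:59:02 test-server internal-sftp[20050]: open "/home/test-user/report.csv" flags READ mode 0666
May 27 05:59:03 test-server internal-sftp[20050]: close "/home/test-user/report.csv" bytes read 4096 written 0
"""

Transfer = namedtuple("Transfer", "time user client path flags read written")

# syslog prefix, restricted to the two SFTP server programs OpenSSH ships
_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
                   r"(?:internal-sftp|sftp-server)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
_SESSION = re.compile(r"session opened for local user (?P<user>\S+) from \[(?P<client>[^\]]+)\]")
_OPEN = re.compile(r'open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode \S+')
_CLOSE = re.compile(r'close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')


def parse_transfers(log_text):
    """Return one Transfer per open/close pair, attributed via the session pid."""
    sessions = {}   # pid -> (user, client address)
    pending = {}    # (pid, path) -> open flags, until the matching close
    transfers = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue    # sshd and other programs' lines are not transfer events
        pid, msg, ts = m["pid"], m["msg"], m["ts"]
        s, o, c = _SESSION.match(msg), _OPEN.match(msg), _CLOSE.match(msg)
        if s:
            sessions[pid] = (s["user"], s["client"])
        elif o:
            pending[(pid, o["path"])] = o["flags"]
        elif c:
            user, client = sessions.get(pid, ("?", "?"))   # "?" if the session line was missed
            flags = pending.pop((pid, c["path"]), "")
            transfers.append(Transfer(ts, user, client, c["path"], flags,
                                      int(c["read"]), int(c["written"])))
    return transfers


def uploads(transfers):
    """Files the client wrote to the server, i.e. what actually arrived."""
    return [t for t in transfers if t.written > 0]
```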
In order to clarify the comments above:

If you have sftp configured using a jail (chroot environment), you cannot log without additional configuration effort. The log cannot be written from inside the chroot environment; you need to create a bind mount or a socket. I would recommend using a socket, as it is a feature delivered by syslog-ng as well as rsyslog (and maybe many more).

For those who are using syslog-ng, have a look at this link. For those who are using rsyslog; Hope that helps.

Phil