As of OpenSSH 4.4, command-line arguments can be given to the sftp-server subsystem in its configuration. Combined with syslog, these arguments let us log what is performed during an SFTP session. Be aware that there is a bug in enabling the logging feature when it is used together with ForceCommand; it affects versions prior to 5.2.
To enable SFTP logging, we need to adjust /etc/ssh/sshd_config and /etc/syslog.conf. Below are the steps.
1. Replace the Subsystem line in /etc/ssh/sshd_config with:
Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l INFO
2. Add the following line to /etc/syslog.conf:
#sftp logging
local5.*    /var/log/sftpd.log
Finally, restart the syslogd and sshd services. Now try an sftp upload and check the access log in /var/log/sftpd.log.
If you are running a chrooted SFTP environment, two more steps are involved:
1. In each user's restricted working environment, create a directory "dev" in the home directory and make the /dev/log socket available there (syslogd creates that socket when told to in step 2), so that log messages generated inside the chroot reach the real system's syslog.
2. Then syslogd needs to be told to listen on this socket to pick up the log messages. We need to modify /etc/sysconfig/syslog; below is an example:
shell$ grep SYSLOGD_OPTIONS /etc/sysconfig/syslog --color
SYSLOGD_OPTIONS="-m 0 -a /export/home/sftponly/dev/log"
The -a parameter specifies an additional socket that syslogd listens to.
By default it supports up to 19 additional sockets, according to the syslogd manual page:
-a socket
Using this argument you can specify additional sockets from that syslogd has to listen to. This is needed if you're going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. An example for a chroot() daemon is described by the people from OpenBSD at http://www.psionic.com/papers/dns.html.
If more than 19 chrooted users need SFTP logging, you have to increase MAXFUNIX in syslogd.c.
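Before restarting the services it is worth checking that the three pieces above agree with each other. The script below is an added example, not code from the original post or from OpenSSH: it reads the active Subsystem line and extracts the facility and level, confirms that syslog.conf routes that facility to the log file, checks that the chroot's /dev/log is a real socket and that SYSLOGD_OPTIONS names it with -a, and counts the -a sockets against the 19-socket limit. The default paths are the ones used on this page (/etc/ssh/sshd_config, /etc/syslog.conf, /etc/sysconfig/syslog, /export/home/sftponly); the log file name /var/log/sftpd.log and the environment variables that override the paths in main() are assumptions.

```shell
#!/bin/sh
# check_sftp_logging.sh - verify the SFTP logging pieces described above
# before restarting syslogd and sshd. Added example, not code from the
# original post or from OpenSSH. Default paths are the ones the page uses;
# the log file name /var/log/sftpd.log and the override variables read in
# main() are assumptions.

# Print "FACILITY LEVEL" from the active "Subsystem sftp ..." line; return 1
# if there is none or it lacks -f/-l. "#Subsystem" comments do not match.
sftp_subsystem_logging() {
  awk '
    tolower($1) == "subsystem" && $2 == "sftp" {
      for (i = 4; i < NF; i++) {
        if ($i == "-f") fac = $(i + 1)
        if ($i == "-l") lvl = $(i + 1)
      }
      if (fac != "" && lvl != "") { print fac, lvl; found = 1 }
      exit                      # sshd honours only the first matching line
    }
    END { exit !found }
  ' "${1:-/etc/ssh/sshd_config}"
}

# Return 0 when a non-comment syslog.conf line sends the facility to the
# given file. Accepts "facility.level" and "*.level" selectors and the "-"
# (no fsync) action prefix; ".none" exclusions are not evaluated.
syslog_routes_facility() {
  fac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')      # syslog.conf is lower case
  awk -v fac="$fac" -v dest="$2" '
    /^[ \t]*#/ || NF < 2 { next }
    { act = $2; sub(/^-/, "", act) }
    act == dest {
      n = split($1, sel, ";")
      for (i = 1; i <= n; i++)
        if (index(sel[i], fac ".") == 1 || index(sel[i], "*.") == 1) ok = 1
    }
    END { exit !ok }
  ' "${3:-/etc/syslog.conf}"
}

# Inside the jail /dev/log must be a real socket that syslogd created there;
# a symlink to the host's /dev/log cannot be resolved from inside a chroot.
chroot_log_socket_ok() { [ -S "$1/dev/log" ]; }

syslogd_options() {
  sed -n 's/^SYSLOGD_OPTIONS="\(.*\)"$/\1/p' "${1:-/etc/sysconfig/syslog}"
}

# Return 0 when SYSLOGD_OPTIONS contains "-a <socket>" for the given path.
syslogd_listens_on() {
  sock=$1; prev=""
  for w in $(syslogd_options "${2:-}"); do
    [ "$prev" = "-a" ] && [ "$w" = "$sock" ] && return 0
    prev=$w
  done
  return 1
}

# Count -a sockets; syslogd's compiled-in MAXFUNIX permits 19 of them.
extra_socket_count() {
  n=0
  for w in $(syslogd_options "${1:-}"); do
    case $w in -a) n=$((n + 1)) ;; esac
  done
  echo "$n"
}

main() {
  sshd_cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
  syslog_cfg=${SYSLOG_CONFIG:-/etc/syslog.conf}
  sysconfig=${SYSCONFIG_SYSLOG:-/etc/sysconfig/syslog}
  jail=${SFTP_CHROOT:-/export/home/sftponly}
  logfile=${SFTP_LOG:-/var/log/sftpd.log}
  for f in "$sshd_cfg" "$syslog_cfg" "$sysconfig"; do
    [ -r "$f" ] || { echo "skip: $f not readable"; return 0; }
  done
  if fl=$(sftp_subsystem_logging "$sshd_cfg"); then
    fac=${fl% *}; echo "PASS sshd_config: sftp logs to $fac at level ${fl#* }"
  else
    echo "FAIL sshd_config: no Subsystem sftp line with -f and -l"; return 0
  fi
  if syslog_routes_facility "$fac" "$logfile" "$syslog_cfg"; then
    echo "PASS syslog.conf: $fac -> $logfile"
  else
    echo "FAIL syslog.conf: $fac is not routed to $logfile"
  fi
  if chroot_log_socket_ok "$jail"; then echo "PASS $jail/dev/log is a socket"
  else echo "FAIL $jail/dev/log is missing or not a socket"; fi
  if syslogd_listens_on "$jail/dev/log" "$sysconfig"; then echo "PASS syslogd -a $jail/dev/log"
  else echo "FAIL SYSLOGD_OPTIONS lacks -a $jail/dev/log"; fi
  n=$(extra_socket_count "$sysconfig")
  if [ "$n" -le 19 ]; then echo "PASS $n extra socket(s), within the default limit of 19"
  else echo "FAIL $n extra sockets: raise MAXFUNIX in syslogd.c"; fi
}
main
```

Run it as root after editing the files and before restarting anything; each FAIL line points at the file that still disagrees with the others. The socket check is the one that only becomes meaningful after syslogd has been restarted with the new -a option, since syslogd is what creates the socket inside the chroot.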
Below is an example output of SFTP logging:
May 8 10:31:15 FTP01 internal-sftp: session opened for local user joseph from [10.12.1.1]
May 8 10:31:16 FTP01 internal-sftp: opendir "/joseph/"
May 8 10:31:16 FTP01 internal-sftp: closedir "/joseph/"
May 8 10:31:19 FTP01 internal-sftp: session closed for local user joseph from [10.12.1.1]
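Once lines like these are arriving, the session opened/closed pairs alone give a useful per-user view. The script below is an added example, not part of the original post or of OpenSSH: it summarises sessions, connected seconds and distinct source addresses per user from a constructed sample log that follows the format shown above, and lists accounts seen from more than one address. It assumes the "session opened/closed for local user U from [IP]" wording shown and that all entries fall on the same day, since the duration arithmetic uses only the HH:MM:SS part of the timestamp.

```shell
#!/bin/sh
# sftp_log_summary.sh - per-user summary of an sftp-server log written via
# syslog in the format shown above. Added example, not code from the
# original post or from OpenSSH. Assumes the "session opened/closed for
# local user U from [IP]" wording and that all entries fall on the same day
# (only HH:MM:SS is used for duration arithmetic).

# Constructed sample log, not a real capture: two users, three sessions.
SAMPLE_LOG='May  8 10:31:15 FTP01 internal-sftp: session opened for local user joseph from [10.12.1.1]
May  8 10:31:16 FTP01 internal-sftp: opendir "/joseph/"
May  8 10:31:16 FTP01 internal-sftp: closedir "/joseph/"
May  8 10:31:19 FTP01 internal-sftp: session closed for local user joseph from [10.12.1.1]
May  8 10:40:02 FTP01 internal-sftp: session opened for local user alice from [10.12.1.7]
May  8 10:45:02 FTP01 internal-sftp: session closed for local user alice from [10.12.1.7]
May  8 11:02:00 FTP01 internal-sftp: session opened for local user joseph from [203.0.113.5]
May  8 11:02:30 FTP01 internal-sftp: session closed for local user joseph from [203.0.113.5]'

# One line per user, sorted: "user sessions seconds addresses ip[,ip...]".
# User and address are taken relative to the end of the line so the width
# of the hostname/program prefix does not matter.
sftp_user_summary() {
  awk '
    function secs(t,  a) { split(t, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    /session opened for local user/ {
      u = $(NF - 2); ip = $NF; gsub(/\[|\]/, "", ip)
      sessions[u]++; start[u] = secs($3)
      if (!((u, ip) in seen)) {
        seen[u, ip] = 1; nips[u]++
        ips[u] = (ips[u] == "" ? ip : ips[u] "," ip)
      }
    }
    /session closed for local user/ {
      u = $(NF - 2)
      if (u in start) { total[u] += secs($3) - start[u]; delete start[u] }
    }
    END {
      for (u in sessions)
        printf "%s %d %d %d %s\n", u, sessions[u], total[u], nips[u], ips[u]
    }
  ' "$1" | sort
}

# Accounts that connected from more than one address within the log; a
# shared or stolen credential often shows up here first.
sftp_multi_ip_users() {
  sftp_user_summary "$1" | awk '$4 > 1 { print $1 }'
}

main() {
  if [ -n "${1:-}" ]; then
    sftp_user_summary "$1"
    return 0
  fi
  demo=$(mktemp)                  # no file given: summarise the sample
  printf '%s\n' "$SAMPLE_LOG" > "$demo"
  sftp_user_summary "$demo"
  echo "users seen from more than one address:"
  sftp_multi_ip_users "$demo"
  rm -f "$demo"
}
main "$@"
```

Run it as `sh sftp_log_summary.sh /var/log/sftpd.log` against the real file; without an argument it summarises the embedded sample. Because the page's log lines carry no process id, the opendir/closedir entries cannot be tied to a user here, so the summary deliberately uses only the session lines.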
Furthermore, you can add a logrotate config file so that /var/log/sftpd.log is rotated like the other system log files, in case it grows too big.