How to Enable logging in SFTP

As from OpenSSH 4.4, we can pass command-line arguments to the sftp-server subsystem in the sshd configuration. With these arguments, we can log what is happening during an SFTP session. Be aware that there is a bug in enabling the logging feature if you use it together with ForceCommand; it affects versions prior to 5.2.

To enable the logging feature in SFTP, we need to adjust /etc/ssh/sshd_config and /etc/syslog.conf. Below are the steps.

1. Replace the Subsystem line in /etc/ssh/sshd_config with

Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l INFO

2. Add the following line to /etc/syslog.conf:

#sftp logging
local5.* /var/log/sftpd.log

Finally, restart the syslogd and sshd services, and it's done. Now try an sftp upload and check the access log in /var/log/sftpd.log.
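As an added example (not part of the original post), the following shell functions apply the two edits above to whatever files are passed in, so they can be tried on copies before touching /etc. The sftp-server path and the log file name are the ones used in the steps above; the Subsystem line is replaced in place if one exists, and otherwise inserted before the first Match block, since sshd does not accept Subsystem inside a Match block.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config and
# syslog.conf changes for SFTP logging to the files given as arguments.

SFTP_SERVER="/usr/libexec/openssh/sftp-server"   # path from the post
SFTP_LOG="/var/log/sftpd.log"                     # log file from the post

# Step 1: set the "Subsystem sftp" line in an sshd_config file.
# An existing active "Subsystem sftp" line is replaced (duplicates dropped);
# if there is none, the line goes before the first Match block or at the end.
set_sftp_subsystem() {
    cfg="$1"
    line="Subsystem sftp $SFTP_SERVER -f LOCAL5 -l INFO"
    tmp="$cfg.tmp.$$"
    awk -v new="$line" '
        $1 == "Subsystem" && $2 == "sftp" { if (!done) print new; done = 1; next }
        $1 == "Match" && !done           { print new; done = 1 }
        { print }
        END { if (!done) print new }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Step 2: send facility local5 to the SFTP log file (idempotent: the rule is
# only appended when no local5 rule is present yet).
add_sftp_syslog_rule() {
    conf="$1"
    if ! grep -q -E '^[[:space:]]*local5\.' "$conf"; then
        printf '#sftp logging\nlocal5.*\t%s\n' "$SFTP_LOG" >> "$conf"
    fi
}

# Verify both halves are in place; returns 0 only when they are.
check_sftp_logging_config() {
    grep -q -E '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]].*-f[[:space:]]+LOCAL5' "$1" &&
    grep -q -E '^[[:space:]]*local5\.' "$2"
}

# Usage: sh this_script.sh /etc/ssh/sshd_config /etc/syslog.conf
if [ "$#" -eq 2 ]; then
    set_sftp_subsystem "$1"
    add_sftp_syslog_rule "$2"
    check_sftp_logging_config "$1" "$2" && echo "SFTP logging configured"
fi
```

After running it against the real files, `sshd -t` will report any syntax problem before you restart sshd, and the restart of syslogd and sshd from the step above still has to be done by hand.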

If you are running a chrooted SFTP environment, two more steps are involved:

1. In each user's limited working environment, we need to create a directory "dev" in his home directory and link /dev/log into this directory, so that logs generated inside the chroot can be caught by the real system outside.

2. Then syslog needs to be adjusted to listen on this socket to catch the logging info. We need to modify /etc/sysconfig/syslog; below is an example:

shell$ grep SYSLOGD_OPTIONS /etc/sysconfig/syslog --color
SYSLOGD_OPTIONS="-m 0 -a /export/home/sftponly/dev/log"

The -a parameter specifies which socket syslog listens to.

By default it supports up to 19 additional sockets, as stated in the syslogd manual page:

-a socket
       Using this argument you can specify additional sockets from that syslogd has to listen to. This is needed if you're going to
       let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even
       more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. An example for a chroot() daemon is described
       by the people from OpenBSD at http://www.psionic.com/papers/dns.html.

If you have more than 19 chrooted users who need SFTP logging, you have to increase MAXFUNIX in syslogd.c.
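The two chroot steps, as an added example that is not part of the original post: the functions below create the per-user "dev" directory and generate the SYSLOGD_OPTIONS line for /etc/sysconfig/syslog with one "-a <chroot>/dev/log" per user, keeping the "-m 0" from the post's example. syslogd creates the socket at each -a path itself when it starts, so the directory only has to exist and must not be writable by the chrooted user. The MAXFUNIX limit of 19 is enforced so that a list too long for the stock syslogd is rejected instead of being silently truncated. The chroot paths used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: prepare chroot "dev" directories
# and write the matching SYSLOGD_OPTIONS line into a sysconfig file.

MAXFUNIX=19   # stock syslogd limit on additional -a sockets (see man page)

# Create <chroot>/dev (mode 0755, owned by whoever runs this, normally root)
# so the user cannot remove or replace the socket syslogd will put there.
prepare_chroot_dev() {
    home="$1"
    [ -d "$home" ] || { echo "no such chroot directory: $home" >&2; return 1; }
    mkdir -p "$home/dev"
    chmod 0755 "$home/dev"
}

# Print the SYSLOGD_OPTIONS assignment for the given chroot directories.
# Fails when more than MAXFUNIX sockets would be needed.
build_syslogd_options() {
    n=$#
    if [ "$n" -gt "$MAXFUNIX" ]; then
        echo "$n chroots exceed MAXFUNIX=$MAXFUNIX; raise MAXFUNIX in syslogd.c" >&2
        return 1
    fi
    opts="-m 0"
    for home in "$@"; do
        opts="$opts -a $home/dev/log"
    done
    printf 'SYSLOGD_OPTIONS="%s"\n' "$opts"
}

# Replace (or append) the SYSLOGD_OPTIONS line in a sysconfig file,
# leaving every other line (for example KLOGD_OPTIONS) untouched.
set_syslogd_options() {
    conf="$1"; shift
    newline=$(build_syslogd_options "$@") || return 1
    tmp="$conf.tmp.$$"
    awk -v new="$newline" '
        /^SYSLOGD_OPTIONS=/ { if (!done) print new; done = 1; next }
        { print }
        END { if (!done) print new }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Usage: sh this_script.sh /etc/sysconfig/syslog /export/home/user1 /export/home/user2 ...
if [ "$#" -ge 2 ]; then
    conf="$1"; shift
    for home in "$@"; do prepare_chroot_dev "$home" || exit 1; done
    set_syslogd_options "$conf" "$@" && echo "syslogd options written to $conf"
fi
```

syslogd has to be restarted afterwards so it binds the new sockets, and on a running system you can confirm each socket exists with `ls -l <chroot>/dev/log`.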

Below is an example output of SFTP logging:

May  8 10:31:15 FTP01 internal-sftp[21575]: session opened for local user joseph from [10.12.1.1]
May  8 10:31:16 FTP01 internal-sftp[21575]: opendir "/joseph/"
May  8 10:31:16 FTP01 internal-sftp[21575]: closedir "/joseph/"
May  8 10:31:19 FTP01 internal-sftp[21575]: session closed for local user joseph from [10.12.1.1]

Furthermore, you can add a logrotate config file so that /var/log/sftpd.log is handled like the other system log files, in case it grows too big.


2 thoughts on “How to Enable logging in SFTP”

  1. The various articles are much appreciated, but it appears that #2 above is a little off.

    2. Add the following line to /etc/syslog.conf:

    Should that not be referring to “rsyslog.conf”?

  2. For newer systems (CentOS 6/7), it is 🙂
    This post was created under CentOS 4/5, which uses syslog as log server. Rsyslog becomes the default log server in CentOS-6.
