Activity Logging Level in SFTP


Here's some sample log file output:

Feb 26 23:04:55 pegasus internal-sftp[32524]: session opened for local user joeuser from [123.123.123.123]
Feb 26 23:04:57 pegasus internal-sftp[32524]: opendir "/home/joeuser"
Feb 26 23:04:58 pegasus internal-sftp[32524]: closedir "/home/joeuser"
Feb 26 23:05:01 pegasus internal-sftp[32524]: opendir "/home/joeuser/"
Feb 26 23:05:01 pegasus internal-sftp[32524]: closedir "/home/joeuser/"
Feb 26 23:05:02 pegasus internal-sftp[32524]: opendir "/home/joeuser/upload"
Feb 26 23:05:02 pegasus internal-sftp[32524]: closedir "/home/joeuser/upload"
Feb 26 23:05:07 pegasus internal-sftp[32524]: opendir "/home/joeuser/upload"
Feb 26 23:05:07 pegasus internal-sftp[32524]: closedir "/home/joeuser/upload"
Feb 26 23:05:09 pegasus internal-sftp[32524]: session closed for local user joeuser from [123.123.123.123]

Which user is which?

If you take notice of the output above, there is a number between square brackets, internal-sftp[32524]. The number is 32524. This represents the session ID for user joeuser, so you can use this string to work out which messages relate to which user's login.

Rotating the logs

You can modify the log rotation schedule for various logs under /etc/logrotate.d/*. Each log file typically has a corresponding file in this directory. So you could change the syslog file there, for example, or create your own for your sftp.log logfile.

Also logrotate has a configuration file, /etc/logrotate.conf which contains these lines:

# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

These are what the files in the /etc/logrotate.d directory use if they don't have a setting of their own. So most files are rotated weekly and 4 of them are kept. If you wanted to keep 6 months, it would be 4*6 = 24 for the rotate option, roughly.

Example

Given you're logging to /var/log/sftp.log via syslog you'll need to make your changes in this file, /etc/logrotate.d/syslog. Your file will look like this after making the required changes:

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
/var/log/sftp.log
{
    rotate 24
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Since you're using syslog you'll have to rotate all these log files as well, and keep 24 weeks' worth of these as well. If this is unacceptable, then your only other course of action would be to create a separate section in this file (syslog), like so:

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

/var/log/sftp.log
{
    rotate 24
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

This has some side-effects, one being that you'll be restarting the syslog daemon 2 times each week instead of once. But the logrotate syntax does not allow for fine-grained control of the rotation schedule for certain logfiles while not rotating others, when the log files are being generated by the same service, i.e. syslog.
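As an added example (not part of the answer above), here is a small Python script that applies the session-ID idea from the "Which user is which?" section: it maps the PID in brackets to the username from the "session opened" line and attributes every later operation line with that PID to that user, dropping the mapping on "session closed" so a reused PID is re-attributed to the next session. The log lines embedded below are constructed in the same format as the ones in the answer; the hostnames, users and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the format shown in the answer (not real traffic).
# PID 32524 is deliberately reused by a second session (alice) after joeuser's
# session closes, and PID 32999 has no "session opened" line at all.
SAMPLE_LOG = """\
Feb 26 23:04:55 pegasus internal-sftp[32524]: session opened for local user joeuser from [123.123.123.123]
Feb 26 23:04:57 pegasus internal-sftp[32524]: opendir "/home/joeuser"
Feb 26 23:04:58 pegasus internal-sftp[32524]: closedir "/home/joeuser"
Feb 26 23:05:00 pegasus internal-sftp[32601]: session opened for local user jimmy from [123.123.123.124]
Feb 26 23:05:02 pegasus internal-sftp[32524]: opendir "/home/joeuser/upload"
Feb 26 23:05:03 pegasus internal-sftp[32601]: mkdir name "/home/jimmy/new" mode 0777
Feb 26 23:05:09 pegasus internal-sftp[32524]: session closed for local user joeuser from [123.123.123.123]
Feb 26 23:05:10 pegasus internal-sftp[32601]: session closed for local user jimmy from [123.123.123.124]
Feb 26 23:06:00 pegasus internal-sftp[32524]: session opened for local user alice from [123.123.123.125]
Feb 26 23:06:01 pegasus internal-sftp[32524]: opendir "/home/alice"
Feb 26 23:07:00 pegasus internal-sftp[32999]: opendir "/home/orphan"
"""

# syslog prefix: timestamp, host, program name, [pid], then the sftp message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>internal-sftp|sftp-server)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
OPEN_RE = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]$')
CLOSE_RE = re.compile(r'^session closed for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]$')


def attribute_sftp_log(text):
    """Return a list of (timestamp, user, pid, message) tuples, one per operation line.

    The PID in brackets identifies the sftp subprocess for one session, so every
    line carrying that PID between 'session opened' and 'session closed' belongs
    to the user named in the 'session opened' line. PIDs are reused after the
    process exits, so the mapping is dropped on 'session closed' and rebuilt by
    the next 'session opened' with that PID.
    """
    active = {}   # pid -> user, for sessions currently open
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sftp line (other syslog traffic in a shared file)
        pid, msg = m.group('pid'), m.group('msg')
        o = OPEN_RE.match(msg)
        if o:
            active[pid] = o.group('user')
            continue
        c = CLOSE_RE.match(msg)
        if c:
            active.pop(pid, None)
            continue
        # An operation whose 'session opened' line was rotated away or never
        # logged cannot be attributed; flag it rather than guessing a user.
        user = active.get(pid, 'UNKNOWN')
        events.append((m.group('ts'), user, pid, msg))
    return events


def operations_by_user(text):
    """Group operation messages per user, preserving log order."""
    grouped = defaultdict(list)
    for _ts, user, _pid, msg in attribute_sftp_log(text):
        grouped[user].append(msg)
    return dict(grouped)


if __name__ == '__main__':
    for ts, user, pid, msg in attribute_sftp_log(SAMPLE_LOG):
        print(f'{ts} {user:<8} [{pid}] {msg}')
```

Run it against a real file with `attribute_sftp_log(open('/var/log/sftp.log').read())`. Lines attributed to UNKNOWN are the ones to look at first when checking whether your rotation window is long enough: if the "session opened" line has already been rotated out, the operations that follow it can no longer be tied to a user.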

Author: 夏期劇場

Updated on September 18, 2022
Comments

  • 夏期劇場
    夏期劇場 over 1 year

    I'm using CentOS, i have already figured out how to enable the SFTP Logging. After that when i test it by using FileZilla (from User-end) and tail -f /var/log/sftp.log from the Server, all the activities from the Users are surely logged. Working great!

    But i still have some important questions related to this, as below:

    • In the log file, nothing is mentioned about the USERNAME. The USERNAMES are not logged / mentioned anywhere in the LOGS for every single activity (only the FTP Login / Logout activities are logged, as a single line among millions of lines. But it is not effective if I have more than 1 user)

    For example:

    Feb 27 02:59:31 myhostname sftp-server[13307]: session opened for local user michael from [10.xxx.xxx.xxx]
    Feb 27 03:01:00 myhostname sftp-server[13312]: session opened for local user jimmy from [10.xxx.xxx.xxx]
    ...
    ...
    Feb 27 04:00:34 myhostname sftp-server[13307]: mkdir name "/var/www/html/nnnnn" mode 0777
    ...
    Feb 27 04:01:30 myhostname sftp-server[13307]: rmdir name "/var/www/html/nnnnn"
    Feb 27 04:01:30 myhostname sftp-server[13307]: opendir "/var/www/html"
    Feb 27 04:01:30 myhostname sftp-server[13307]: closedir "/var/www/html"
    

    There is NO USERNAME mentioned in the lines itself. (Except for the login/logout actions)
    And the another question is:

    • How long can I keep these logs for? I mean, is it possible if I want the LOG FILE to always keep the lines inside up to the last 6 months?

    Any idea please?

    • Admin
      Admin about 10 years
      I guess because you login as guest account?
    • Admin
      Admin about 10 years
      No. It is a CREATED USER by root useradd xxxxx (as you can see, session opened for local user). I'll change the username in the question, which seems confusing.
  • cuonglm
    cuonglm about 10 years
    Maybe I have some misunderstanding about @夏期劇場's question. He wants the username before any user's activity, not the log in and log out events.
  • 夏期劇場
    夏期劇場 about 10 years
    Omg! I think i know!! The brackets [] are the session numbers for each users!!!
  • 夏期劇場
    夏期劇場 about 10 years
    So ok! i think we got it. But isn't there a way to change the number to username properly? if possible, as an advantage.
  • slm
    slm about 10 years
    @夏期劇場 - look here, practicingtechie.com/2012/09/16/…. There is a wrapper script which you can use as a hook for session starts and ends. I'm thinking you could modify that to print a custom begin/end message (for starters) the other idea would be to funnel the output from sftp-server and do the re-write yourself on the fly.
  • 夏期劇場
    夏期劇場 about 10 years
    Hi slm, thank you so much. "create your own for your sftp.log logfile" means I should edit the /etc/logrotate.d/syslog and then put one new set, like: /var/log/sftp.log { 24 weeks } ? I'm sorry I'm unable to fully understand it :(
  • slm
    slm about 10 years
    @夏期劇場 - I said it that way because I wasn't sure where you were actually logging. Are you using /var/log/messages or /var/log/sftp.log? If it's messages then yes you'd change the syslog file. If you're logging to sftp.log then you probably don't have any log rotation so you could make a new file and specify the rotation period in there, overriding the default.