(CentOS) default FTP (SFTP) Log File?

centos logs ftp sftp audit

61,894

Solution 1

You can log sftp, try this:

In /etc/ssh/sshd_config file, change this line:

Subsystem       sftp    /usr/libexec/openssh/sftp-server

to:

Subsystem       sftp    /usr/libexec/openssh/sftp-server -l INFO -f AUTH

Then config syslog log facility AUTH to your file. In Centos 6. edit /etc/rsyslog.conf, add this line:

auth.*    /var/log/sftp.log

After making these changes reload (kill -HUP) or restart sshd and restart rsyslog for them to take effect.

Solution 2

Mmmmm..but now there are another problem. /var/log/sftp.log grows without control... Add entry to /etc/logrotate.d/sftp

/var/log/sftp.log
{
    rotate 24
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

61,894

夏期劇場

Updated on September 18, 2022

Comments

夏期劇場 almost 2 years
I'm on CentOS v6.4 and using its native FTP Server, which i suppose is sftp. (Am i right?) Now i can use FTP well. But i need to log the actions taken by Users.

Logs for the actions, such us, who logged in, who modified which files, who deleted which files .. etc the basically important actions, you know.

So my simple questions would be:
- Where & how can i access/check the FTP Logs from Server, please?
- Can it even be done with default SFTP? (Do i need vsftpd?)
In short words, what is the best & simplest way to get the FTP Logging, please?
夏期劇場 over 10 years

Oh ok, then after that, what should i do please? RESTART some services?
cuonglm over 10 years

Yes, restart sshd and rsyslog services to make the changes.
夏期劇場 over 10 years

Thanks so much, for the updates as well. I have ACCEPTED it already! (Since seems you have a good experience in this) Can i please add some comments to ask that, in this LOGS, (1) why can't i see the user's name, instead of just logging the activities only? (2) is there a log size or retention limit on this log-file please? (up to how long can i keep the logs in this file?) Thanks much again!!
夏期劇場 over 10 years

-l DEBUG still can't help, to describe WHICH USER. And what you mean by logrotate please? :)
夏期劇場 over 10 years

Hi do u mean to change to, auth.* /var/log/sftp.log in rsyslog?
夏期劇場 over 10 years

Hi Gnouc, no need to restart rsyslog anymore? (according to your answer)
cuonglm over 10 years

I have updated it.
夏期劇場 over 10 years

Please kindly accept my latest edit request (changing to AUTH)
Елин Й. over 6 years

@夏期劇場 Is it a convention to name it AUTH?
dstonek over 5 years

/etc/logrotate.d/sftp instead of /etc/logrote.d/sftp