(CentOS) default FTP (SFTP) Log File?
Solution 1
You can log sftp
, try this:
In /etc/ssh/sshd_config
file, change this line:
Subsystem sftp /usr/libexec/openssh/sftp-server
to:
Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
Then config syslog
log facility AUTH
to your file. In Centos 6. edit /etc/rsyslog.conf
, add this line:
auth.* /var/log/sftp.log
After making these changes reload (kill -HUP
) or restart sshd
and restart rsyslog
for them to take effect.
Solution 2
Mmmmm..but now there are another problem. /var/log/sftp.log
grows without control...
Add entry to /etc/logrotate.d/sftp
/var/log/sftp.log
{
rotate 24
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
Related videos on Youtube
夏期劇場
Updated on September 18, 2022Comments
-
夏期劇場 almost 2 years
I'm on
CentOS v6.4
and using its native FTP Server, which i suppose issftp
. (Am i right?) Now i can use FTP well. But i need to log the actions taken by Users.Logs for the actions, such us, who logged in, who modified which files, who deleted which files .. etc the basically important actions, you know.
So my simple questions would be:
- Where & how can i access/check the FTP Logs from Server, please?
- Can it even be done with default
SFTP
? (Do i needvsftpd
?)
In short words, what is the best & simplest way to get the FTP Logging, please?
-
夏期劇場 over 10 yearsOh ok, then after that, what should i do please? RESTART some services?
-
cuonglm over 10 yearsYes, restart
sshd
andrsyslog
services to make the changes. -
夏期劇場 over 10 yearsThanks so much, for the updates as well. I have ACCEPTED it already! (Since seems you have a good experience in this) Can i please add some comments to ask that, in this LOGS, (1) why can't i see the user's name, instead of just logging the activities only? (2) is there a log size or retention limit on this log-file please? (up to how long can i keep the logs in this file?) Thanks much again!!
-
夏期劇場 over 10 years
-l DEBUG
still can't help, to describe WHICH USER. And what you mean bylogrotate
please? :) -
夏期劇場 over 10 yearsHi do u mean to change to,
auth.* /var/log/sftp.log
in rsyslog? -
夏期劇場 over 10 yearsHi Gnouc, no need to restart
rsyslog
anymore? (according to your answer) -
cuonglm over 10 yearsI have updated it.
-
夏期劇場 over 10 yearsPlease kindly accept my latest edit request (changing to AUTH)
-
Елин Й. over 6 years@夏期劇場 Is it a convention to name it AUTH?
-
dstonek over 5 years/etc/logrotate.d/sftp instead of /etc/logrote.d/sftp