Where would you find SCP logs?
Solution 1
scp is executed internally just as ssh command and transferred files are not logged. You have only authentication logs in /var/log/auth.log or somewhere like this.
Solution 2
I studied this once when I had to come up with a way to monitor SCP transfers. The OpenSSH scp utility doesn't log anything. It supports debugging output for the underlying SSH session, but that won't log the actual file transfers which are taking place.
Similarly, the OpenSSH server can be set to log detail about what it's doing, and it can be set to log the fact that a user connected and ran scp, but it won't log the actual file transfers which are taking place.
If you can't get these users to use SFTP instead, there are three approaches available to you:
1. Investigate commercial SSH/SFTP/SCP servers. They should generally support logging file transfers.
2. Replace the scp utility on the server with one that logs the data you want. OpenSSH is open source. Someone who knows how to program in C for Unix could download the source and modify it.
3. Replace the scp utility with a "wrapper" that launches the original scp program and monitors what it does. There are debugging tools for Unix which can monitor what another process is doing.
We took the third approach. We wrote a Perl script which launched the original scp program under strace. Strace would output the names of files being opened and closed by the scp process. The Perl script read the strace output and converted it to log entries.
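The log-conversion step of the wrapper approach in Solution 2, written in Python instead of the Perl the answer mentions (an added example, not the answer author's script). It assumes strace output as written by `strace -f -o FILE -e trace=open,openat,close`; the function name, noise-prefix list, log format and sample lines are constructed for illustration.

```python
import re

# open()/openat() and close() lines, each prefixed with the traced PID.
OPEN_RE = re.compile(
    r'^(?P<pid>\d+)\s+open(?:at)?\((?:AT_FDCWD, )?"(?P<path>(?:[^"\\]|\\.)*)", '
    r'(?P<flags>[A-Z_|]+)(?:, \d+)?\)\s+=\s+(?P<ret>-?\d+)')
CLOSE_RE = re.compile(r'^(?P<pid>\d+)\s+close\((?P<fd>\d+)\)\s+=\s+0')
# Assumption: opens under these prefixes are loader/config noise, not transfers.
NOISE = ("/etc/", "/lib", "/usr/", "/proc/", "/dev/", "/sys/")

def transfers(strace_lines, user):
    """Yield one log entry per file that scp opened and later closed."""
    open_fds = {}  # (pid, fd) -> (path, direction)
    for line in strace_lines:
        m = OPEN_RE.match(line)
        if m:
            flags = set(m["flags"].split("|"))
            if int(m["ret"]) < 0 or m["path"].startswith(NOISE) or "O_DIRECTORY" in flags:
                continue  # failed open, system file, or directory scan
            direction = "received" if flags & {"O_WRONLY", "O_RDWR"} else "sent"
            open_fds[(m["pid"], m["ret"])] = (m["path"], direction)
            continue
        m = CLOSE_RE.match(line)
        if m and (m["pid"], m["fd"]) in open_fds:
            path, direction = open_fds.pop((m["pid"], m["fd"]))
            # Keep strace's escaped, quoted path so odd filenames cannot forge entries.
            yield f'scp user={user} pid={m["pid"]} {direction} path="{path}"'

SAMPLE = [  # constructed strace output, not captured from a real session
    '4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
    '4242 close(3) = 0',
    '4242 openat(AT_FDCWD, "/home/alice/in/report.pdf", O_WRONLY|O_CREAT, 0644) = 3',
    '4242 close(3) = 0',
    '4242 openat(AT_FDCWD, "/home/alice/nope", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory)',
    '4242 open("/srv/export/db dump.sql", O_RDONLY|O_NONBLOCK) = 4',
    '4242 close(4) = 0',
]

if __name__ == "__main__":
    for entry in transfers(SAMPLE, "alice"):
        print(entry)
```

A file written on the server is logged as received and a file read is logged as sent; failed opens and reused descriptor numbers from skipped system files produce no entry.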
rew
Updated on September 18, 2022
Comments
-
rew over 1 year
I can't seem to get SCP logs (on the server) to show up anywhere. I've searched through quite a few pages, including:
http://ubuntuforums.org/showthread.php?t=1789437
http://ubuntuforums.org/showthread.php?t=851891
I've tried on 10.04 (yes, EOL, etc.) with OpenSSH 5.3 and 12.04 with OpenSSH 5.9, I've enabled all levels of logging including DEBUG3 in /etc/ssh/sshd_config, and tried regular users and root, but nothing about the file that was transferred (or even that a file was transferred) shows up in any log for SCP. SFTP logs show up in auth.log even without cranking up the LogLevel to VERBOSE.
Is there anything I'm missing? Can anyone confirm they are able to get SCP logs to show up somewhere?
Thanks
-
Rinzwind over 8 years
"incron" would be #4 and probably easier than your 3 ;)
-
Kenster over 8 years
@Rinzwind I don't see a way to limit incron to trigger on events from a specific program (like scp), or to tell what process triggered an event.
-
Fabby over 8 years
I would have upvoted if 1 and 3 were reversed...
-
Scott Prive about 5 years
This was downvoted to zero, and not only is it 100% correct -- it's the simplest answer.
-
CoolKoon almost 3 years
@ScottPrive I think the reason it was downvoted is because simply saying "there are no logs" isn't really useful to someone who stumbles upon this answer after feverishly searching for ways of logging such traffic.