How to log the SFTP or SCP transactions on the Server Side?

Shashi Kanth · 11-26-2012, 12:50 AM

Hi friends,

I am working on a RHEL 6.2 server in a Data Centre. I have given the SFTP permissions to users and allowed users to transfer files from the Server to client and vice versa.

Here my question is can I log on the server side what files the users are moving to what location on the server? If so, how?

Thanks in advance.

Shashi

tshikose · 11-26-2012, 01:38 AM

Hi,

My first suggestion is to go to /var/log/secure. It logs every logging attempts, including SFTP that is first SSH, than underlying file manipulation commands.

That said, I do not how easily you can keep traces (kind of duplication of .history) of an SSH session.
Try to see if you can enforce more logging in /etc/sshd_config.

vishesh · 11-26-2012, 08:01 AM

In Your /etc/ssh/sshd_config, You may find a line like following

Subsystem sftp /usr/libexec/openssh/sftp-server

Edit this line with following

Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO

Above line will generate INFO level log in /var/log/secure

Thanks

Turbocapitalist · 11-26-2012, 09:35 AM

Setting the log level to INFO ought to do the trick. You might also want to modify syslog (or whatever RHEL uses) to sort the sftp log entries to their own file.