I am new at this forum, I have a Server with Centos

Linux Server01 2.6.32-279.1.1.el6.x86_64 #1 SMP Tue Jul 10 13:47:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

with SFTP implemented it is working fine, but I need to audit all user that will use de SFTP.
My sshd_config is like this:

# override default of no subsystems
#Subsystem sftp internal-sftp
Subsystem sftp internal-sftp -l VERBOSE

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server


Match group sftponly
ChrootDirectory /sftp/sftp
X11Forwarding no
AllowTcpForwarding no
#ForceCommand internal-sftp
ForceCommand internal-sftp -l VERBOSE


I search at internet and find some people that use the option -l VERBOSE and it start to register at the logs, but it not work, it just log when user log, logoff, password mistake, I need it show when user got inside dir, change file, delete files for exemple.
Someone ahead had this problem ?
Log I have in /var/log/secure


Aug 14 17:41:33 server01 sshd[2664]: Accepted password for mickey from xxx.xxx.xxx.xxx port 57250 ssh2
Aug 14 17:41:33 server01 sshd[2664]: pam_unix(sshd:session): session opened for user mickey by (uid=0)
Aug 14 17:41:34 server01 sshd[2666]: subsystem request for sftp
Aug 14 17:47:41 server01 sshd[2664]: pam_unix(sshd:session): session closed for user mickey

I got inside of many dir copy files and delete but it dont show at logs.

Some idea ?
Thanks for all.

Try replacing "internal-sftp" with "sftp-server" and see 'man 8 sftp-server' for logging options?

I Try replace "internal-sftp" with "sftp-server" but When I did it I have se follow Erro when try conection,

Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).

I am searching but I did not find the solution.

Thanks a lot.

So what shell does your user use?

I find a way to make logs work.

I put at /etc/rsyslog.conf

# Create an additional socket for some of the sshd chrooted users.
$AddUnixListenSocket /sftpdata/sftpdata/dev/log

# Log internal-sftp in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~



and I creat a dir at /sftpdata/sftpdata/ named dev

# mkdir dev

I leave /etc/ssh/sshd_config the way I had post
and restart the rsyslog

# service rsyslog restart

And it start to work.

#tail -f /var/log/secure

Aug 17 10:24:51 server01 sshd[9482]: received client version 5
Aug 17 10:24:51 server01 sshd[9482]: realpath "."
Aug 17 10:24:51 server01 sshd[9482]: opendir "/"
Aug 17 10:24:51 server01 sshd[9482]: closedir "/"
Aug 17 10:24:59 server01 sshd[9482]: realpath "/files1"
Aug 17 10:24:59 server01 sshd[9482]: lstat name "/files1"
Aug 17 10:24:59 server01 sshd[9482]: opendir "/files1"
Aug 17 10:24:59 server01 sshd[9482]: closedir "/files1"
Aug 17 10:28:33 server01 sshd[9482]: realpath "/files1/Company1"
Aug 17 10:28:33 server01 sshd[9482]: lstat name "/files1/Company1"
Aug 17 10:28:33 server01 sshd[9482]: opendir "/files1/Company1"
Aug 17 10:28:33 server01 sshd[9482]: closedir "/files1/Company1"

Thanks very much !!
Thanks unSpawn

1 members found this post helpful.

Well done and thanks for posting your solution.

Since this thread showed up when I was googling the same problem, but for Debian/Ubuntu, I just wanted to share the solution that I eventually came to. I posted it over at the Ubuntu forums http://ubuntuforums.org/showthread.php?t=2081637.
Thank you for pointing me in the right direction.

1 members found this post helpful.