LinuxQuestions.org


RatherBFishin 08-29-2012 09:37 AM

SFTP logging for Chroot on CentOS 6.2 with openssh-5.3 not working (internal-sftp)
 
Hello all, and, thanks in advance for any replies.

I did search for this topic on this forum, and with Google. I found some promising information, but I have not been able to get this to work yet.

I'm hoping for some help getting SFTP logging detail to /var/log/sftp.log, for Chrooted users.

I've been able to get the jailed chroot working, but when I sftp a file, the only logs I see are in the /var/log/secure file, and they only include authentication information, like:

Aug 29 10:07:40 superbadjr sshd[25120]: Accepted password for ...
Aug 29 10:07:40 superbadjr sshd[25120]: pam_unix(sshd:session): session opened for user...
Aug 29 10:07:40 superbadjr sshd[25122]: subsystem request for sftp
Aug 29 10:08:40 superbadjr sshd[25120]: pam_unix(sshd:session): session closed for user...

I would like for the sftp.log file to include the open and close log entries, like:

Aug 28 11:26:20 superbadjr internal-sftp[30116]: open "/var/ftp/sftproot/wegener/status.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Aug 28 11:26:20 superbadjr internal-sftp[30116]: close "/var/ftp/sftproot/wegener/status.txt" bytes read 0 written 293825

Note -- non-chrooted users log to the sftp.log file just fine.

Here are the changes I've made to the /etc/ssh/sshd_config file:

#Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
Subsystem sftp internal-sftp -l INFO -f AUTH
Match Group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Note - the home directory I'm using for the above "%h" is /var/ftp/sftproot

Here are the changes I've made to /etc/rsyslog.conf:

auth.info /var/log/sftp.log
# Create an additional socket for some of the sshd chrooted users:
$AddUnixListenSocket /var/ftp/sftproot/dev/log

Note - I did create the /var/ftp/sftproot/dev directory, and the "log" socket did get created upon restarting the rsyslog service.

If there is any further information I could provide to help, please let me know.

Again, thanks for any replies.

unSpawn 08-30-2012 06:45 PM

Shouldn't you set up sockets before you configure where you want to log facility / priority pairs to?
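
Added example, not written by either poster: a small Python audit of the two config fragments quoted in the question. It flags a chrooted Match block whose ForceCommand internal-sftp carries no -l flag (when ForceCommand applies, internal-sftp takes its arguments from that line, not from the Subsystem line), and it reports where the $AddUnixListenSocket line sits relative to the auth.* rule, the ordering the reply asks about. The function names and embedded sample strings are constructed for this example.

```python
# Constructed sample input: the two config fragments quoted in the question.
SSHD_CONFIG = """\
Subsystem sftp internal-sftp -l INFO -f AUTH
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
"""
RSYSLOG_CONF = """\
auth.info /var/log/sftp.log
$AddUnixListenSocket /var/ftp/sftproot/dev/log
"""

def match_blocks(text):
    """Split sshd_config text into (criteria, {keyword: args}) per Match block."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, args = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            blocks.append((args.strip(), {}))
        elif blocks:  # global options before the first Match are not audited here
            blocks[-1][1][key.lower()] = args.strip()
    return blocks

def audit_sshd(text):
    """Flag chrooted Match blocks whose forced internal-sftp sets no log level."""
    findings = []
    for criteria, opts in match_blocks(text):
        cmd = opts.get("forcecommand", "").split()
        if "chrootdirectory" in opts and cmd[:1] == ["internal-sftp"] and "-l" not in cmd:
            findings.append(f"Match {criteria}: ForceCommand internal-sftp has no -l flag")
    return findings

def audit_rsyslog(text, chroot_dir):
    """Check for a listener on <chroot_dir>/dev/log and report its position vs the auth rule."""
    lines = [" ".join(l.split()) for l in text.splitlines()]
    want = f"$AddUnixListenSocket {chroot_dir}/dev/log"
    if want not in lines:
        return [f"no listener for {chroot_dir}/dev/log"]
    rule = next((i for i, l in enumerate(lines) if l.startswith("auth.")), None)
    if rule is not None and lines.index(want) > rule:
        return ["listener is declared after the auth.* rule"]
    return []

if __name__ == "__main__":
    for finding in audit_sshd(SSHD_CONFIG) + audit_rsyslog(RSYSLOG_CONF, "/var/ftp/sftproot"):
        print(finding)
```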

