Having a bit of an issue with CentOS 6.2. Specifically, I've set up a chroot jail which only permits sftp access to a specific home directory.
The jail works as I'd expect it to with the exception of the logging.
My changes to /etc/sshd_config were to comment out the default Subsystem entry and add the following:
    Subsystem sftp internal-sftp -l VERBOSE -f LOCAL6
    Match User webuser
        ForceCommand internal-sftp -l VERBOSE -f LOCAL6
/etc/rsyslog.conf had the following lines added:
When accessing the server via sftp with any user but webuser, the jail is not activated and sftp logging is written to /var/log/sftp.log as expected. When logging in via sftp as webuser, the jail operates properly but only what I assume is the basic AUTHPRIV data is recorded into /var/log/secure. Specifically:
    Jan 31 17:02:20 server sshd: Accepted password for webuser from 192.168.1.100 port 53361 ssh2
    Jan 31 17:02:20 server sshd: pam_unix(sshd:session): session opened for user webuser by (uid=0)
    Jan 31 17:02:20 server sshd: subsystem request for sftp
    Jan 31 17:02:21 server sshd: pam_unix(sshd:session): session closed for user webuser
Stopping and starting the rsyslog daemon will remove and create the listen socket at /home/live/example.com/dev/log.
The installed versions of openssh and rsyslog are 5.3 and 4.6.2 respectively.