
chroot sftp logging

Created by dave. Last edited by dave, 282 days ago. Viewed 374 times. #3
(2017-10-10)

Problem

Need to log sftp traffic in my chroot'd user directories.

Solution

In /etc/ssh/sshd_config:

# override default of no subsystems
Subsystem       sftp    internal-sftp -f LOCAL7 -l INFO

Be sure that all instances of your internal-sftp in sshd_config are similarly modified.

In rsyslogd.conf:

$AddUnixListenSocket /var/spool/rsyslog/rsyslog-sftp
# Parse the data logged at level INFO and facility LOCAL7 into /var/log/sftp.log
local7.info /var/log/sftp.log

# Report logins and logoffs
:syslogtag,startswith,"sftp-server" /var/log/sftp.log

Then restart rsyslog.

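In each chroot home directory (ln without -s makes a hard link, so the directory must be on the same filesystem as /var/spool/rsyslog):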

# ln /var/spool/rsyslog/rsyslog-sftp dev/log
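
An added check for the setup above (not part of the original page): it lists sshd_config lines that use internal-sftp without -f/-l and verifies that a chroot's dev/log is a hard link to the rsyslog socket. The function names, the sftponly group and the demo paths are assumptions, and a regular file stands in for the socket.

```shell
#!/bin/sh
# Print sshd_config lines that use internal-sftp without both -f and -l,
# e.g. a ForceCommand inside a Match block that was missed.
unlogged_sftp_lines() {
    awk '
        /^[ \t]*#/ { next }   # skip comment lines
        /internal-sftp/ && !(/ -f[ \t]+[A-Za-z0-9]/ && / -l[ \t]+[A-Za-z0-9]/) {
            printf "%d: %s\n", NR, $0
        }' "$1"
}

# Succeed only if CHROOT/dev/log is a hard link to SOCKET (same device and inode).
# A symlink is rejected because its target path does not exist inside the chroot;
# a stale link (socket file recreated since ln was run) fails the -ef test.
chroot_log_ok() {
    socket=$1
    link=$2/dev/log
    if [ -L "$link" ]; then echo "symlink, dangles inside chroot: $link"; return 1; fi
    if [ ! -e "$link" ]; then echo "missing: $link"; return 1; fi
    if [ ! "$socket" -ef "$link" ]; then echo "not the same inode as $socket: $link"; return 1; fi
    return 0
}

# Constructed demo fixture: a regular file stands in for the rsyslog socket
# (hard links behave the same way), plus a sample sshd_config.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/spool" "$demo_dir/home/alice/dev" "$demo_dir/home/bob/dev"
: > "$demo_dir/spool/rsyslog-sftp"
ln "$demo_dir/spool/rsyslog-sftp" "$demo_dir/home/alice/dev/log"    # as on the page
ln -s "$demo_dir/spool/rsyslog-sftp" "$demo_dir/home/bob/dev/log"   # mistake: symlink
cat > "$demo_dir/sshd_config" <<'EOF'
# override default of no subsystems
Subsystem       sftp    internal-sftp -f LOCAL7 -l INFO
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
EOF

echo "internal-sftp lines without logging flags:"
unlogged_sftp_lines "$demo_dir/sshd_config"
for home in "$demo_dir"/home/*; do
    if chroot_log_ok "$demo_dir/spool/rsyslog-sftp" "$home"; then echo "ok: $home/dev/log"; fi
done
```

On a real system, call unlogged_sftp_lines /etc/ssh/sshd_config and chroot_log_ok /var/spool/rsyslog/rsyslog-sftp with each chroot home directory.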
