# openssh sftp session logging? [SOLVED]

## RaceTM

Hey all,

I'd like to know if there is a way to log sftp sessions. Specifically, I'm trying to find out how to log which files are downloaded the most often, etc.

I read about a patch for openssh version 3.x which enabled session logging, but apparently this patch isn't available for 4.x. Does anybody have any ideas as to what's available?

***** SOLUTION *****

I was able to get this resolved using syslog as the system logger.  I was not able to duplicate my success using metalog, and since ssh logging is high priority, I simply switched to syslog on this system.

Anyways, syslog uses a file on the filesystem as a fifo to write data to temporarily. The issue is that when a user is chrooted to a jail, it no longer has access to the fifo it normally uses, which is located in /dev/log. So, what needs to be done is to give syslog a fifo inside the jail, and tell syslog to use it. This is done with the following steps:

1) make a directory in your jail where you want to create the fifo, then use mknod to create it

```
mknod /path/to/jail/dev/log p
```

2) Tell syslog to use this fifo in addition to the one it normally uses, by starting it with the following parameters:

```
/usr/sbin/syslogd -a /path/to/jail/dev/log
```

As a note, you can also modify the script in init.d to automatically do this whenever you use the script. In the file /etc/init.d/sysklogd, find the following line in the start_daemon() function:

```
    --exec /usr/sbin/${daemon} ${options}
```

replace it with:

```
    --exec /usr/sbin/${daemon} ${options} -a /path/to/jail/dev/log
```

After doing the above steps, your session logs should start appearing in /var/log/messages. If not, you might need to change the log level of sftp-server in sshd_config. Mine is currently set to:

```
Subsystem       sftp    /usr/lib/misc/sftp-server -l INFO -f USER
```

If this small tip helps you, please let me know! And if you are able to figure out a way to get this to work using metalog, let me know as well. As far as I was able to tell, the current release of metalog doesn't support user-added fifos.

Last edited by RaceTM on Tue May 01, 2007 12:37 am; edited 4 times in total

----------

## timeBandit

You can set the logging level for the sftp subsystem in the SSH server config file:

```
Subsystem   sftp    /usr/lib/misc/sftp-server -l INFO
```

Restart sshd to have the change take effect. The INFO level is sufficient to log the name, size and permissions of every file transferred. Experiment with others to your taste:

*man 8 sftp-server wrote:*

> Command-line flags to sftp-server should be specified in the Subsystem declaration.  See sshd_config(5) for more information.
> 
> Valid options are:
> 
> ...
> ...


The preceding applies at least as of OpenSSH 4.5_p1.
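To get from the INFO-level messages described above to the answer RaceTM was originally after (which files get downloaded most often), here is an added example that is not from the thread. The log lines are constructed in the shape sftp-server prints at `-l INFO` (`open "path" flags READ mode ...` and `close "path" bytes read N written M`), with the timestamp and host prefix that syslog adds assumed.

```shell
#!/bin/sh
# Constructed sample in the style of sftp-server "-l INFO" output as it lands in
# /var/log/messages. Alice downloads report.pdf and photo.jpg and uploads notes.txt;
# Bob downloads report.pdf. The sshd line is there to show it is ignored.
SAMPLE_LOG='Apr 16 01:20:01 host sftp-server[4011]: session opened for local user alice from [192.0.2.10]
Apr 16 01:20:02 host sftp-server[4011]: open "/home/alice/report.pdf" flags READ mode 0666
Apr 16 01:20:02 host sftp-server[4011]: close "/home/alice/report.pdf" bytes read 10240 written 0
Apr 16 01:20:03 host sftp-server[4011]: open "/home/alice/photo.jpg" flags READ mode 0666
Apr 16 01:20:03 host sftp-server[4011]: close "/home/alice/photo.jpg" bytes read 4096 written 0
Apr 16 01:20:05 host sftp-server[4011]: open "/home/alice/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Apr 16 01:20:05 host sftp-server[4011]: close "/home/alice/notes.txt" bytes read 0 written 300
Apr 16 01:21:00 host sftp-server[4020]: session opened for local user bob from [192.0.2.11]
Apr 16 01:21:01 host sftp-server[4020]: open "/home/alice/report.pdf" flags READ mode 0666
Apr 16 01:21:01 host sftp-server[4020]: close "/home/alice/report.pdf" bytes read 10240 written 0
Apr 16 01:21:03 host sshd[4019]: Accepted publickey for bob from 192.0.2.11 port 51022 ssh2'

# Reads syslog lines on stdin and prints "opens bytes_read path", most-opened first.
# Only sftp-server "open" lines whose flags include READ count as a download;
# "close" lines supply the bytes actually served. Uploads and sshd lines are skipped.
top_downloads() {
    awk '
        / sftp-server\[[0-9]+\]: open "/ && / flags [A-Z,]*READ/ {
            split($0, q, "\"")          # q[2] is the quoted path
            opens[q[2]]++
        }
        / sftp-server\[[0-9]+\]: close "/ {
            split($0, q, "\"")          # q[3] is " bytes read N written M"
            split(q[3], f, " ")
            bytes[q[2]] += f[3]
        }
        END {
            for (p in opens) printf "%d %d %s\n", opens[p], bytes[p], p
        }' | sort -rn
}

# Convenience wrapper that feeds the constructed sample through the report.
top_downloads_from_string() {
    printf '%s\n' "$SAMPLE_LOG" | top_downloads
}
```

On a live system, run `top_downloads < /var/log/messages` (or whatever file your logger writes sftp-server messages to).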

----------

## RaceTM

Thanks for the reply!

I actually played with the logging level options quite a bit, that was one of the first things I tried. From my results, however, it didn't look like any file data was being logged. I will try it again and do some more testing though, it's quite possible I forgot to restart the daemon or some other thing.

----------

## timeBandit

Don't forget to check your logger configuration.   :Smile:   You could have everything set up properly for ssh/sftp, only to have your logger throw the messages into the bit bucket.

----------

## RaceTM

Well I'm not sure if that's the problem or not. I do get information from sshd, but it would seem that nothing from sftp-server is getting logged in /var/log/sshd/current, which is where the sshd messages are going. There is also no directory in /var/log where data is getting written to after I perform a file transfer. Does sftp logging have to be enabled somewhere else? I wasn't able to find the config file for the system log, if there is one.

I think the bit bucket is doing selective filtering   :Confused: 

----------

## RaceTM

bump!

----------

## timeBandit

*RaceTM wrote:*

> I wasn't able to find the config file for the system log, if there is one.
> 
> I think the bit bucket is doing selective filtering  


There is, somewhere, and you're right.   :Smile: 

Run `emerge -s sysklogd syslog-ng metalog` to find out which system logger you have installed (those are the three main alternatives), and from there we can try to configure it.

----------

## RaceTM

hey again,

Thanks for the reply. It looks like metalog is installed, so I opened up the config file and based on the syntax I saw, I created a new entry for the sftp-server process. Everything looks good, a new log file has been created where I specified which has all of the information I am looking for.

Thanks for your help!!

/etc/metalog.conf:

```
SFTP Server :
  program = "sftp-server"
  logdir  = "/var/log/sftpd"
```

Last edited by RaceTM on Mon Apr 16, 2007 1:23 am; edited 1 time in total

----------

## RaceTM

Ok so it looks like this issue isn't as closed as it appeared.

Logging is working, but only for one user. And the user it's working for is my regular user account. Now the only difference between my account and other accounts is that my account is a regular one while the others are chrooted into a jail directory.

My default shell is bash, while the others' default 'shell' is rssh. I created a test user, and I have been playing around with permissions and other stuff, but nothing seems to be doing any good. Nothing is logged in the sftpd directory except for actions by my main user account, which is sort of useless to be honest!  :Very Happy: 

----------

## timeBandit

Did you try creating a /var/log/sftpd directory (based on your configuration, above) inside the jail, with appropriate permissions?

----------

## RaceTM

Yep I just gave that a try, I created the path var/log/sftpd, all with permissions 0777, to no avail. Also, I would prefer not to have these logs available to the users  :Very Happy: 

----------

## RaceTM

Well I have been playing with this over the past few days, and I have not been able to make any progress.

Any suggestions would be very much appreciated  :Very Happy: 

----------

## RaceTM

The issue has been resolved, I will post some more information about the solution as soon as I get the chance.  Thanks for your help timebandit  :Very Happy: 

edit: first post has been appended with the solution.

----------