# sftpd logs not appearing

## ultrachrome

Found lots of sftpd logging how-tos for chrooted users but I'm just trying to enable it for normal users. I see sshd events in the log but no sftpd.

Thought issue might be metalog so I switched to syslog-ng. Same problem.

```
Subsystem       sftp    /usr/lib/misc/sftp-server -f AUTH -l INFO
```

Flailing at this point, I tried -f USER. I even commented out SyslogFacility and LogLevel lines but sshd events still appear in /var/log/messages while sftpd do not.

syslog-ng.conf

```
@version: 3.7

# $Id$

#

# Syslog-ng default configuration file for Gentoo Linux

# https://bugs.gentoo.org/show_bug.cgi?id=426814

@include "scl.conf"

options {

        threaded(yes);

        chain_hostnames(no);

        # The default action of syslog-ng is to log a STATS line

        # to the file every 10 minutes.  That's pretty ugly after a while.

        # Change it to every 12 hours so you get a nice daily update of

        # how many messages syslog-ng missed (0).

        stats_freq(43200);

        # The default action of syslog-ng is to log a MARK line

        # to the file every 20 minutes.  That's seems high for most

        # people so turn it down to once an hour.  Set it to zero

        # if you don't want the functionality at all.

        mark_freq(3600);

};

source src { system(); internal(); };

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...

destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole

# you can comment out the destination line above that references /dev/tty12

# and uncomment the line below.

#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };

log { source(src); destination(console_all); };
```

----------

## miroR

 *ultrachrome wrote:*   

> Found lots of sftpd logging how-tos for chrooted users but I'm just trying to enable it for normal users. I see sshd events in the log but no sftpd.
> 
> Thought issue might be metalog so I switched to syslog-ng. Same problem.
> 
> ```
> ...

 

I use, from my syslog-ng, only basic functionality (and surely I don't deploy sftpd), and if you don't have a grsec-hardened kernel, maybe this has no relation with your issue, but still, you check up the stuff in my topic:

Syslog-ng from Delay Logging to BrokenPipe/no Logging

https://forums.gentoo.org/viewtopic-t-1001994-highlight-.html

as none, I repeat none version of syslog-ng has worked for me with my, also worth stressing grsec-hardened kernel machines, after:

```

app-admin/syslog-ng-3.4.8

```

See the topic backward, maybe best:

https://forums.gentoo.org/viewtopic-t-1001994.html#7838704

Cheers!

----------

## ultrachrome

Thanks. Not sure what happened but it suddenly started working. Today, I got logging working for chrooted users as well. So all is good.

----------

## kikko

Hi ultrachrome

using default syslog-ng configuration, you can get messages from sftp-server subsystem

imho, INFO level is too low, that's why you don't get anything in your messages

I've set 

```
Subsystem       sftp    /usr/lib64/misc/sftp-server -l DEBUG

```

(-f AUTH is the default value, thus it's redundant)

and something more verbose appear in /var/log/messages:

```
Nov 24 23:15:00 seireitei sshd[32385]: Accepted publickey for kikko from ::1 port 35642 ssh2: my key is not the point

Nov 24 23:15:00 seireitei sshd[32385]: pam_unix(sshd:session): session opened for user kikko by (uid=0)

Nov 24 23:15:00 seireitei sftp-server[32390]: session opened for local user kikko from [::1]

Nov 24 23:15:00 seireitei sftp-server[32390]: received client version 3

Nov 24 23:15:00 seireitei sftp-server[32390]: realpath "."

Nov 24 23:15:00 seireitei sftp-server[32390]: debug1: request 1: sent names count 1

Nov 24 23:15:12 seireitei sftp-server[32390]: opendir "/home/kikko"

Nov 24 23:15:12 seireitei sftp-server[32390]: debug1: request 2: sent handle handle 0

Nov 24 23:15:12 seireitei sftp-server[32390]: debug1: request 3: readdir "/home/kikko" (handle 0)

Nov 24 23:15:12 seireitei sftp-server[32390]: debug1: request 3: sent names count 54

Nov 24 23:15:12 seireitei sftp-server[32390]: debug1: request 4: readdir "/home/kikko" (handle 0)

Nov 24 23:15:12 seireitei sftp-server[32390]: sent status End of file

Nov 24 23:15:12 seireitei sftp-server[32390]: closedir "/home/kikko"

Nov 24 23:15:12 seireitei sftp-server[32390]: sent status Success
```

As you see, authentication is done by sshd (which binds the port 22, btw) and "hands over" sftp requests to the sftp-server process

Regards

----------

