SFTP Logging
By default, there are two log files for SFTP Gateway:
/var/log/secure: This logs authentication attempts, as well as SFTP audit logging
/var/log/movetos3/movetos3.log: This logs file events in watched directories (i.e. uploads)
You might want to log the SFTP activity, such as traversing folders, uploading files via SFTP, and recording file sizes.
To do this, edit the sshd_config file:
vi /etc/ssh/sshd_config
and change this line:
ForceCommand internal-sftp
to this:
ForceCommand internal-sftp -l INFO
To apply your changes, restart sshd:
service sshd restart
Now within /var/log/secure, you should see SFTP-related logging information:
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: Accepted publickey for robtest from 71.179.98.86 port 56155 ssh2: RSA SHA256:4+Yc4RpsQuxF55NdRCGwCKHHcKqXfvKf/gm9Q89/aH8
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: pam_unix(sshd:session): session opened for user robtest by (uid=0)
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: session opened for local user robtest from [71.179.98.86] [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: opendir "/local" [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: closedir "/local" [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: open "/local/Installer.pkg" flags WRITE,CREATE,TRUNCATE mode 0100644 [postauth]
Mar 20 21:07:42 ip-172-31-0-92 sshd[27990]: close "/local/Installer.pkg" bytes read 0 written 17844019 [postauth]
Mar 20 21:07:43 ip-172-31-0-92 sshd[27990]: opendir "/local" [postauth]
Mar 20 21:07:43 ip-172-31-0-92 sshd[27990]: closedir "/local" [postauth]
Here, you can see that robtest logged in, and any actions logged by process 27990 are tied to this user.
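The correlation described above (the sshd PID ties the "Accepted" line, the session line and every later open/close to one user) is what an audit script has to reproduce. The following is an added example, not part of the SFTP Gateway documentation or product: it parses lines in the format shown above, groups them by PID, pairs each "open" with its "close" so that bytes written can be attributed to an upload by a named user and source address, and tolerates lines that are not from sshd (sudo and others also write to /var/log/secure) as well as a "close" whose "open" was lost to log rotation. The sample log embedded in the block is a constructed copy of the lines on this page; the function and class names are my own.

```python
"""Correlate sftp-server audit lines (ForceCommand internal-sftp -l INFO) by sshd PID."""
import re
from dataclasses import dataclass, field

# Constructed sample: a copy of the /var/log/secure excerpt shown on this page.
SAMPLE_LOG = """\
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: Accepted publickey for robtest from 71.179.98.86 port 56155 ssh2: RSA SHA256:4+Yc4RpsQuxF55NdRCGwCKHHcKqXfvKf/gm9Q89/aH8
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: pam_unix(sshd:session): session opened for user robtest by (uid=0)
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: session opened for local user robtest from [71.179.98.86] [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: opendir "/local" [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: closedir "/local" [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: open "/local/Installer.pkg" flags WRITE,CREATE,TRUNCATE mode 0100644 [postauth]
Mar 20 21:07:42 ip-172-31-0-92 sshd[27990]: close "/local/Installer.pkg" bytes read 0 written 17844019 [postauth]
Mar 20 21:07:43 ip-172-31-0-92 sshd[27990]: opendir "/local" [postauth]
Mar 20 21:07:43 ip-172-31-0-92 sshd[27990]: closedir "/local" [postauth]
"""

# Syslog prefix: timestamp, host, "sshd[<pid>]: ", then the message we dispatch on.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
LOCAL_USER_RE = re.compile(r"^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]")
OPEN_RE = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode (?P<mode>\d+)')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')


@dataclass
class Transfer:
    path: str
    flags: str            # e.g. "WRITE,CREATE,TRUNCATE"; "UNKNOWN" if the open line was not seen
    bytes_read: int
    bytes_written: int
    closed_at: str


@dataclass
class Session:
    pid: str
    user: str = "?"
    source_ip: str = "?"
    auth_method: str = "?"
    transfers: list = field(default_factory=list)
    pending_opens: dict = field(default_factory=dict)  # path -> flags, until the matching close


def parse_sftp_log(text):
    """Return {pid: Session} built from sshd lines; non-sshd lines are ignored."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # sudo, cron and friends also log to /var/log/secure
        pid, msg, ts = m["pid"], m["msg"], m["ts"]
        s = sessions.setdefault(pid, Session(pid))
        if a := ACCEPT_RE.match(msg):
            s.user, s.source_ip, s.auth_method = a["user"], a["ip"], a["method"]
        elif lu := LOCAL_USER_RE.match(msg):
            # Fallback if the Accepted line predates the log window (rotation).
            if s.user == "?":
                s.user, s.source_ip = lu["user"], lu["ip"]
        elif o := OPEN_RE.match(msg):
            s.pending_opens[o["path"]] = o["flags"]
        elif c := CLOSE_RE.match(msg):
            flags = s.pending_opens.pop(c["path"], "UNKNOWN")
            s.transfers.append(Transfer(c["path"], flags, int(c["read"]), int(c["written"]), ts))
    return sessions


def uploads_by_user(sessions):
    """Total bytes written per user over files that were opened with WRITE."""
    totals = {}
    for s in sessions.values():
        for t in s.transfers:
            if "WRITE" in t.flags.split(","):
                totals[s.user] = totals.get(s.user, 0) + t.bytes_written
    return totals


if __name__ == "__main__":
    parsed = parse_sftp_log(SAMPLE_LOG)
    for sess in parsed.values():
        print(f"pid {sess.pid}: {sess.user} from {sess.source_ip} via {sess.auth_method}")
        for t in sess.transfers:
            print(f"  {t.closed_at} {t.path} flags={t.flags} written={t.bytes_written}")
    print(uploads_by_user(parsed))
```

Feed it the real file with `parse_sftp_log(open("/var/log/secure").read())`; because everything hangs off the PID, a "close" with flags UNKNOWN is the signal that the corresponding "open" was in a rotated-out file rather than evidence of tampering.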
Chroot and imuxsock
For logging in a chroot environment, you might see a lot of articles requiring that you create a socket for each user. While this approach also works, this level of complexity isn't required for every scenario. This is because Red Hat (SFTP Gateway is based on Amazon Linux) supports logging with chroot. See here.