I am setting up an SFTP service with multiple EC2 instances for High Availability on AWS with a common EFS Share (mounted at `/efs/sftp`).
```
        ,--------,
        |        |
        |  SFTP  |-------,
-----   |________|       |      ,-----------------,
| NLB |                  |      |                 |
-----                    |------| EFS (/efs/sftp) |
        ,--------,       |      |_________________|
        |        |       |
        |  SFTP  |-------'
        |________|
```
I am using chroot with SFTP to force users to only have access to `/efs/sftp`. For the chroot'ed activities to be logged I have created `/efs/sftp/dev` and inside that I have configured an rsyslog socket using `imuxsock` (`/efs/sftp/dev/log`).
I am mostly following this blog to configure my SFTP server. (https://www.the-art-of-web.com/system/sftp-logging-chroot/).
One problem with the setup is that, since both servers have identical configuration (for `rsyslog`, `sftp`), both rsyslog instances would get logs from `/efs/sftp/dev/log`. The rsyslog instance in which the socket was created is the only one able to log the activities in chroot. Wouldn't both the servers write the same logs into `/var/log/sftp.log`?
The logs from these instances (`/var/log/sftp.log`) are streamed to centralised logging servers (Splunk) and would eventually have duplicates.
What's the best option to avoid this duplication? What is the best way to get logs from chroot SFTP activity on both the servers?
Edit: I tried this today and found that only one server is able to get the logs. Updated the question.
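An added diagnostic, not part of the question above and not from the linked blog: run it on each SFTP host to see whether the *local* rsyslog actually holds the `imuxsock` listener at `/efs/sftp/dev/log`. A unix-domain socket inode on a shared filesystem is only connectable on the host whose process bound it, so the host where this check finds no local listener is the one whose chroot'ed `sftp-server` logs are lost. It assumes iproute2 `ss` is installed and that the script runs as root (needed for `-p` process info).

```sh
#!/bin/sh
# Added diagnostic for the question's setup: is the LOCAL rsyslog bound to the
# chroot syslog socket on the shared EFS mount? Run on every SFTP host.

# Given `ss -xlp` output on stdin, print the PID of the process bound to the
# unix socket path $1 (5th column, "Local Address"); prints nothing if none.
listener_pid() {
    awk -v path="$1" '
        $5 == path {
            # process column looks like: users:(("rsyslogd",pid=4321,fd=7))
            if (match($0, /pid=[0-9]+/)) {
                print substr($0, RSTART + 4, RLENGTH - 4)
                exit
            }
        }'
}

# Returns 0 if a local process serves the socket, 1 if the socket file exists
# but nothing on this host is bound to it, 2 if the path is not a socket.
check_socket() {
    path="$1"
    if [ ! -S "$path" ]; then
        echo "$path: not a socket (or not present on this host)"
        return 2
    fi
    pid=$(ss -xlp 2>/dev/null | listener_pid "$path")
    if [ -z "$pid" ]; then
        echo "$path exists but no local process is bound to it:" \
             "chroot'ed sftp-server on this host cannot deliver its log messages"
        return 1
    fi
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    echo "$path is served locally by pid $pid ($cmd)"
    return 0
}

# Usage: sh check-sftp-log-socket.sh /efs/sftp/dev/log
if [ -n "${1:-}" ]; then
    check_socket "$1"
fi
```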