I am currently using auditd to log TTY activity for users that are SSH'd into my system. However, SFTP sessions are not logged in this way. Is there a way to log them using auditd or will I need to use a separate logger for SFTP?
You can log SFTP sessions / activity (example below), but the log messages will be written to /var/log/messages.
I don't know if you can configure auditd to "scan" the /var/log/messages file after that, but here it goes:
vi /etc/ssh/sshd_config
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Change this to
Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTH -l INFO
service sshd restart
The INFO logging level provides detailed information regarding file transfers, permission changes, etc. If you need more info, you can use: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.

MTIhai
I've found the logging from SFTP to be a little lackluster but if this is the best way I'll work with it. – Davis Yoshida Nov 20 '14 at 17:12
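
An added example, not part of the answer or comment above: once sftp-server logs at INFO, its per-file lines identify the session only by PID, so attributing a transfer to a user means joining them to that PID's "session opened" line. The message formats and sample lines below are constructed assumptions about sftp-server's INFO output, and `correlate` is a hypothetical helper name.

```python
import re

# Constructed sample lines; the syslog prefix and messages are assumed formats.
SAMPLE = '''\
Nov 20 17:01:02 host sftp-server[4211]: session opened for local user alice from [192.0.2.10]
Nov 20 17:01:03 host sftp-server[4290]: session opened for local user bob from [198.51.100.7]
Nov 20 17:01:05 host sftp-server[4211]: open "/home/alice/report.csv" flags READ mode 0666
Nov 20 17:01:05 host sftp-server[4211]: close "/home/alice/report.csv" bytes read 2048 written 0
Nov 20 17:01:09 host sftp-server[4290]: open "/srv/in/a b.bin" flags WRITE,CREATE,TRUNCATE mode 0644
Nov 20 17:01:11 host sftp-server[4290]: close "/srv/in/a b.bin" bytes read 0 written 5120
Nov 20 17:01:12 host sftp-server[4290]: remove name "/srv/in/old.bin"
Nov 20 17:01:13 host sshd[4200]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Nov 20 17:01:14 host sftp-server[4211]: session closed for local user alice from [192.0.2.10]
Nov 20 17:01:20 host sftp-server[5000]: remove name "/tmp/x"
'''

# Message formats below are assumptions about sftp-server's INFO output.
LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]+) \S+ sftp-server\[(\d+)\]: (.*)$')
OPENED = re.compile(r'session opened for local user (\S+) from \[(.+)\]$')
CLOSED = re.compile(r'session closed for local user ')
XFER = re.compile(r'close "(.*)" bytes read (\d+) written (\d+)$')
REMOVE = re.compile(r'remove name "(.*)"$')

def correlate(text):
    """Return one record per transfer/delete, attributed to a user via the PID."""
    sessions, events = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sftp-server line (e.g. sshd)
        ts, pid, msg = m.groups()
        if (o := OPENED.match(msg)):
            sessions[pid] = (o.group(1), o.group(2))
        elif CLOSED.match(msg):
            sessions.pop(pid, None)  # PIDs get reused; drop the mapping
        elif (x := XFER.match(msg)):
            rd, wr = int(x.group(2)), int(x.group(3))
            action = "upload" if wr else "download" if rd else "empty"
            user, ip = sessions.get(pid, ("unknown", "unknown"))
            events.append((ts, user, ip, action, x.group(1), rd + wr))
        elif (r := REMOVE.match(msg)):
            user, ip = sessions.get(pid, ("unknown", "unknown"))
            events.append((ts, user, ip, "delete", r.group(1), 0))
    return events

if __name__ == "__main__":
    for e in correlate(SAMPLE):
        print(*e, sep=" | ")
```

An event that comes back as "unknown" means its session start was not in the input, for example because it was rotated out of the file being read.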