
I am trying to collect additional operation logging from my sftp server. I have added the following lines to /etc/ssh/sshd_config, as instructed by many posts on the internet:

Subsystem sftp internal-sftp -l VERBOSE -f LOCAL6

Match Group sftponly
    ChrootDirectory /data/%u
    ForceCommand internal-sftp -l VERBOSE -f LOCAL6
    X11Forwarding no
    AllowTcpForwarding no

Then I created /etc/rsyslog.d/60-sftp.conf with the following lines to collect the logging info:

# Write everything logged at facility LOCAL6 (local6.* matches every level, not only INFO) to /var/log/sftp
local6.* /var/log/sftp

# Report logins and logoffs
:syslogtag,startswith,"internal-sftp" /var/log/sftp

# Log internal-sftp in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp

At this point I can't seem to get any logging to make it to /var/log/sftp, it is all continuing to go to /var/log/messages and does not seem to be verbose at all. Here is a snippet of all I am getting:

Sep 28 16:46:11 ftp sshd[10060]: Accepted publickey for root from 172.25.50.117 port 54836 ssh2
Sep 28 16:46:11 ftp sshd[10060]: Received disconnect from 172.25.50.117: 11: disconnected by user
Sep 28 16:46:16 ftp sshd[10109]: Accepted keyboard-interactive/pam for account1000002664 from 172.25.50.86 port 34255 ssh2

I have verified that the system is running rsyslogd by running:

ftp:~ # ps ax | grep syslog
 9205 ?        Sl     0:00 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf

So, as far as I can tell, I am editing the correct files. I figure the next step is ensuring that the expected logs are being sent to local6. The goal here is to get the data necessary to output a log similar, if not exactly like the xferlog created by vsftpd.

Anyone out there have any thoughts about how to proceed? As a side note, this is running on openSUSE 12.1.

Shiquemano
  • Just to cover the obvious, you did bounce (restart) service rsyslog after editing config, or at least HUP a version that supports it, right? Try `logger -p local6.info anytext` and see if (and where) that comes out. – dave_thompson_085 Sep 29 '15 at 06:29
  • Yes, I did do all the restarts necessary (rsyslogd, sshd). I ran `logger -p local6.info anytext` and, interestingly, that did properly make it to /var/log/sftp and nowhere else – Shiquemano Sep 29 '15 at 16:09
  • I was wrong, the logger call created output in /var/log/messages as well – Shiquemano Sep 29 '15 at 16:17

1 Answer

You need to have the logging socket (/dev/log) in chroot, if you want to log through it, or you need to implement a way of persisting file descriptor over the internal-sftp execution.

It should work on current RHEL (at least we tested it and it is documented), but I don't have knowledge about SUSE.

Maybe this feature is not completely implemented there, but you can always create the socket in the chroot and set up rsyslog to accept messages on this socket. You can test it with logger as proposed in the comments.

Jakuje
  • I tried to follow the doc you referenced to create that logging socket. Is it just adding `input(type="imuxsock" Socket="/chroots/user/dev/log" CreatePath="on")` to my /etc/rsyslog.d/60-sftp.conf? If so, that does not seem to be working or I am doing it wrong. – Shiquemano Sep 29 '15 at 16:20
  • I'm still at a loss as to why I don't seem to be seeing any verbose information in /var/log/messages, at least. – Shiquemano Sep 29 '15 at 16:22
  • certainly you need to change at least the paths to the socket according to your setup, so no `/chroots/`, but you have `/data/`. Then you need to make sure if the socket is really created after `rsyslog` restart and if so, you should try the `logger` thing. – Jakuje Sep 29 '15 at 16:57
  • Do I need to have a socket for each user directory? I would prefer not to have to do that, if possible. Or, is this a global socket, like /data/dev/log? – Shiquemano Sep 29 '15 at 17:09
  • It depends on whether you have one chroot or a separate chroot for each user. The possibility without log sockets is also described there, but it may not work in every environment. – Jakuje Sep 29 '15 at 17:11
  • I ended up building a new FTP server. The logging of operations over sftp is still crap, but with a bit of post-processing I was able to get the data I needed in a decent format. It looks like the server I was trying to get the logging out of was just on too old a version. – Shiquemano Oct 02 '15 at 20:42
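The mechanism behind the answer, as an added example that is not code from the question, the answer, OpenSSH or rsyslog: a Python 3 script in which a unix datagram socket bound at <chroot>/dev/log stands in for rsyslog's imuxsock listener, a second socket stands in for a chrooted internal-sftp calling syslog(3), and a small filter mirrors the asker's local6.* / programname rules. It shows why nothing reaches any log when the socket is missing (the send fails with ENOENT and libc drops the line silently), that the check is simply "is <chroot>/dev/log a socket", and it renders one imuxsock input per user chroot for a ChrootDirectory of /data/%u. The base path /data, the user names alice and bob, the timestamp and every sample message are constructed for this example (the message shapes follow sftp-server's verbose lines but were not captured from the asker's server); the datagram layout assumed is the RFC 3164 / glibc one.

```python
import os
import re
import socket
import stat
import tempfile

LOCAL6 = 22     # syslog facility number of local6 (RFC 5424 section 6.2.1)
AUTHPRIV = 10   # facility sshd itself logs to by default
INFO = 6        # severity "info"
TIMESTAMP = "Sep 28 16:46:16"  # constructed; glibc's syslog(3) inserts the real time here

# <PRI>[timestamp ]programname[pid]: message  (RFC 3164 / glibc layout, assumed)
PRI_RE = re.compile(
    r"<(\d{1,3})>(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )?([^\[\s:]+)(?:\[(\d+)\])?: (.*)", re.S)


def chroot_has_log_socket(chroot_dir):
    """internal-sftp runs after chroot(2), so the only /dev/log it can reach is
    <chroot>/dev/log. True only if that path exists and is a unix socket."""
    try:
        return stat.S_ISSOCK(os.stat(os.path.join(chroot_dir, "dev", "log")).st_mode)
    except OSError:
        return False


def imuxsock_inputs(base, users):
    """One rsyslog imuxsock input per user chroot: ChrootDirectory /data/%u gives
    every user a separate root, hence a separate socket for rsyslog to listen on."""
    return "\n".join(
        'input(type="imuxsock" Socket="%s" CreatePath="on")'
        % os.path.join(base, user, "dev", "log") for user in users)


def encode(facility, severity, tag, pid, msg):
    """The datagram syslog(3) writes to /dev/log for one log call."""
    return ("<%d>%s %s[%d]: %s" % (facility * 8 + severity, TIMESTAMP, tag, pid, msg)).encode()


def decode(data):
    """Split a /dev/log datagram into the fields rsyslog filters on."""
    m = PRI_RE.match(data.decode("utf-8", "replace"))
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "programname": m.group(2), "pid": m.group(3), "msg": m.group(4)}


def route(rec):
    """Same selection as the asker's rules: local6.* or programname internal-sftp
    goes to the sftp log, everything else to messages."""
    if rec["facility"] == LOCAL6 or rec["programname"] == "internal-sftp":
        return "/var/log/sftp"
    return "/var/log/messages"


def run_demo():
    """Reproduce the symptom and the fix in a throwaway directory standing in for
    /data/<user>. Message texts are constructed for this example."""
    chroot = tempfile.mkdtemp(prefix="sftp-chroot-")
    os.mkdir(os.path.join(chroot, "dev"))
    sock_path = os.path.join(chroot, "dev", "log")
    before = chroot_has_log_socket(chroot)

    # Symptom: no /dev/log inside the chroot, so the sendto() behind syslog(3)
    # fails with ENOENT and libc drops the line without reporting anything.
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        client.sendto(encode(LOCAL6, INFO, "internal-sftp", 10109, "lost line"), sock_path)
        dropped = False
    except OSError:
        dropped = True

    # Fix: what imuxsock does for Socket="<chroot>/dev/log": bind a datagram socket there.
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    server.bind(sock_path)
    server.settimeout(2)
    after = chroot_has_log_socket(chroot)

    samples = [
        encode(LOCAL6, INFO, "internal-sftp", 10109,
               "session opened for local user account1000002664 from [172.25.50.86]"),
        encode(LOCAL6, INFO, "internal-sftp", 10109,
               'open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644'),
        encode(AUTHPRIV, INFO, "sshd", 10109,
               "Accepted keyboard-interactive/pam for account1000002664 from 172.25.50.86 port 34255 ssh2"),
    ]
    for datagram in samples:
        client.sendto(datagram, sock_path)
    routed = []
    for _ in samples:
        rec = decode(server.recv(4096))
        routed.append((route(rec), rec["programname"], rec["msg"]))

    client.close(); server.close()
    os.unlink(sock_path); os.rmdir(os.path.join(chroot, "dev")); os.rmdir(chroot)
    return {"before": before, "dropped": dropped, "after": after, "routed": routed}


if __name__ == "__main__":
    print(imuxsock_inputs("/data", ["alice", "bob"]))  # hypothetical user names
    for key, value in run_demo().items():
        print(key, value)
```

On the real server the same two checks apply after restarting rsyslog: `ls -l /data/<user>/dev/log` must show a socket (type `s`), and `logger -u /data/<user>/dev/log -p local6.info test` run from outside the chroot should land in /var/log/sftp. If the rsyslog shipped with that openSUSE release predates the `input(...)` syntax, the legacy imuxsock form of each stanza is `$AddUnixListenSocket /data/<user>/dev/log`.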