How to enable SFTP logging in Linux
Here are the steps necessary in order to have the SFTP subsystem of the SSH (secure shell) daemon log operations on disk.
1. edit /etc/ssh/sshd_confing and look for the line:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Uncomment it and update it as follows:
Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f LOCAL6
-l INFO instructs the sftp server subsystem of the sshd daemon to log events, while -f LOCAL6 tells it to use the corresponding facility code
2. edit /etc/rsyslog.conf and add the following rule:
# Save sftp-server mesages to sftp.log local6.* /var/log/sftp.log
3. restart the sshd and the rsyslog demons (/etc/init.d/sshd restart and /etc/init.d/rsyslogd restart — specific command might vary based on your Linux distro, and of course you need to be root or use “su” in order to issue them)
Moving forward sftp actions will be logged in /var/log/sftp.log
For specifics on the sftp server log options and type of messages logged see the related man page.