Adriano Chiaretta

How to enable SFTP logging in Linux

Here are the steps necessary in order to have the SFTP subsystem of the SSH (secure shell) daemon log operations on disk.

1. edit /etc/ssh/sshd_confing and look for the line:

#Subsystem     sftp     /usr/libexec/openssh/sftp-server

Uncomment it and update it as follows:

Subsystem     sftp     /usr/libexec/openssh/sftp-server -l INFO -f LOCAL6

-l INFO instructs the sftp server subsystem of the sshd daemon to log events, while -f LOCAL6 tells it to use the corresponding facility code

2. edit /etc/rsyslog.conf and add the following rule:

# Save sftp-server mesages to sftp.log
local6.*                                                /var/log/sftp.log

3. restart the sshd and the rsyslog demons (/etc/init.d/sshd restart and /etc/init.d/rsyslogd restart — specific command might vary based on your Linux distro, and of course you need to be root or use “su” in order to issue them)

Moving forward sftp actions will be logged in /var/log/sftp.log

For specifics on the sftp server log options and type of messages logged see the related man page.

Leave a Comment