shanetexas
asked on
How to enable SFTP logging in AIX?
I need to be able to log sftp commands with the same level of verbosity I log ftp commands. That is, what file a user if ftp'ng, did they delete and files during their sftp session, and so on. Any help would be appreciated, thanks!
File levels below:
openssh.base.client 5.0.0.5301 COMMITTED Open Secure Shell Commands
openssh.base.client 5.0.0.5301 COMMITTED Open Secure Shell Commands
openssh.base.server 5.0.0.5301 COMMITTED Open Secure Shell Server
openssh.base.server 5.0.0.5301 COMMITTED Open Secure Shell Server
openssh.license 5.0.0.5301 COMMITTED Open Secure Shell License
openssh.man.en_US 5.0.0.5301 COMMITTED Open Secure Shell
openssl.base 0.9.8.802 COMMITTED Open Secure Socket Layer
openssl.base 0.9.8.802 COMMITTED Open Secure Socket Layer
openssl.license 0.9.8.802 COMMITTED Open Secure Socket License
openssl.man.en_US 0.9.8.802 COMMITTED Open Secure Socket Layer
File levels below:
openssh.base.client 5.0.0.5301 COMMITTED Open Secure Shell Commands
openssh.base.client 5.0.0.5301 COMMITTED Open Secure Shell Commands
openssh.base.server 5.0.0.5301 COMMITTED Open Secure Shell Server
openssh.base.server 5.0.0.5301 COMMITTED Open Secure Shell Server
openssh.license 5.0.0.5301 COMMITTED Open Secure Shell License
openssh.man.en_US 5.0.0.5301 COMMITTED Open Secure Shell
openssl.base 0.9.8.802 COMMITTED Open Secure Socket Layer
openssl.base 0.9.8.802 COMMITTED Open Secure Socket Layer
openssl.license 0.9.8.802 COMMITTED Open Secure Socket License
openssl.man.en_US 0.9.8.802 COMMITTED Open Secure Socket Layer
ASKER
I did everything you said but now I cant connect via sftp.
I get SFTP Connection Error.
When I remove the additional -f INFO -l AUTH from the
Subsystem sftp /usr/sbin/sftp-server
entry in /etc/ssh/sshd_config it connects?
Shane
I get SFTP Connection Error.
When I remove the additional -f INFO -l AUTH from the
Subsystem sftp /usr/sbin/sftp-server
entry in /etc/ssh/sshd_config it connects?
Shane
Well,
it's -l INFO -f AUTH
it's -l INFO -f AUTH
ASKER
Ok, I've got it logging but the detail is nothing more than showing I logged in:
Apr 15 13:44:08 tech9 auth|security:info sshd[380998]: Accepted password for root from 10.150.71.15 port 2732 ssh2
Apr 15 13:44:08 tech9 auth|security:info sshd[380998]: subsystem request for sftp
Is there a way I can capture the names of the files the users are sftp'ng?
Shane
Apr 15 13:44:08 tech9 auth|security:info sshd[380998]: Accepted password for root from 10.150.71.15 port 2732 ssh2
Apr 15 13:44:08 tech9 auth|security:info sshd[380998]: subsystem request for sftp
Is there a way I can capture the names of the files the users are sftp'ng?
Shane
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
/etc/ssh/sshd_config
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
&
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server -l INFO -f AUTH
/etc/syslog.conf
auth.info /var/log/auth.log
ls -l /var/log/auth.log
-rw-rw-rw- 1 root system 0 Apr 15 14:53 /var/log/auth.log
#refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
#stopsrc -s sshd ; sleep 5 ; startsrc -s sshd ; lssrc -g ssh
0513-044 The sshd Subsystem was requested to stop.
0513-059 The sshd Subsystem has been started. Subsystem PID is 377040.
Subsystem Group PID Status
sshd ssh 377040 active
For some reason it works now!!!
Apr 15 15:00:54 tech9 auth|security:info sshd[385140]: Accepted password for root from 10.150.71.15 port 2947 ssh2
Apr 15 15:00:54 tech9 auth|security:info sshd[385140]: subsystem request for sftp
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: session opened for local user root from [10.150.71.15]
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: opendir "/home/root"
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: closedir "/home/root"
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: sent status No such file
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: sent status No such file
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: open "/home/root/shane.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: close "/home/root/shane.txt" bytes read 0 written 179
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: set "/home/root/shane.txt" modtime 20090414-10:57:24
Apr 15 15:01:29 tech9 auth|security:info sftp-server[372900]: rename old "/home/root/shane.txt" new "/home/root/asdfshane.txt"
Apr 15 15:01:38 tech9 auth|security:info sftp-server[372900]: remove name "/home/root/asdfshane.txt"
Apr 15 15:01:38 tech9 auth|security:info sftp-server[372900]: opendir "/home/root/"
Apr 15 15:01:39 tech9 auth|security:info sftp-server[372900]: closedir "/home/root/"
Apr 15 15:01:47 tech9 auth|security:info sftp-server[372900]: session closed for local user root from [10.150.71.15]
Thank you very much!!!
Shane
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
&
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server -l INFO -f AUTH
/etc/syslog.conf
auth.info /var/log/auth.log
ls -l /var/log/auth.log
-rw-rw-rw- 1 root system 0 Apr 15 14:53 /var/log/auth.log
#refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
#stopsrc -s sshd ; sleep 5 ; startsrc -s sshd ; lssrc -g ssh
0513-044 The sshd Subsystem was requested to stop.
0513-059 The sshd Subsystem has been started. Subsystem PID is 377040.
Subsystem Group PID Status
sshd ssh 377040 active
For some reason it works now!!!
Apr 15 15:00:54 tech9 auth|security:info sshd[385140]: Accepted password for root from 10.150.71.15 port 2947 ssh2
Apr 15 15:00:54 tech9 auth|security:info sshd[385140]: subsystem request for sftp
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: session opened for local user root from [10.150.71.15]
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: opendir "/home/root"
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: closedir "/home/root"
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: sent status No such file
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: sent status No such file
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: open "/home/root/shane.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: close "/home/root/shane.txt" bytes read 0 written 179
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: set "/home/root/shane.txt" modtime 20090414-10:57:24
Apr 15 15:01:29 tech9 auth|security:info sftp-server[372900]: rename old "/home/root/shane.txt" new "/home/root/asdfshane.txt"
Apr 15 15:01:38 tech9 auth|security:info sftp-server[372900]: remove name "/home/root/asdfshane.txt"
Apr 15 15:01:38 tech9 auth|security:info sftp-server[372900]: opendir "/home/root/"
Apr 15 15:01:39 tech9 auth|security:info sftp-server[372900]: closedir "/home/root/"
Apr 15 15:01:47 tech9 auth|security:info sftp-server[372900]: session closed for local user root from [10.150.71.15]
Thank you very much!!!
Shane
ASKER
Thank you for your time and help!
You're very welcome! Thx for the points. I think the clue was the refresh of syslogd!
Cheers and good luck,
Wmp
Cheers and good luck,
Wmp
in /etc/ssh/sshd_config uncomment the 'Subsystem' line, and
change '/usr/sbin/sftp-server' to '/usr/sbin/sftp-server -l [loglevel] -f [log-facility]'
where [loglevel] is the setting you made in sshd_config for LogLevel (default: INFO)
and [log-facility] is the setting you made in sshd_config for SyslogFacility (default: AUTH). e.g.
Subsystem sftp /usr/sbin/sftp-server -l info -f auth
Next, edit /etc/syslog.conf (if you didn't do that already) and add a line
auth.info /path/to/logfile
e.g.
auth.info /var/log/auth.log
Now issue 'touch /path/to/logfile', e.g. 'touch /var/log/auth.log' and
restart sshd and syslogd by issuing
refresh -s syslogd
and
stopsrc -s sshd ; startsrc -s sshd
Take care that /usr/sbin/sftp-server is executable (I saw systems where it wasn't by default) by issuing
chmod +x /usr/sbin/sftp-server
Now you should see entries arriving in your logfile.
Cheers
wmp