How to enable SFTP logging in AIX?

Posted on 2009-04-15
Last Modified: 2013-11-17
I need to be able to log sftp commands with the same level of verbosity I log ftp commands. That is, what file a user is ftp'ing, did they delete any files during their sftp session, and so on. Any help would be appreciated, thanks!

File levels below:
  openssh.base.client     5.0.0.5301  COMMITTED  Open Secure Shell Commands
  openssh.base.client     5.0.0.5301  COMMITTED  Open Secure Shell Commands
  openssh.base.server     5.0.0.5301  COMMITTED  Open Secure Shell Server
  openssh.base.server     5.0.0.5301  COMMITTED  Open Secure Shell Server
  openssh.license         5.0.0.5301  COMMITTED  Open Secure Shell License
  openssh.man.en_US       5.0.0.5301  COMMITTED  Open Secure Shell
  openssl.base             0.9.8.802  COMMITTED  Open Secure Socket Layer
  openssl.base             0.9.8.802  COMMITTED  Open Secure Socket Layer
  openssl.license          0.9.8.802  COMMITTED  Open Secure Socket License
  openssl.man.en_US        0.9.8.802  COMMITTED  Open Secure Socket Layer

Question by:shanetexas
8 Comments
 
Expert Comment

by:woolmilkporc
ID: 24150293
Hi,

In /etc/ssh/sshd_config, uncomment the 'Subsystem' line and
change '/usr/sbin/sftp-server' to '/usr/sbin/sftp-server -l [loglevel] -f [log-facility]',
where [loglevel] is the setting you made in sshd_config for LogLevel (default: INFO)
and [log-facility] is the setting you made in sshd_config for SyslogFacility (default: AUTH), e.g.

Subsystem sftp /usr/sbin/sftp-server -l info -f auth

Next, edit /etc/syslog.conf (if you didn't do that already) and add a line

auth.info      /path/to/logfile

e.g.

auth.info /var/log/auth.log

Now issue 'touch /path/to/logfile', e.g. 'touch /var/log/auth.log' and

restart sshd and syslogd by issuing
refresh -s syslogd
and
stopsrc  -s sshd ; startsrc -s sshd

Take care that /usr/sbin/sftp-server is executable (I saw systems where it wasn't by default) by issuing

chmod +x /usr/sbin/sftp-server

Now you should see entries arriving in your logfile.

Cheers

wmp



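The procedure above has three parts that must agree with each other (the -l/-f values on the Subsystem line, the selector in syslog.conf, and an existing logfile), and the rest of this thread shows how easy it is to get one of them wrong. What follows is an added example, not code from the thread, from OpenSSH or from AIX: a POSIX sh checker that reads an sshd_config and a syslog.conf and reports whether sftp-server's file operations will actually reach a file. It relies on sftp-server's -l/-f options, on its built-in defaults when they are absent (facility AUTH, level ERROR) and on the level-to-syslog-priority mapping in OpenSSH's log.c; the config files it writes under $TMPDIR are constructed for the demonstration and the paths are arguments so it can be pointed at copies of the real files.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check sftp-server's -l/-f values
# in an sshd_config against a syslog.conf. Sample files are constructed.

# Print "facility level" (lower-case) from the active "Subsystem sftp" line
# of $1. sftp-server's own defaults when the options are absent are AUTH and
# ERROR, so a stock line yields "auth error": file operations are not logged.
sftp_log_options() {
    awk '
    /^[ \t]*Subsystem[ \t]+sftp[ \t]/ {
        facility = "auth"; level = "error"
        for (i = 1; i <= NF; i++) {
            if ($i == "-l") level = tolower($(i + 1))
            if ($i == "-f") facility = tolower($(i + 1))
        }
        print facility, level; found = 1; exit
    }
    END { if (!found) print "none none" }' "$1"
}

# Map the -l names sftp-server accepts to the syslog priority it logs with
# (OpenSSH log.c: FATAL->crit, ERROR->err, INFO and VERBOSE->info,
# DEBUG*->debug). Anything else makes sftp-server exit at startup, which is
# consistent with the swapped "-f INFO -l AUTH" (level "auth") failing above.
sftp_level_to_priority() {
    case "$1" in
        fatal) echo crit ;;
        error) echo err ;;
        info|verbose) echo info ;;
        debug|debug1|debug2|debug3) echo debug ;;
        *) return 1 ;;
    esac
}

# Print the syslog selector ("auth.info") that catches sftp-server's messages
# for sshd_config $1; fail if -l/-f hold values sftp-server does not accept.
sftp_syslog_selector() {
    set -- $(sftp_log_options "$1")
    case "$1" in
        auth|authpriv|daemon|user|local[0-7]) ;;
        *) return 1 ;;
    esac
    pri=$(sftp_level_to_priority "$2") || return 1
    echo "$1.$pri"
}

# Print the file that syslog.conf $1 routes selector $2 to, or nothing.
# Recognises an exact match, "facility.*" and "*.priority"; "a.b;c.none"
# lists are split on ";". A lower-priority selector (auth.debug) would also
# capture the messages but is deliberately not counted as a match.
syslog_target() {
    awk -v want="$2" '
    BEGIN { fac = want; sub(/\..*/, "", fac); pri = want; sub(/.*\./, "", pri) }
    /^[ \t]*#/ || NF < 2 { next }
    {
        n = split($1, sel, ";")
        for (i = 1; i <= n; i++)
            if (sel[i] == want || sel[i] == fac ".*" || sel[i] == "*." pri) { print $2; exit }
    }' "$1"
}

# 0 if sshd_config $1 makes sftp-server log file operations (priority info
# or debug) and syslog.conf $2 routes them to an existing file.
check_sftp_logging() {
    [ "$(sftp_log_options "$1")" != "none none" ] ||
        { echo "FAIL: no active 'Subsystem sftp' line in $1"; return 1; }
    sel=$(sftp_syslog_selector "$1") ||
        { echo "FAIL: -l/-f on the Subsystem line hold values sftp-server rejects"; return 1; }
    case "$sel" in
        *.info|*.debug) ;;
        *) echo "FAIL: $sel logs errors only; add '-l INFO' to the Subsystem line"; return 1 ;;
    esac
    target=$(syslog_target "$2" "$sel")
    [ -n "$target" ] || { echo "FAIL: no '$sel' line in $2"; return 1; }
    [ -f "$target" ] || { echo "FAIL: $target missing; touch it, then refresh -s syslogd"; return 1; }
    echo "OK: $sel -> $target"
}

# Constructed sample files mirroring the thread: stock line, swapped options,
# corrected line, and a syslog.conf that routes auth.info to an existing file.
make_demo_configs() {
    mkdir -p "$1"
    printf 'Subsystem\tsftp\t/usr/sbin/sftp-server\n' > "$1/sshd_config.stock"
    printf 'Subsystem\tsftp\t/usr/sbin/sftp-server -f INFO -l AUTH\n' > "$1/sshd_config.swapped"
    printf '#Subsystem sftp /usr/sbin/sftp-server\nSubsystem\tsftp\t/usr/sbin/sftp-server -l INFO -f AUTH\n' \
        > "$1/sshd_config.fixed"
    printf '# constructed syslog.conf\nauth.info\t%s/auth.log\n' "$1" > "$1/syslog.conf"
    : > "$1/auth.log"
}

demo=${TMPDIR:-/tmp}/sftplogdemo.$$
make_demo_configs "$demo"
for variant in stock swapped fixed; do
    printf '%-8s ' "$variant"
    check_sftp_logging "$demo/sshd_config.$variant" "$demo/syslog.conf" || true
done
rm -r "$demo"
```

Run against the real files as `check_sftp_logging /etc/ssh/sshd_config /etc/syslog.conf` before restarting sshd; the three constructed variants print one FAIL for the stock line (errors only), one FAIL for the swapped options, and OK for the corrected line. The check is deliberately strict about the selector: "-l VERBOSE" still lands on auth.info, but "-l DEBUG" needs an auth.debug line, and a facility other than AUTH needs its own selector.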
Author Comment

by:shanetexas
ID: 24151046
I did everything you said but now I cant connect via sftp.

I get SFTP Connection Error.

When I remove the additional -f INFO -l AUTH from the

Subsystem       sftp    /usr/sbin/sftp-server

entry in /etc/ssh/sshd_config it connects?

Shane
Expert Comment

by:woolmilkporc
ID: 24151487
Well,

it's -l INFO -f AUTH
Author Comment

by:shanetexas
ID: 24151717
Ok, I've got it logging but the detail is nothing more than showing I logged in:

Apr 15 13:44:08 tech9 auth|security:info sshd[380998]: Accepted password for root from 10.150.71.15 port 2732 ssh2
Apr 15 13:44:08 tech9 auth|security:info sshd[380998]: subsystem request for sftp

Is there a way I can capture the names of the files the users are sftp'ng?

Shane
Accepted Solution

by:woolmilkporc (earned 500 total points)
ID: 24151879
With auth.info it should do what you want!

This is a part of my log:

Apr 15 19:13:58 lpxxxx auth|security:info sshd[409830]: Accepted publickey for root from 172.16.xx.xxx port 52556 ssh2
Apr 15 19:13:58 lpxxxx auth|security:info sshd[409830]: subsystem request for sftp
Apr 15 19:13:58 lpxxxx auth|security:info sftp-server[364600]: session opened for local user root from [172.16.xx.xxx]
Apr 15 19:14:05 lpxxxx auth|security:info sftp-server[364600]: open "/home/admin/root/testfile" flags WRITE,CREATE,TRUNCATE mode 0644
Apr 15 19:14:05 lpxxxx auth|security:info sftp-server[364600]: close "/home/admin/root/testfile" bytes read 8160 written 8160
Apr 15 19:14:33 lpxxxx auth|security:info sftp-server[364600]: session closed for local user root from [172.16.xx.xxx]

sshd_config:
#SyslogFacility AUTH (# = left on default)
#LogLevel INFO           (# = left on default)
Subsystem       sftp    /usr/sbin/sftp-server -l INFO -f AUTH

syslog.conf:
auth.info               /var/log/auth.log

/var/log:
-rw-r--r--    1 root     system        982244 Apr 15 19:14 /var/log/auth.log


Do you have the correct line in syslog.conf? Seems that you're only logging sshd!

auth.info in syslog.conf must correspond to -l INFO -f AUTH  (uppercase or lowercase doesn't matter!)

Did you look at the right logfile? Did you 'touch' it if it did not already exist?
Author Comment

by:shanetexas
ID: 24152003
/etc/ssh/sshd_config
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
&
# override default of no subsystems
Subsystem       sftp    /usr/sbin/sftp-server -l INFO -f AUTH

/etc/syslog.conf    
auth.info               /var/log/auth.log

ls -l /var/log/auth.log
-rw-rw-rw-    1 root     system            0 Apr 15 14:53 /var/log/auth.log

#refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
#stopsrc -s sshd ; sleep 5 ; startsrc -s sshd ; lssrc -g ssh
0513-044 The sshd Subsystem was requested to stop.
0513-059 The sshd Subsystem has been started. Subsystem PID is 377040.
Subsystem         Group            PID          Status
 sshd             ssh              377040       active

For some reason it works now!!!

Apr 15 15:00:54 tech9 auth|security:info sshd[385140]: Accepted password for root from 10.150.71.15 port 2947 ssh2
Apr 15 15:00:54 tech9 auth|security:info sshd[385140]: subsystem request for sftp
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: session opened for local user root from [10.150.71.15]
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: opendir "/home/root"
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: closedir "/home/root"
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: sent status No such file
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: sent status No such file
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: open "/home/root/shane.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: close "/home/root/shane.txt" bytes read 0 written 179
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: set "/home/root/shane.txt" modtime 20090414-10:57:24
Apr 15 15:01:29 tech9 auth|security:info sftp-server[372900]: rename old "/home/root/shane.txt" new "/home/root/asdfshane.txt"
Apr 15 15:01:38 tech9 auth|security:info sftp-server[372900]: remove name "/home/root/asdfshane.txt"
Apr 15 15:01:38 tech9 auth|security:info sftp-server[372900]: opendir "/home/root/"
Apr 15 15:01:39 tech9 auth|security:info sftp-server[372900]: closedir "/home/root/"
Apr 15 15:01:47 tech9 auth|security:info sftp-server[372900]: session closed for local user root from [10.150.71.15]

Thank you very much!!!

Shane

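The two logs above (the expert's and the author's) show what -l INFO buys: every open, close, rename and remove, each tagged with the sftp-server pid, with the user and client address only on the "session opened" line. Turning that into the ftp-style per-user record the question asked for is a small parsing job. The following is an added example, not code from the thread: a POSIX sh/awk script that attributes each sftp-server line to the user and client address of its session and prints one line per file operation, plus a filter for the operations that changed something on the server. The message shapes it matches (opendir, open, close, set, rename, symlink, remove, mkdir, rmdir) are the ones sftp-server emits at INFO level; the lines in sample_log are constructed in the format shown in the thread, with a second, fictitious session added to show the attribution.

```shell
#!/bin/sh
# Added example, not from the thread: build a per-user audit trail from the
# sftp-server lines that appear once "-l INFO" is in place.

# Constructed sample lines in the format the thread shows (AIX syslog with the
# "auth|security:info" tag; the parser does not depend on that tag).
sample_log() {
cat <<'EOF'
Apr 15 15:00:54 tech9 auth|security:info sshd[385140]: Accepted password for root from 10.150.71.15 port 2947 ssh2
Apr 15 15:00:54 tech9 auth|security:info sshd[385140]: subsystem request for sftp
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: session opened for local user root from [10.150.71.15]
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: opendir "/home/root"
Apr 15 15:00:54 tech9 auth|security:info sftp-server[372900]: closedir "/home/root"
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: sent status No such file
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: open "/home/root/shane.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: close "/home/root/shane.txt" bytes read 0 written 179
Apr 15 15:01:17 tech9 auth|security:info sftp-server[372900]: set "/home/root/shane.txt" modtime 20090414-10:57:24
Apr 15 15:01:29 tech9 auth|security:info sftp-server[372900]: rename old "/home/root/shane.txt" new "/home/root/asdfshane.txt"
Apr 15 15:01:38 tech9 auth|security:info sftp-server[372900]: remove name "/home/root/asdfshane.txt"
Apr 15 15:01:38 tech9 auth|security:info sftp-server[372900]: opendir "/home/root/"
Apr 15 15:01:47 tech9 auth|security:info sftp-server[372900]: session closed for local user root from [10.150.71.15]
Apr 15 15:02:10 tech9 auth|security:info sftp-server[372901]: session opened for local user alice from [10.150.71.20]
Apr 15 15:02:12 tech9 auth|security:info sftp-server[372901]: open "/home/alice/notes.txt" flags READ mode 0666
Apr 15 15:02:12 tech9 auth|security:info sftp-server[372901]: close "/home/alice/notes.txt" bytes read 2048 written 0
Apr 15 15:02:20 tech9 auth|security:info sftp-server[372901]: session closed for local user alice from [10.150.71.20]
EOF
}

# One line per file operation: "Mon DD HH:MM:SS user@client pid=N OP path [detail]".
# Sessions are keyed on the sftp-server pid from the "session opened" line,
# so operations stay attributed when several sessions interleave.
sftp_audit() {
    awk '
    function quoted(s, k,   i, a) {            # k-th double-quoted string in s
        for (i = 0; i < k; i++) {
            if (!match(s, /"[^"]*"/)) return ""
            a = substr(s, RSTART + 1, RLENGTH - 2)
            s = substr(s, RSTART + RLENGTH)
        }
        return a
    }
    function emit(op, path, detail) {
        printf "%s %s pid=%s %s %s%s\n", ts, (pid in who ? who[pid] : "unknown"), pid, op, path, (detail == "" ? "" : " " detail)
    }
    !match($0, /sftp-server\[[0-9]+\]: /) { next }   # sshd and other daemons
    {
        pid = substr($0, RSTART + 12, RLENGTH - 15)
        msg = substr($0, RSTART + RLENGTH)
        ts = $1 " " $2 " " $3
    }
    msg ~ /^session opened for local user / {
        n = split(msg, w, " "); host = w[n]; gsub(/\[|\]/, "", host)
        who[pid] = w[6] "@" host; next
    }
    msg ~ /^session closed/ { delete who[pid]; next }
    msg ~ /^opendir "/     { emit("LIST", quoted(msg, 1), ""); next }
    msg ~ /^open "/ {                                # READ vs WRITE from the flags
        f = msg; sub(/^.* flags /, "", f); sub(/ mode .*$/, "", f)
        emit((f ~ /WRITE/ ? "WRITE" : "READ"), quoted(msg, 1), "flags=" f); next
    }
    msg ~ /^close "/       { d = msg; sub(/^close "[^"]*" /, "", d); emit("CLOSE", quoted(msg, 1), d); next }
    msg ~ /^set "/         { d = msg; sub(/^set "[^"]*" /, "", d); emit("SETATTR", quoted(msg, 1), d); next }
    msg ~ /^rename old "/  { emit("RENAME", quoted(msg, 1), "-> " quoted(msg, 2)); next }
    msg ~ /^symlink old "/ { emit("SYMLINK", quoted(msg, 1), "-> " quoted(msg, 2)); next }
    msg ~ /^remove name "/ { emit("REMOVE", quoted(msg, 1), ""); next }
    msg ~ /^mkdir name "/  { emit("MKDIR", quoted(msg, 1), ""); next }
    msg ~ /^rmdir name "/  { emit("RMDIR", quoted(msg, 1), ""); next }
    ' "$@"
}

# Only the operations that changed something on the server (the "did they
# delete any files" question). Field 6 of sftp_audit output is the operation.
sftp_changes() {
    awk '$6 ~ /^(WRITE|RENAME|REMOVE|MKDIR|RMDIR|SYMLINK|SETATTR)$/' "$@"
}

echo "== all operations =="
sample_log | sftp_audit
echo "== changes only =="
sample_log | sftp_audit | sftp_changes
```

On a live system run `sftp_audit /var/log/auth.log` (or feed it a rotated copy). Two caveats a practitioner will hit: the user is only known from the "session opened" line, so a log that starts mid-session attributes operations to "unknown", and sftp-server logs paths as the client sent them, so a chrooted or relative path in the log is not necessarily the absolute path on disk.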
Author Closing Comment

by:shanetexas
ID: 31570559
Thank you for your time and help!
Expert Comment

by:woolmilkporc
ID: 24152059
You're very welcome! Thx for the points. I think the clue was the refresh of syslogd!
Cheers and good luck,

Wmp