■ Purpose : store sftp log messages in custom file
■ OS Environment : RHEL 6
■ Applications: sftp, syslog
■ Prerequisites : Assuming a chrooted environment is set up at /chroot; SELinux disabled
■ Implementation Steps :
1. Modify the sshd config file.
Make sure the sftp subsystem logs to the AUTHPRIV facility (with VERBOSE level) in /etc/ssh/sshd_config. The relevant line looks like:
$ cat /etc/ssh/sshd_config
Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE
2. Make rsyslogd listen on an additional socket inside the chroot by editing /etc/sysconfig/rsyslog:
$ vi /etc/sysconfig/rsyslog
SYSLOGD_OPTIONS="-m 0 -a /chroots/dev/log"
3. Add the following lines to /etc/rsyslog.conf (the "~" action discards a message once it has been written to the file, so it no longer appears in the default logs; keep each "~" line after its file action):
$InputUnixListenSocketHostname internal-sftp
$AddUnixListenSocket /chroots/dev/log
# Log internal-sftp activity in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~
:programname, isequal, "sshd" -/var/log/sftp.log
:programname, isequal, "sshd" ~
4. Hard-link the socket into the user's chroot, where <username> is a placeholder for the SFTP login name (a chrooted internal-sftp process opens /dev/log relative to its own root):
$ mkdir -p /chroots/<username>/dev
$ ln /chroots/dev/log /chroots/<username>/dev/log
5. Restart the rsyslog and sshd services:
$ service rsyslog restart
$ service sshd restart
6. Testing :
Open a terminal and follow the new log file:
$ tailf /var/log/sftp.log
From another terminal, log in to an SFTP account:
$ sftp username@IP
pw:
Enter the password when prompted.
All SFTP log messages now appear in /var/log/sftp.log.
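A verification script for the steps above, added here as an example and not part of the original post. It assumes the tutorial's paths (/chroots/dev/log, /var/log/sftp.log) and a constructed user chroot /chroots/user1 for the dry run:

```shell
#!/bin/sh
# Added example, not part of the original post: checks the pieces the steps above
# configure (sshd Subsystem line, rsyslog routing rules, socket hard-linked into the
# chroot). File paths are arguments, so it runs on the real files or on constructed copies.

# Step 1: sshd must run internal-sftp with "-f AUTHPRIV" and "-l VERBOSE".
check_sshd_subsystem() {
    line=$(grep -E '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    echo "$line" | grep -Eq -- '-f[[:space:]]+AUTHPRIV' || return 1
    echo "$line" | grep -Eq -- '-l[[:space:]]+VERBOSE'
}

# Step 3: rsyslog.conf must add the chroot socket and, per program name, write the message
# to /var/log/sftp.log BEFORE the discard rule (~); with the order reversed nothing is logged.
check_rsyslog_rules() {
    grep -Eq '^\$AddUnixListenSocket[[:space:]]+/chroots/dev/log' "$1" || return 1
    for prog in internal-sftp sshd; do
        write=$(grep -nE "^:programname, *isequal, *\"$prog\" +-?/var/log/sftp.log" "$1" | head -n 1 | cut -d: -f1)
        drop=$(grep -nE "^:programname, *isequal, *\"$prog\" +~" "$1" | head -n 1 | cut -d: -f1)
        [ -n "$write" ] && [ -n "$drop" ] && [ "$write" -lt "$drop" ] || return 1
    done
}

# Step 4: the socket rsyslog listens on and the one inside the user's chroot must be the
# same inode (hard link); a copy is a different file and the chrooted sftp logs nowhere.
check_chroot_socket() {
    [ -e "$1" ] && [ "$1" -ef "$2" ]
}

# Dry run on constructed copies of the tutorial's settings; returns 0 when all checks pass.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE\n' > "$tmp/sshd_config"
    cat > "$tmp/rsyslog.conf" <<'EOF'
$AddUnixListenSocket /chroots/dev/log
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~
:programname, isequal, "sshd" -/var/log/sftp.log
:programname, isequal, "sshd" ~
EOF
    mkdir -p "$tmp/chroots/dev" "$tmp/chroots/user1/dev"
    : > "$tmp/chroots/dev/log"   # stands in for the socket rsyslog would create
    ln "$tmp/chroots/dev/log" "$tmp/chroots/user1/dev/log"
    if check_sshd_subsystem "$tmp/sshd_config" && check_rsyslog_rules "$tmp/rsyslog.conf" &&
       check_chroot_socket "$tmp/chroots/dev/log" "$tmp/chroots/user1/dev/log"
    then rc=0; else rc=1; fi
    rm -rf "$tmp"; return $rc
}
```

Run `demo` for the dry run, or call the three check functions against /etc/ssh/sshd_config, /etc/rsyslog.conf and the two socket paths on the real host; note that with the rules above sshd messages are diverted from /var/log/secure into sftp.log as well.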
Hello.
Some questions about this tutorial:
- In point 4, where is the username used?
I think it should be:
ln /chroots/dev/log /chroots//dev/log
- In point 3, must the $ be included in the config file, or is it a typo?
Thanks, David
Self-answer: the $ in front of the parameter is ok.
For point 3: problem with special characters on this site, just seen that my comment has the same problem :)
--> must add the login name between the two /