Enable SFTP Logging

I skimmed through google searches and stackoverflow queries, but found only patchy answers to the question, “How do I log the SFTP access of a directory?”. So I thought I would provide a clear(possibly) answer to the query. The answer seems to be two fold

  1. Enable the ssh access logs
  2. Enable logging of directory access

Enable SSH access logs

By default SSH server’s Loglevel is at INFO. For getting more verbose logging we should enable change that to VERBOSE. To impact this you need to edit the /etc/ssh/sshd_config file. Here is a snuppet.

...

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

...

To view all the options please look up the man pages of sshd_config.

$ man sshd_config

Restart the SSH server and this will enable verbose logging into /var/log/auth.log.

Enable Logging of Directory Access

The above setting changes to VERBOSE only logs the access to the machine(source, user and time), and not which directories are accessed.

Since sftp-server is another subsystem that is enabled through secure transport(ssh), it requires to enable its own logging as well. Notice the following line the following line in /etc/ssh/sshd_config.

...
Subsystem sftp /usr/lib/openssh/sftp-server
...

Looking up sftp-server man pages reveals that it too has options for VERBOSE logging, and need be passed as an argument to -l flag. So change the above line this on /etc/ssh/sshd_config

...
Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE
...

To effect the changes, restart the SSH server and you should see the directory access logs appearing in /var/log/auth.log.

Show Comments