I skimmed through Google searches and Stack Overflow queries, but found only patchy answers to the question, “How do I log the SFTP access of a directory?”. So I thought I would provide a clear (possibly) answer to the query. The answer seems to be twofold:
- Enable the ssh access logs
- Enable logging of directory access
Enable SSH access logs
By default the SSH server’s LogLevel is INFO. To get more verbose logging, change it to VERBOSE. To do this, edit the /etc/ssh/sshd_config file. Here is a snippet.
    ...
    # Logging
    SyslogFacility AUTH
    LogLevel VERBOSE
    ...
To view all the options please look up the man pages of sshd_config.
$ man sshd_config
Restart the SSH server and this will enable verbose logging into
Enable Logging of Directory Access
The above change to VERBOSE only logs access to the machine (source, user and time), not which directories are accessed.
sftp-server is another subsystem that is enabled through the secure transport (ssh), and it requires its own logging to be enabled as well. Notice the following line in
    ...
    Subsystem sftp /usr/lib/openssh/sftp-server
    ...
The sftp-server man page reveals that it too has an option for VERBOSE logging, which needs to be passed as an argument to the -l flag. So change the above line to
    ...
    Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE
    ...
To effect the changes, restart the SSH server and you should see the directory access logs appearing in
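
To confirm that both changes described in this post are in place before restarting the server, the check below reads sshd_config text and reports which of the two settings is still missing. It is an added example, not code from the original post; the function names and the two sample configs are constructed for illustration, and it assumes whitespace-separated keywords and looks only at the global section (it stops at the first Match block).

```python
# Added example: audits sshd_config text for the two settings from the post.
LEVELS = ["QUIET", "FATAL", "ERROR", "INFO", "VERBOSE",
          "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"]  # least to most verbose

def at_least_verbose(level):
    level = level.upper()
    return level in LEVELS and LEVELS.index(level) >= LEVELS.index("VERBOSE")

def audit_sshd_config(text):
    """Return a list of findings; an empty list means both settings are on."""
    loglevel, sftp_args = None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()                 # keywords are case-insensitive
        if key == "match":
            break                              # simplification: global section only
        if key == "loglevel" and loglevel is None and len(words) > 1:
            loglevel = words[1]                # sshd keeps the first value it reads
        elif (key == "subsystem" and sftp_args is None
              and len(words) > 2 and words[1] == "sftp"):
            sftp_args = words[3:]              # arguments after the server path
    findings = []
    effective = loglevel or "INFO"             # the post: default LogLevel is INFO
    if not at_least_verbose(effective):
        findings.append("LogLevel is %s, not VERBOSE" % effective)
    if sftp_args is None:
        findings.append("no 'Subsystem sftp' line found")
    else:
        level = None
        if "-l" in sftp_args[:-1]:
            level = sftp_args[sftp_args.index("-l") + 1]
        if level is None or not at_least_verbose(level):
            findings.append("sftp subsystem lacks '-l VERBOSE' (found: %s)" % level)
    return findings

# Constructed sample configs, not taken from a real host.
BEFORE = """# Logging
SyslogFacility AUTH
LogLevel INFO
Subsystem sftp /usr/lib/openssh/sftp-server
"""
AFTER = """# Logging
SyslogFacility AUTH
LogLevel VERBOSE
Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_sshd_config(cfg) or "OK")
```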