Score:1

Finding deleted/imported files in SFTP server using logs


We have an SFTP server. I am trying to find out if some specific files have been deleted from the server, or if they have even been imported to the server or not. I'm going through the log files under /var/log but couldn't find relevant logs so far.

I'm wondering in which log file I can find such information?

Any help would be appreciated.

Updated:

Based on the answer and the link, I have modified the config file; part of it looks like this:

Subsystem sftp internal-sftp -f AUTH -l INFO

# Force sftp and chroot jail for members of sftp group
Match group sftp
ForceCommand internal-sftp
ChrootDirectory /sftp/%u

# Members of sftp-glob have access to all user folders
Match group sftp-glob
ForceCommand internal-sftp
ChrootDirectory /sftp


# Enable this for more logs
LogLevel VERBOSE

Then restarted sshd:

sudo systemctl restart sshd

In this case I can only see the logs created by the admin user (me) under /var/log/auth.log:

Jan 17 12:57:50 ios-sftp internal-sftp[5262]: remove name "/tmp/test.txt"

For logging the chrooted users actions I have done this:

cd /sftp 
sudo mkdir dev
sudo chmod 755 dev
sudo touch dev/log
sudo mount --bind /dev/log dev/log

However, I still can't see the other users' logs in /var/log/auth.log if they upload or delete files.

It started to work after fixing the config file by changing ForceCommand internal-sftp to ForceCommand internal-sftp -f AUTH -l INFO:

Subsystem sftp internal-sftp -f AUTH -l INFO

# Force sftp and chroot jail for members of sftp group
Match group sftp
ForceCommand internal-sftp -f AUTH -l INFO
ChrootDirectory /sftp/%u

# Members of sftp-glob have access to all user folders
Match group sftp-glob
ForceCommand internal-sftp -f AUTH -l INFO
ChrootDirectory /sftp


# Enable this for more logs
LogLevel VERBOSE

Now I can see the logs under /var/log/auth.log:

Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58
Score:3

By default, transferred files are not logged by sftp in system logs, only connection and disconnection.

It can be enabled for future transactions, but that probably won't help you solve your problem at hand - but it may solve it for the future.

Matrix: Thanks for the swift reply. After adding it to the sshd_config file, I can only see the logs of the admin user in /var/log/auth.log. However, I'm more interested in the other chrooted users. My chroot directory is in /sftp, so based on the link, I have created a dev folder under the /sftp folder and a log file (touch dev/log), and also mounted /dev/log to /sftp/dev/log, but I still can't see the users' logs under /dev/log/auth.log. Is there another directory that I should check? Or is there another setup that I'm missing?

vidarlo: I think messages is probably more appropriate than auth.log.

Matrix: I don't have a messages file in that directory.

vidarlo: I don't know how your environment is configured wrt. logging.

Matrix: It has the default setup as far as I know. As I can see the logs that come from the admin user under /var/log/auth.log, I assume the logs of chrooted users should come in the same place, shouldn't they? I have updated my question with more info.

Matrix: It is fixed, I missed some config in the sshd_config file, now it is working fine :) Thanks for the helpful answer.
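
Once `internal-sftp -f AUTH -l INFO` logging is on, uploads and deletions can be pulled out of /var/log/auth.log with a short script. This is an added example, not code from the thread: the sample lines are constructed, `remove name` and `set ... modtime` follow the lines quoted in the question, and the `session opened` and `close` formats are assumed from OpenSSH's sftp-server logging at INFO level.

```python
import re

# Constructed sample of /var/log/auth.log lines (not taken from a real server).
SAMPLE_LOG = """\
Jan 18 10:12:40 user-sftp internal-sftp[7466]: session opened for local user alice from [192.0.2.10]
Jan 18 10:12:58 user-sftp internal-sftp[7466]: open "/folder1/folder2/myfile.xml" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 18 10:13:02 user-sftp internal-sftp[7466]: close "/folder1/folder2/myfile.xml" bytes read 0 written 2048
Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58
Jan 18 10:20:11 user-sftp internal-sftp[7466]: open "/folder1/report.csv" flags READ mode 0666
Jan 18 10:20:12 user-sftp internal-sftp[7466]: close "/folder1/report.csv" bytes read 512 written 0
Jan 18 10:21:30 user-sftp internal-sftp[7466]: remove name "/folder1/old.xml"
Jan 18 10:22:00 user-sftp sshd[7460]: Received disconnect from 192.0.2.10 port 50514:11: disconnected by user
"""

# Syslog prefix written by the sftp subsystem: timestamp, host, program[pid], message.
LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ '
                  r'(?:internal-sftp|sftp-server)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Message formats (assumed from OpenSSH sftp-server INFO logging, except "remove name").
SESSION = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]')
CLOSE = re.compile(r'^close "(?P<path>.*)" bytes read (?P<rd>\d+) written (?P<wr>\d+)$')
REMOVE = re.compile(r'^remove name "(?P<path>.*)"$')

def file_events(log_text):
    """Return (timestamp, user, action, path) tuples for uploads and deletions."""
    users = {}   # pid -> account name, learned from the "session opened" line
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # sshd or other daemons, not an sftp subsystem message
        ts, pid, msg = m.group("ts", "pid", "msg")
        if (s := SESSION.match(msg)):
            users[pid] = s.group("user")
        elif (c := CLOSE.match(msg)) and int(c.group("wr")) > 0:
            # A close with bytes written means data was uploaded to that path.
            events.append((ts, users.get(pid, "?"), "upload", c.group("path")))
        elif (r := REMOVE.match(msg)):
            events.append((ts, users.get(pid, "?"), "delete", r.group("path")))
    return events

def history(log_text, path):
    """Events for one path, exactly as it appears in the log."""
    return [e for e in file_events(log_text) if e[3] == path]

if __name__ == "__main__":
    for event in file_events(SAMPLE_LOG):
        print(*event, sep="  ")
```

For chrooted users the logged path is relative to the ChrootDirectory, so search for the path as the client sees it. The user is `?` when the session-opened line has already rotated out of the file being read.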