Hi, I need to log the activity of my SFTP (RHEL 5.4).
I have this in /etc/sshd/sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l VERBOSE
And this in /etc/syslog.conf:
LOCAL5.* /var/log/sftp.log
When I log in with a regular user, I get all the activity correctly logged in /var/log/sftp.log:
Jun 3 17:03:37 bpweb00001 sftp-server[13567]: session opened for local user John from [xxx.xxx.1.201]
Jun 3 17:03:37 bpweb00001 sftp-server[13567]: received client version 5
Jun 3 17:03:37 bpweb00001 sftp-server[13567]: realpath "."
Jun 3 17:03:37 bpweb00001 sftp-server[13567]: opendir "/home/John"
Jun 3 17:03:37 bpweb00001 sftp-server[13567]: closedir "/home/John"
Jun 3 17:14:16 bpweb00001 sftp-server[13567]: session closed for local user John from [xxx.xxx.1.201]
However, when I log in with a chrooted user, I get nothing in /var/log/sftp.log.
In /var/log/secure I get:
Jun 3 18:26:08 bpweb00001 sshd[18140]: Accepted password for TEST from xxx.xx.21.138 port 47748 ssh2
Jun 3 18:26:08 bpweb00001 sshd[18140]: pam_unix(sshd:session): session opened for user TEST by (uid=0)
Jun 3 18:26:08 bpweb00001 sshd[18144]: subsystem request for sftp
Jun 3 18:58:08 bpweb00001 sshd[18140]: pam_unix(sshd:session): session closed for user TEST
And in /var/log/messages:
Jun 3 18:27:44 bpweb00001 rssh[18168]: setting log facility to LOG_USER
Jun 3 18:27:44 bpweb00001 rssh[18168]: setting umask to 022
Jun 3 18:27:44 bpweb00001 rssh[18168]: line 66: configuring user TEST
Jun 3 18:27:44 bpweb00001 rssh[18168]: setting TEST's umask to 011
Jun 3 18:27:44 bpweb00001 rssh[18168]: allowing sftp to user TEST
Jun 3 18:27:44 bpweb00001 rssh[18168]: chrooting TEST to /chroot_dir
Jun 3 18:27:44 bpweb00001 rssh[18168]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server -f LOCAL5 -l VERBOSE"
The man page for sftp-server says: "For logging to work, sftp-server must be able to access /dev/log. Use of sftp-server in a chroot configuration therefore requires that syslogd(8) establish a logging socket inside the chroot directory."
So in /etc/sysconfig/syslog I did:
SYSLOGD_OPTIONS="-m 0 -a /chroot_dir/dev/log"
Restarted syslog and... nothing happened!
Can anyone tell me what I am doing wrong?
Thanks in advance.
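
Added example, not part of the original post: a shell check for the precondition quoted from the sftp-server man page, namely that syslogd is given the chroot's dev/log with -a and that a socket actually exists at that path. The function names and script name are hypothetical; /chroot_dir and /etc/sysconfig/syslog are the paths from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print every socket path given to syslogd via -a in SYSLOGD_OPTIONS, one per line.
syslogd_extra_sockets() {
    conf=$1
    [ -r "$conf" ] || return 1
    # Take the last SYSLOGD_OPTIONS="..." assignment without sourcing the file.
    opts=$(sed -n 's/^SYSLOGD_OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    set -- $opts            # split the option string into words
    while [ $# -gt 0 ]; do
        case $1 in
            -a)   if [ $# -ge 2 ]; then printf '%s\n' "$2"; fi ;;
            -a?*) printf '%s\n' "${1#-a}" ;;
        esac
        shift
    done
}

# Return 0 if <chroot>/dev/log is configured and present as a socket,
# 1 if the config is unreadable, 2 if not listed with -a, 3 if no socket there.
check_chroot_logging() {
    chroot=${1%/}
    conf=$2
    sock="$chroot/dev/log"
    sockets=$(syslogd_extra_sockets "$conf") || { echo "cannot read $conf"; return 1; }
    if ! printf '%s\n' "$sockets" | grep -Fxq -- "$sock"; then
        echo "$sock is not passed to syslogd with -a in $conf"
        return 2
    fi
    if [ ! -S "$sock" ]; then
        echo "$sock is configured but no socket exists there"
        return 3
    fi
    echo "$sock is configured and is a socket"
}

# Usage: sh check_chroot_log.sh /chroot_dir /etc/sysconfig/syslog
if [ $# -eq 2 ]; then
    check_chroot_logging "$1" "$2"
fi
```

Exit status 2 means the config does not name the chroot's dev/log; status 3 means the config names it but the running syslogd has not created a socket at that path.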