Loggin SFTP activity for chrooted (rssh) users

Linux and Unix-Like Red Hat
1

Hi, I need to log the activity of my SFTP (RHEL 5.4).

I have this in /etc/sshd/sshd_config:

Subsystem       sftp    /usr/libexec/openssh/sftp-server -f LOCAL5 -l VERBOSE

And this in /etc/syslog.conf:

LOCAL5.*                                                /var/log/sftp.log

When I log in with a regular user, I get all the activity correctly logged in /var/log/sftp.log:

Jun  3 17:03:37 bpweb00001 sftp-server[13567]: session opened for local user John from [xxx.xxx.1.201]
Jun  3 17:03:37 bpweb00001 sftp-server[13567]: received client version 5
Jun  3 17:03:37 bpweb00001 sftp-server[13567]: realpath "."
Jun  3 17:03:37 bpweb00001 sftp-server[13567]: opendir "/home/John"
Jun  3 17:03:37 bpweb00001 sftp-server[13567]: closedir "/home/John"
Jun  3 17:14:16 bpweb00001 sftp-server[13567]: session closed for local user John from [xxx.xxx.1.201]

However, when I log in with a chrooted user, I get nothing in /var/log/sftp.log.
In /var/log/secure I get:

Jun  3 18:26:08 bpweb00001 sshd[18140]: Accepted password for TEST from xxx.xx.21.138 port 47748 ssh2
Jun  3 18:26:08 bpweb00001 sshd[18140]: pam_unix(sshd:session): session opened for user TEST by (uid=0)
Jun  3 18:26:08 bpweb00001 sshd[18144]: subsystem request for sftp
Jun  3 18:58:08 bpweb00001 sshd[18140]: pam_unix(sshd:session): session closed for user TEST

And in /var/log/messages:

Jun  3 18:27:44 bpweb00001 rssh[18168]: setting log facility to LOG_USER
Jun  3 18:27:44 bpweb00001 rssh[18168]: setting umask to 022
Jun  3 18:27:44 bpweb00001 rssh[18168]: line 66: configuring user TEST
Jun  3 18:27:44 bpweb00001 rssh[18168]: setting TEST's umask to 011
Jun  3 18:27:44 bpweb00001 rssh[18168]: allowing sftp to user TEST
Jun  3 18:27:44 bpweb00001 rssh[18168]: chrooting TEST to /chroot_dir
Jun  3 18:27:44 bpweb00001 rssh[18168]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server -f LOCAL5 -l VERBOSE"

The man page for sftp-server says: "For logging to work, sftp-server must be able to access /dev/log. Use of sftp-server in a chroot configuation there-
fore requires that syslogd(8) establish a logging socket inside the chroot directory."

So in /etc/sysconfig/syslog I did:

SYSLOGD_OPTIONS="-m 0 -a /chroot_dir/dev/log"

Restarted syslog and... nothing happened!

Can anyone tell me what am I doing wrong?

Thanks in advance.

2

What's your system logger? Most of them don't have -a.

Is the chroot dir on the same filesystem as /dev/log ? you could make a hard-link.