Secure Shell
logging file names with sftp Sep 01 2009 06:56PM
Agile Aspect (agile aspect gmail com) (1 replies)
Re: logging file names with sftp Sep 03 2009 01:27AM
Darren Tucker (dtucker zip com au) (1 replies)
Re: logging file names with sftp Sep 03 2009 05:34AM
Agile Aspect (agile aspect gmail com) (2 replies)
Re: logging file names with sftp Sep 04 2009 01:12AM
Darren Tucker (dtucker zip com au)
Agile Aspect wrote:
> Hi Darren - thanks for the reply!
>
> The so-called "normal" logging is working - the problem is it's tragically
> incomplete.
>
> We store IP information on the server. In addition, it's not possible to have
> security without accountability.
>
> I was able to modify sftp-server.c to our needs, i.e., basically log every
> sftp command issued - including the names of the files transferred - tagged
> with user name and stored in a separate log file.
>
> If anyone is interested in what I did I would be more than happy to share it -
> otherwise I won't bore you to death.

I'm curious about what you needed that wasn't provided out of the box.

sftp-server(8) says about loglevel: "INFO and VERBOSE log transactions
that sftp-server performs on behalf of the client", and setting this in
sshd_config:

Subsystem sftp /usr/local/libexec/sftp-server -f LOCAL7 -l INFO

gives:

2009-09-04T11:07:35.660499+10:00 gate sftp-server[24692]: session opened for local user dtucker from [127.0.0.1]
2009-09-04T11:07:39.723595+10:00 gate sftp-server[24692]: open "/home/dtucker/foo" flags READ mode 0666
2009-09-04T11:07:39.725142+10:00 gate sftp-server[24692]: close "/home/dtucker/foo" bytes read 4763 written 0
2009-09-04T11:07:41.100064+10:00 gate sftp-server[24692]: session closed for local user dtucker from [127.0.0.1]

Everything you mentioned (user, source IP address, files accessed) is
all there. What did you find missing?

> In short, I solved my problem and thanks!

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
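
Added example, not part of the original message and not OpenSSH code: a Python parser that joins the INFO-level sftp-server lines shown above by PID, so every closed file is tagged with the user and source address of its session. The function name `file_transfers` and the second session (user `alice`, address 192.0.2.10, PID 24700) are constructed for illustration.

```python
import re

# Line layout taken from the log excerpt in the message above:
#   <timestamp> <host> sftp-server[<pid>]: <message>
LINE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$')
OPENED = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$')
CLOSED = re.compile(r'^session closed for local user ')
# Greedy path match, so a double quote inside a file name does not truncate it.
CLOSE = re.compile(r'^close "(?P<path>.*)" bytes read (?P<rd>\d+) written (?P<wr>\d+)$')

# PID 24692 lines are from the message above; PID 24700 lines are constructed.
SAMPLE = [
    '2009-09-04T11:07:35.660499+10:00 gate sftp-server[24692]: session opened for local user dtucker from [127.0.0.1]',
    '2009-09-04T11:07:36.000000+10:00 gate sftp-server[24700]: session opened for local user alice from [192.0.2.10]',
    '2009-09-04T11:07:39.723595+10:00 gate sftp-server[24692]: open "/home/dtucker/foo" flags READ mode 0666',
    '2009-09-04T11:07:39.725142+10:00 gate sftp-server[24692]: close "/home/dtucker/foo" bytes read 4763 written 0',
    '2009-09-04T11:07:40.000000+10:00 gate sftp-server[24700]: close "/home/alice/up.dat" bytes read 0 written 1024',
    '2009-09-04T11:07:41.100064+10:00 gate sftp-server[24692]: session closed for local user dtucker from [127.0.0.1]',
]

def file_transfers(lines):
    """Attribute each closed file to the user and source IP of its session (keyed by PID)."""
    sessions = {}   # pid -> (user, ip), filled by "session opened"
    records = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not an sftp-server line
        pid, msg = m["pid"], m["msg"]
        if (o := OPENED.match(msg)):
            sessions[pid] = (o["user"], o["ip"])
        elif CLOSED.match(msg):
            sessions.pop(pid, None)       # PIDs get reused; drop stale state
        elif (c := CLOSE.match(msg)):
            # A close without a known session (e.g. rotated log) stays visible.
            user, ip = sessions.get(pid, ("unknown", "unknown"))
            records.append({"ts": m["ts"], "user": user, "ip": ip, "path": c["path"],
                            "read": int(c["rd"]), "written": int(c["wr"])})
    return records

if __name__ == "__main__":
    for rec in file_transfers(SAMPLE):
        print(rec)
```
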

Copyright 2010, SecurityFocus