System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

File Transfer via SCP or SFTP

SOLVED
Go to solution
mt_1299
Advisor

File Transfer via SCP or SFTP

Is it possible to configure logging on an Integrity HPUX 11.31 box to show which user transferred which files in what location to/from the server or is this information all encrypted and therefore unloggable?

Thanks.
4 REPLIES
Kapil Jha
Honored Contributor

Re: File Transfer via SCP or SFTP

Nothing is logged by the SFTP-service if the SftpSysLogFacility is not set in the configuration.

In /etc/ssh2/sshd2_config add the following:

SftpSysLogFacility LOCAL7
In /etc/syslog.conf add the following:

local7.notice /var/log/sftp

BR,
Kapil+
I am in this small bowl, I wane see the real world......
Steve Post
Trusted Contributor
Solution

Re: File Transfer via SCP or SFTP

First off your title is way off.
It should have been: How do I log filenames in when a person uses scp or sftp.
I was looking for a comparison between scp and sftp.

Kapil's response is nice and fast. Let me try to add some more to the those bones.

You need to update a configuration file in ssh to log stuff. The file might be sshd2_config. Maybe not? Run a man page on ssh to find the config file.

Next dig into the config file.
For me it's ssh_config. And the lines,
SyslogFacility LOCAL3
LogLevel INFO

The word next to SyslogFacility is the name of the log file thingy that HPUX uses.
You have to modify /etc/syslog.conf to tell hpux how to handle "LOCAL3" messages. And "LOCAL3" messages might not just come from ssh. They might come from other jobs.

The LogLevel is needed to give let you see deeper and deeper into the guts of the sftp process. I would assume DEBUG level will tell you the files that got moved in and out. But it also might shove so much text into the log that you'll blow up the /var filesystem. There's a fine balance here. Who knows? Maybe you will have to set a cronjob to purge the ssh's log of junk every 5 minutes.

Now about /etc/syslog.conf, run: man syslogd. You might need to also modify other lines in there to keep ssh log info from going to syslog.log in addition to whatever other log file you make. The easiest way to see it? CAREFULLY mess with syslog.conf and sshd_config, restart ssh, look at what files got updated in the /var/adm/syslog directory.

Take a look at part of my /etc/syslog.conf file. I have ssh logging to local3 in sshd_config.
mail.debug /var/adm/syslog/mail.log
auth.info /var/adm/syslog/auth.log
local3.info /var/adm/syslog/ssh.log
*.info;mail,auth,local3.none /var/adm/syslog/syslog.log
*.alert;local3.none /dev/console
*.alert root
*.emerg *

Note the commas and semicolons.
I don't have mail, auth or local3 text go to syslog.log
I don't have local3 text go to the console either

steve

mt_1299
Advisor

Re: File Transfer via SCP or SFTP

Thanks to all for your feedback.

I eventually found the most straightforward method of accomplishing my goal was to append "-l INFO" to the "Subsystem sftp /opt/ssh/libexec/sftp-server" statement in sshd_config.
Steve Post
Trusted Contributor

Re: File Transfer via SCP or SFTP

and thanks for your conclusion.
It's nice that you found an alternate method.