Enabling SFTP Logging in Reflection for Secure IT UNIX Server 7.1

  • 7021945
  • 02-Apr-2009
  • 02-Mar-2018

Environment

Reflection for Secure IT UNIX Server version 7.1

Situation

This technical note describes how to enable SFTP logging in Reflection for Secure IT UNIX Server version 7.1.

Note the following:

Resolution

Enabling SFTP Logging

Follow these steps to enable SFTP logging in Reflection for Secure IT for UNIX.

Note: Depending on the number of users and number of files uploaded or downloaded, the log file may fill up quickly.

  1. Open the sshd2_config file in a text editor. By default, this file is located in the /etc/ssh2 directory.
  2. Uncomment (remove the # symbol from the beginning of the line) the following line:

#SftpSysLogFacility=

Add local7 after the equals sign, so the entry reads:

SftpSyslogFacility=local7

  3. Locate the entry for SftpLogCategory. Make the entry active (uncomment it) by removing the # symbol from the beginning of the line.

If necessary, edit this value. The default value logs the actions loginlogout,directorylistings,downloads,modifications,uploads. For example, you may choose to log only loginlogout actions, or only uploads.

Note: It is not necessary to increase the LogLevel value when editing SftpLogCategory. Raising the LogLevel increases the verbosity generated by SftpSyslogFacility.

  4. Save the file.
  5. Open the syslog.conf file in a text editor. By default, this file is located in the /etc directory.
  6. Add the following two lines:

# Attachmate Reflection for Secure IT SFTP
local7.<level> /var/log/sftplog

You can replace <level> with any one of the following logging level values.

| Setting | Values | Notes |
|---|---|---|
| Facility logged | daemon, user, auth, local0, local1, local2, local3, local4, local5, local6, local7 | |
| Logging level | emerg, alert, crit, err, warning, notice, info, debug | The amount of data logged increases as you move through the value list from left to right, with emerg producing the least logging and debug the most. |

Note the following:

    • The syslog.conf priority level must be equal to or higher than the LogLevel value configured in Reflection for Secure IT. The syslog.conf value cannot be lower than the LogLevel value.

      For example, if syslog.conf is set to local7.notice, and sshd2_config is set to LogLevel=debug3 and SftpSyslogFacility=local7, no data is logged to /var/log/sftplog because syslog.conf is set lower than debug3.

    • Recommended value for daily use is "info".
    • Any syslog priority level is an acceptable value.

  7. Issue the following commands to create the file where the log information will be stored:

# cd /var/log
# touch sftplog
# chown root sftplog
# chgrp sys sftplog
# chmod 600 sftplog

  8. Restart the system-log and ssh daemons after making changes.

The following command line stops and restarts the system-log (syslog) and the ssh daemon in Solaris 10:

# svcadm restart ssh && svcadm restart system-log

Logging starts once the daemons are restarted.
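
The priority rule above can be checked before the daemons are restarted. The following Python code is an added example, not part of the original technical note or the product. Its function names are hypothetical, and it assumes that keywords and values are matched case-insensitively (the note itself writes both SftpSysLogFacility and SftpSyslogFacility) and that LogLevel values such as debug3 correspond to syslog priority debug.

```python
import re

# Priorities in the order the note lists them, least to most verbose.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_sshd2_config(text):
    """Return active (uncommented) keyword=value settings, lowercased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings

def syslog_levels(text, facility):
    """Priorities of syslog.conf selectors for facility ('none' is not handled)."""
    levels = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for selector in line.split()[0].split(";"):
            fac, _, level = selector.lower().partition(".")
            if fac in (facility, "*") and level in PRIORITIES:
                levels.append(level)
    return levels

def check_sftp_logging(sshd2_config, syslog_conf):
    """Return a list of problems; an empty list means the settings agree."""
    cfg = parse_sshd2_config(sshd2_config)
    facility = cfg.get("sftpsyslogfacility")
    if not facility:
        return ["SftpSyslogFacility is commented out or empty"]
    levels = syslog_levels(syslog_conf, facility)
    if not levels:
        return [f"syslog.conf has no selector for {facility}"]
    # Assumption: debug2, debug3, ... correspond to syslog priority debug.
    wanted = re.sub(r"\d+$", "", cfg.get("loglevel", ""))
    if wanted in PRIORITIES:
        need = PRIORITIES.index(wanted)
        if all(PRIORITIES.index(level) < need for level in levels):
            return [f"{facility} selectors are less verbose than LogLevel={wanted}"]
    return []

# Constructed input: the failing combination described in the note.
BAD_SSHD = "LogLevel=debug3\nSftpSyslogFacility=local7\n"
BAD_SYSLOG = "# Attachmate Reflection for Secure IT SFTP\nlocal7.notice\t/var/log/sftplog\n"

if __name__ == "__main__":
    print(check_sftp_logging(BAD_SSHD, BAD_SYSLOG))
```
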

Disabling SFTP Logging

Follow these steps to disable SFTP logging.

  1. Open the sshd2_config file in a text editor. By default, this file is located in the /etc/ssh2 directory.
  2. Comment out (insert a # at the beginning of the line) the following line:

# SftpSyslogFacility=LOCAL7

  3. Save the file.
  4. Open the syslog.conf file in a text editor. By default, this file is located in the /etc directory.
  5. Remove the following two lines:

# WRQ Reflection for Secure IT SFTP
local7.<level> /var/log/sftplog

  6. Save the file.
  7. Restart the system-log and ssh daemons.

# svcadm restart ssh && svcadm restart system-log

  8. If you want to delete the log, delete the file /var/log/sftplog.

Logging Examples

The following example captures general login/logout information in the sshlog file and sftp get/put information in the sftplog file.

This first example uses facility local7 for ssh and facility local4 for sftp. Because the ssh daemon handles authentication for the sftp subsystem, these settings capture login information to both sshlog and sftplog.

/etc/ssh2/sshd2_config

LogLevel=info
SyslogFacility=local7
SftpSysLogFacility=local4

/etc/syslog.conf

local7.info /var/log/sshlog
local4.info /var/log/sftplog

This example also logs information to the sshlog and sftplog files but increases the priority to debug.

/etc/ssh2/sshd2_config

LogLevel=debug
SyslogFacility=local7
SftpSysLogFacility=local4

/etc/syslog.conf

local7.debug /var/log/sshlog
local4.debug /var/log/sftplog

This example logs to the same two files. The actual settings used are not terribly practical, but this example is included to demonstrate the syntax.

/etc/ssh2/sshd2_config

LogLevel=info
SyslogFacility=local7
SftpSysLogFacility=local7

/etc/syslog.conf

local7.info /var/log/sshlog
local7.info /var/log/sftplog

This example puts everything in a single log, ssh_sftplog.

/etc/ssh2/sshd2_config

LogLevel=info
SyslogFacility=local7
SftpSysLogFacility=local7

/etc/syslog.conf

local7.info /var/log/ssh_sftplog

Sample Log File

The following is a sample log file.

Feb 11 12:52:30 garytasun sftp-server[14090]: [ID 800047 local4.info] info SFTP syslogLevel=1, syslogFacility=8, debugLogLevel=-99.
Feb 11 12:52:30 garytasun sftp-server[14090]: [ID 800047 local4.info] info session opened for local user garyta from [150.215.21.97 60994 150.215.21.162 22]
Feb 11 12:52:30 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose received client version 3
Feb 11 12:52:30 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose realpath "."
Feb 11 12:52:30 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 1: sent names count 1
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta"
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 2: sent attrib have 0xf
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta/"
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 3: sent attrib have 0xf
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 4: sent handle handle 0
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 5: readdir "/export/home/garyta/" (handle 0)
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 5: sent names count 65
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 6: readdir "/export/home/garyta/" (handle 0)
Feb 11 12:52:34 garytasun sftp-server[14090]: [ID 800047 local4.info] info closedir "/export/home/garyta/"
Feb 11 12:52:48 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta/J^H^H^H"
Feb 11 12:52:48 garytasun sftp-server[14090]: [ID 800047 local4.info] info sent status No such file
Feb 11 12:52:57 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta/boug^H"
Feb 11 12:52:57 garytasun sftp-server[14090]: [ID 800047 local4.info] info sent status No such file
Feb 11 12:53:00 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta/bogus"
Feb 11 12:53:00 garytasun sftp-server[14090]: [ID 800047 local4.info] info sent status No such file
Feb 11 12:53:16 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta/Calculator.class"
Feb 11 12:53:16 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 11: sent attrib have 0xf
Feb 11 12:53:16 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta/Calculator.class"
Feb 11 12:53:16 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 12: sent attrib have 0xf
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta/Calculator.class"
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 13: sent attrib have 0xf
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose stat name "/export/home/garyta/Calculator.class"
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 14: sent attrib have 0xf
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose stat name "/export/home/garyta/Calculator.class"
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 15: sent attrib have 0xf
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose stat name "/export/home/garyta/Calculator.class"
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 16: sent attrib have 0xf
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 17: sent handle handle 0
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] audit User garyta from [150.215.21.97 60994 150.215.21.162 22]: opened file /export/home/garyta/Calculator.class, flags=READ
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 18: read "/export/home/garyta/Calculator.class" (handle 0) off 0 len 32768
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 18: sent data len 8379
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.debug] debug(1) request 19: read "/export/home/garyta/Calculator.class" (handle 0) off 8379 len 24389
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] info close "/export/home/garyta/Calculator.class" bytes read 8379 written 0
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] audit User garyta from [150.215.21.97 60994 150.215.21.162 22]: closed file /export/home/garyta/Calculator.class
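
To turn a log like this into a per-file audit trail, the following Python code (an added example, not part of the original technical note or the product) pairs each audit "opened file" line with the matching close line and counts "No such file" responses. The function name is hypothetical, the embedded lines are copied from the sample above, and it assumes one sftp-server PID per session.

```python
import re

# Lines copied from the sample log above (Solaris syslog format with [ID ...] tag).
SAMPLE = '''\
Feb 11 12:53:00 garytasun sftp-server[14090]: [ID 800047 local4.info] verbose lstat name "/export/home/garyta/bogus"
Feb 11 12:53:00 garytasun sftp-server[14090]: [ID 800047 local4.info] info sent status No such file
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] audit User garyta from [150.215.21.97 60994 150.215.21.162 22]: opened file /export/home/garyta/Calculator.class, flags=READ
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] info close "/export/home/garyta/Calculator.class" bytes read 8379 written 0
Feb 11 12:53:34 garytasun sftp-server[14090]: [ID 800047 local4.info] audit User garyta from [150.215.21.97 60994 150.215.21.162 22]: closed file /export/home/garyta/Calculator.class
'''

HEADER = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) sftp-server\[(\d+)\]: \[ID \d+ \S+\] (.*)$")
OPENED = re.compile(r"^audit User (\S+) from \[(\S+) \d+ \S+ \d+\]: opened file (.+), flags=(\S+)$")
CLOSE = re.compile(r'^info close "(.+)" bytes read (\d+) written (\d+)$')

def summarize(log_text):
    """Return (transfers, failed_lookups); failed_lookups is keyed by sftp-server PID."""
    open_files, transfers, failed = {}, [], {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an sftp-server line in the expected format
        when, _host, pid, msg = m.groups()
        if (o := OPENED.match(msg)):
            user, client, path, flags = o.groups()
            open_files[(pid, path)] = {"opened": when, "user": user,
                                       "client": client, "path": path, "flags": flags}
        elif (c := CLOSE.match(msg)):
            path, nread, nwritten = c.group(1), int(c.group(2)), int(c.group(3))
            rec = open_files.pop((pid, path), None)
            if rec:  # a close with no matching audit open is ignored
                rec.update(bytes_read=nread, bytes_written=nwritten)
                transfers.append(rec)
        elif msg == "info sent status No such file":
            failed[pid] = failed.get(pid, 0) + 1
    return transfers, failed

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
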

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2432.