Applies to: All versions of DirectControl-Enabled OpenSSH

Question:
Is it possible to log all file transfers made to a UNIX machine via SFTP?

Answer:
Yes, it is possible to track file transfers done using SFTP. Follow the below steps to set it up:

sftp-server(8) says about loglevel: "INFO and VERBOSE log transactions that sftp-server performs on behalf of the client", and setting this in sshd_config:

Subsystem sftp /usr/share/centrifydc/libexec/sftp-server -f <log_facility> -l <INFO>

On redhat, <log_facility> is authpriv which will log messages into /var/log/secure.

[root@rhel3 log]# grep -i sftp /etc/centrifydc/ssh/sshd_config
Subsystem sftp /usr/share/centrifydc/libexec/sftp-server -f authpriv -l INFO

[root@rhel3 log]# grep authpriv /etc/syslog.conf
# The authpriv file has restricted access.
authpriv.* /var/log/secure

With the above change to sshd_config in place, restart sshd: /etc/init.d/centrify-sshd restart

sftp will now log messages about file transfers into the /var/log/secure as follows:

[root@rhel3 log]# tail secure
Nov 12 16:48:28 rhel3 sftp-server[23389]: session opened for local user root from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: session opened for local user kayla from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: opendir "/"
Nov 12 16:51:49 rhel3 sftp-server[23638]: closedir "/"
Nov 12 16:51:54 rhel3 sftp-server[23638]: open "/password" flags READ mode 0666
Nov 12 16:51:54 rhel3 sftp-server[23638]: close "/password" bytes read 45397 written 0
Nov 12 16:52:23 rhel3 sftp-server[23638]: opendir "/tmp"
Nov 12 16:52:23 rhel3 sftp-server[23638]: closedir "/tmp"
Nov 12 16:52:25 rhel3 sftp-server[23638]: open "/tmp/kset.zone" flags READ mode 0666
Nov 12 16:52:25 rhel3 sftp-server[23638]: close "/tmp/kset.zone" bytes read 36 written 0