
KB-1841: How to track file transfers using SFTP?

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April 2016 at 11:37 AM

Applies to: All versions of DirectControl-Enabled OpenSSH

Question:
Is it possible to log all file transfers made to a UNIX machine via SFTP?

Answer:
Yes. The sftp-server subsystem can log every file operation it performs on behalf of the client to syslog. Set it up as follows:

The sftp-server(8) man page describes the -l log_level option as follows: "INFO and VERBOSE log transactions that sftp-server performs on behalf of the client." Setting the log level to INFO on the Subsystem line in sshd_config turns this logging on; -f selects the syslog facility the messages are sent to:

Subsystem sftp /usr/share/centrifydc/libexec/sftp-server -f <log_facility> -l INFO

On Red Hat, use authpriv as <log_facility>; the default syslog configuration routes authpriv messages to /var/log/secure. Verify both the sshd_config line and the syslog routing:

[root@rhel3 log]# grep -i sftp /etc/centrifydc/ssh/sshd_config
Subsystem sftp /usr/share/centrifydc/libexec/sftp-server -f authpriv -l INFO

[root@rhel3 log]# grep authpriv /etc/syslog.conf
# The authpriv file has restricted access.
authpriv.* /var/log/secure


With the above change to sshd_config in place, restart sshd so that new connections pick up the Subsystem line: /etc/init.d/centrify-sshd restart. SFTP sessions that were already open keep running with the old options; only sessions started after the restart are logged.

sftp-server will now log session and file operations into /var/log/secure as follows. Each line carries the PID of the sftp-server process, which ties the open/close entries back to the "session opened for local user ... from [address]" line of the same session. "bytes read N written 0" on a close means the server read N bytes out of the file to send to the client (a download); an upload shows WRITE in the open flags and a non-zero "written" count. The mode shown on an open line is the permission mode the client requested (0666 is the default when the client sends none), not the file's actual mode. Note also that these messages are emitted by the sftp-server process through syslog; if users are confined with ChrootDirectory, the process cannot reach /dev/log inside the chroot, so nothing is logged unless the syslog daemon also listens on a socket inside the chroot directory.

[root@rhel3 log]# tail secure
Nov 12 16:48:28 rhel3 sftp-server[23389]: session opened for local user root from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: session opened for local user kayla from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: opendir "/"
Nov 12 16:51:49 rhel3 sftp-server[23638]: closedir "/"
Nov 12 16:51:54 rhel3 sftp-server[23638]: open "/password" flags READ mode 0666
Nov 12 16:51:54 rhel3 sftp-server[23638]: close "/password" bytes read 45397 written 0
Nov 12 16:52:23 rhel3 sftp-server[23638]: opendir "/tmp"
Nov 12 16:52:23 rhel3 sftp-server[23638]: closedir "/tmp"
Nov 12 16:52:25 rhel3 sftp-server[23638]: open "/tmp/kset.zone" flags READ mode 0666
Nov 12 16:52:25 rhel3 sftp-server[23638]: close "/tmp/kset.zone" bytes read 36 written 0
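Once the log is in place, the useful next step is to turn it into per-user transfer records. The following is an added example (not part of the Centrify article and not Centrify code) that parses sftp-server INFO lines in the format shown above, correlates each open/close pair with the "session opened" line that carries the same PID, and classifies each transfer as a download or upload from the open flags and byte counts. The sample log is constructed from the excerpt above plus two extra lines (an upload and a "session closed" line, which sftp-server logs at exit) to exercise the other branches; the path names and byte counts in those extra lines are made up.

```python
"""Turn sftp-server INFO log lines (as written to /var/log/secure) into
per-user transfer records. Added example, not code from the article."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the article's excerpt plus an invented upload and a
# "session closed" line (the upload path and byte count are made up).
SAMPLE_LOG = """\
Nov 12 16:48:28 rhel3 sftp-server[23389]: session opened for local user root from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: session opened for local user kayla from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: opendir "/"
Nov 12 16:51:49 rhel3 sftp-server[23638]: closedir "/"
Nov 12 16:51:54 rhel3 sftp-server[23638]: open "/password" flags READ mode 0666
Nov 12 16:51:54 rhel3 sftp-server[23638]: close "/password" bytes read 45397 written 0
Nov 12 16:52:23 rhel3 sftp-server[23638]: opendir "/tmp"
Nov 12 16:52:23 rhel3 sftp-server[23638]: closedir "/tmp"
Nov 12 16:52:25 rhel3 sftp-server[23638]: open "/tmp/kset.zone" flags READ mode 0666
Nov 12 16:52:25 rhel3 sftp-server[23638]: close "/tmp/kset.zone" bytes read 36 written 0
Nov 12 16:53:01 rhel3 sftp-server[23638]: open "/tmp/upload.bin" flags WRITE,CREATE,TRUNCATE mode 0644
Nov 12 16:53:02 rhel3 sftp-server[23638]: close "/tmp/upload.bin" bytes read 0 written 1024
Nov 12 16:53:10 rhel3 sftp-server[23638]: session closed for local user kayla from [172.27.21.84]
"""

# syslog prefix: "<Mon DD HH:MM:SS> <host> sftp-server[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"^session (?P<state>opened|closed) for local user (?P<user>\S+) "
                        r"from \[(?P<ip>[^\]]+)\]$")
OPEN_RE = re.compile(r'^open "(?P<path>.*)" flags (?P<flags>\S+) mode (?P<mode>0[0-7]+)$')
CLOSE_RE = re.compile(r'^close "(?P<path>.*)" bytes read (?P<read>\d+) written (?P<written>\d+)$')


@dataclass
class Transfer:
    timestamp: str
    user: str
    client: str
    path: str
    direction: str      # "download", "upload" or "none"
    bytes_read: int
    bytes_written: int


def direction_from(flags: str, nread: int, nwritten: int) -> str:
    """The open line carries the flags the client asked for; the close line
    carries the bytes the server actually moved. Any write intent or written
    bytes means the client pushed data (upload); a read-only open that moved
    bytes is a download; an open that moved nothing is recorded as "none"."""
    if nwritten > 0 or any(f in flags.split(",") for f in ("WRITE", "CREATE", "TRUNCATE")):
        return "upload"
    if nread > 0:
        return "download"
    return "none"


def parse_transfers(log_text: str) -> List[Transfer]:
    sessions: Dict[str, Dict[str, str]] = {}        # pid -> {"user", "client"}
    pending: Dict[str, Dict[str, str]] = {}         # pid -> {path: open flags}
    transfers: List[Transfer] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                # not an sftp-server line
        pid, msg, ts = m["pid"], m["msg"], m["ts"]
        s = SESSION_RE.match(msg)
        if s:
            if s["state"] == "opened":
                sessions[pid] = {"user": s["user"], "client": s["ip"]}
            else:                                   # session closed: forget the pid
                sessions.pop(pid, None)
                pending.pop(pid, None)
            continue
        o = OPEN_RE.match(msg)
        if o:
            pending.setdefault(pid, {})[o["path"]] = o["flags"]
            continue
        c = CLOSE_RE.match(msg)
        if c:
            flags = pending.get(pid, {}).pop(c["path"], "")
            nread, nwritten = int(c["read"]), int(c["written"])
            # A pid with no "session opened" line (log rotated mid-session,
            # or the line was filtered) is kept but attributed to "unknown".
            who = sessions.get(pid, {"user": "unknown", "client": "unknown"})
            transfers.append(Transfer(ts, who["user"], who["client"], c["path"],
                                      direction_from(flags, nread, nwritten), nread, nwritten))
    return transfers


def bytes_by_user(transfers: List[Transfer]) -> Dict[str, Dict[str, int]]:
    """Total bytes downloaded and uploaded per user, for a quick review."""
    totals: Dict[str, Dict[str, int]] = {}
    for t in transfers:
        d = totals.setdefault(t.user, {"download": 0, "upload": 0})
        if t.direction == "download":
            d["download"] += t.bytes_read
        elif t.direction == "upload":
            d["upload"] += t.bytes_written
    return totals


if __name__ == "__main__":
    records = parse_transfers(SAMPLE_LOG)
    for t in records:
        print(f"{t.timestamp} {t.user}@{t.client} {t.direction:8} {t.path} "
              f"read={t.bytes_read} written={t.bytes_written}")
    print(bytes_by_user(records))
```

Run it against /var/log/secure (for example, `parse_transfers(open("/var/log/secure").read())`) to get one record per file closed, attributed to the user and client address of the session that did it. Directory listings (opendir/closedir) are deliberately ignored; the "none" direction marks files that were opened and closed without moving any data, which is worth keeping since it still shows which paths a client probed.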
