Rocky linux sftp logs are not getting recorded to /var/vlog/sftp.log

I have added the line below to /etc/rsyslog.d/sftplog.conf:

#Output to SFTP.log
local6.* /var/log/sftp.log

and in rsyslog.conf:

# Include all config files in /etc/rsyslog.d/
#includeConfig /etc/rsyslog.d/*.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")

I thought you’d forgotten the special character “*” but once I copied your line it appeared and to see it in a post you have to “\” escape it so now I don’t know why you are not getting the log output. Are you getting any of the other logs configured in /etc/rsyslog.conf?
What is the output of:

systemctl status rsyslog.service

Hey, thank you for the reply,

rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-08-09 12:32:37 UTC; 43s ago
Docs: man:rsyslogd(8)
Main PID: 9054 (rsyslogd)
Tasks: 3 (limit: 48741)
Memory: 1.1M
CPU: 32ms
CGroup: /system.slice/rsyslog.service
└─9054 /usr/sbin/rsyslogd -n

Aug 09 12:32:37 vm-citpsftp02 systemd[1]: Starting System Logging Service...
Aug 09 12:32:37 vm-citpsftp02 systemd[1]: Started System Logging Service.
Aug 09 12:32:37 vm-citpsftp02 rsyslogd[9054]: [origin software="rsyslogd" swVersion="8.2310.0-4.el9" x-pid="9054" x-info="https://www.rsyslog.com"] start
Aug 09 12:32:37 vm-citpsftp02 rsyslogd[9054]: imjournal: journal files changed, reloading... [v8.2310.0-4.el9 try

#$AddUnixListenSocket /home/jailed/username/dev/log
#$AddUnixListenSocket /home/jailed/username/dev/log

#Output to SFTP.log
local6.* /var/log/sftp.log

Here is the sftplog.conf.

You didn't answer whether you are getting the other log files in /var/log/ defined in /etc/rsyslog.conf. This is helpful to know so as to narrow the scope of what is causing the problem.
Does sftp have its own config file(s) in /etc? You might want to look there to see if it defines the logging path. It could be in contradiction to what you have defined in /etc/rsyslog.d/sftp.conf.

$AddUnixListenSocket /home/jailed/folder1dev/log
$AddUnixListenSocket /home/jailed/folder2/dev/log

#Output to SFTP.log
#local6.* /var/log/sftp.log

/etc/rsyslog.d/sftplog.conf

# Log redirection rule for sshd logs containing 'sftp'
if $programname == 'sshd' and $msg contains 'sftp' then /var/log/sftp.log
& stop

I don't see any error with the config validation.

The default logs that capture ssh traffic are:
/var/log/audit/audit
/var/log/secure
Outgoing traffic is not logged at all with the default settings in your machine ssh_config. Incoming traffic only logs the authentication activity but not the transfer protocol. The default log level is INFO. So first it would be necessary to change the default log level to a more informative one in the machine ssh_config, and then do some test scp/sftp transfers and check the two logs identified above in the host and destination machines to see whether you are going to get the filterable traffic to provide output for the rsyslog script.
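The thread combines three pieces: a listener socket that `$AddUnixListenSocket` places inside each chroot (a jailed sftp process cannot reach the real /dev/log), the facility selector `local6.*`, and the filter `$programname == 'sshd' and $msg contains 'sftp'`. The Python below is an added example written for this page, not code from the thread or from rsyslog; it stands in a jail-style Unix datagram socket, pushes constructed syslog datagrams through it, decodes the PRI the way imuxsock does, and applies both rules so you can see which messages each one would actually route to sftp.log. The sample messages are constructed; the program name `internal-sftp` on the transfer lines is an assumption about how the chrooted subsystem identifies itself, and the local6 facility on them assumes the subsystem has been told to log there (sftp-server(8) accepts `-f log_facility` and `-l log_level` for that).

```python
import os
import re
import socket
import tempfile

# RFC 3164 PRI encoding: PRI = facility * 8 + severity.
FACILITIES = {"auth": 4, "authpriv": 10, "local6": 22}
SEVERITIES = {"err": 3, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Constructed sample records (facility, severity, programname, pid, msg).
# 'internal-sftp' as program name is an assumption; the sshd lines mimic
# what authentication logging emits at the default INFO level.
SAMPLE_RECORDS = [
    ("local6", "info", "internal-sftp", 4212, "session opened for local user alice from [192.0.2.10]"),
    ("local6", "info", "internal-sftp", 4212, 'open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644'),
    ("authpriv", "info", "sshd", 4210, "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2"),
    ("authpriv", "info", "sshd", 4210, "subsystem request for sftp by user alice"),
]

TIMESTAMP = "Aug  9 12:40:01"  # fixed so the datagrams are deterministic
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) ([^\[\s:]+)(?:\[(\d+)\])?: (.*)$")


def encode(facility, severity, programname, pid, msg):
    """Build the datagram a syslog(3) client writes to /dev/log."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{TIMESTAMP} {programname}[{pid}]: {msg}".encode()


def parse(raw):
    """Decode PRI, program name and message text from one datagram."""
    m = LINE_RE.match(raw.decode(errors="replace"))
    if not m:
        raise ValueError(f"not a syslog datagram: {raw!r}")
    pri = int(m.group(1))
    return {
        "pri": pri,
        "facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITY_NAMES.get(pri % 8, str(pri % 8)),
        "programname": m.group(3),
        "pid": m.group(4),
        "msg": m.group(5),
    }


def rule_local6(rec):
    """Equivalent of the selector line:  local6.* /var/log/sftp.log"""
    return rec["facility"] == "local6"


def rule_sshd_sftp(rec):
    """Equivalent of:  if $programname == 'sshd' and $msg contains 'sftp' then ..."""
    return rec["programname"] == "sshd" and "sftp" in rec["msg"]


def route(records):
    """Per record, report which of the two rules would write it to sftp.log."""
    return [
        {"msg": r["msg"], "local6": rule_local6(r), "sshd_sftp": rule_sshd_sftp(r)}
        for r in records
    ]


def round_trip(sample=SAMPLE_RECORDS):
    """Bind a jail-style listener socket, send the samples, parse what arrives."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "log")  # plays the role of <chroot>/dev/log
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    listener.bind(sock_path)
    listener.settimeout(2)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        received = []
        for rec in sample:
            client.sendto(encode(*rec), sock_path)  # what the jailed process does
            received.append(parse(listener.recv(8192)))  # what imuxsock does
        return received
    finally:
        client.close()
        listener.close()
        os.unlink(sock_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for row in route(round_trip()):
        print(row)
```

Running it shows the two rules routing different things: the `$programname == 'sshd'` filter matches only the "subsystem request for sftp" line that sshd writes at INFO, while the `local6.*` selector is what catches the per-session and per-file messages, and only if the sftp subsystem is actually logging to that facility and a listener socket exists inside its chroot. If sftp.log stays empty, checking each of those three links separately (is the socket present in the jail, what facility is the subsystem using, is the selector uncommented) narrows the fault faster than editing the rsyslog rule again.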
