SFTP monitoring tools

Posted: 2019/06/07 13:15:31
by cerino
Hi guys, how can I monitor connection and file transfer process on my SFTP server?
My goal is to know who is connected (username) and if one or more file transfer processes are in execution (upload or download).
What do you do in this case or what tools do you usually use?

Thank you!

Re: SFTP monitoring tools

Posted: 2019/06/07 14:55:10
by TrevorH
You will find that sftp connections are logged in /var/log/secure as it's using openssh to do the connections. What is transferred is another question entirely.

Re: SFTP monitoring tools

Posted: 2019/06/07 14:58:52
by stevemowbray
Change the logging on the sftp subsystem in /etc/ssh/sshd_config e.g.

Subsystem       sftp    /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO

That then logs all file access to wherever you configure your rsyslog to log them, /var/log/secure by default.
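
Added example, not part of the post above or of the thread: a Python sketch that reads the session and open/close lines sftp-server writes at -l INFO and reports who is still connected, which files they have open, and which transfers have completed. The log lines are constructed samples, and the names SAMPLE_LOG and parse are hypothetical.

```python
import re

# Constructed sample of /var/log/secure with the sftp subsystem at -l INFO.
SAMPLE_LOG = """\
Jun  7 15:01:02 host1 sshd[4100]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Jun  7 15:01:02 host1 sftp-server[4102]: session opened for local user alice from [192.0.2.10]
Jun  7 15:01:05 host1 sftp-server[4102]: open "/home/alice/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Jun  7 15:01:09 host1 sftp-server[4102]: close "/home/alice/report.csv" bytes read 0 written 20480
Jun  7 15:02:11 host1 sftp-server[4150]: session opened for local user bob from [198.51.100.7]
Jun  7 15:02:15 host1 sftp-server[4150]: open "/srv/data/dump.tar" flags READ mode 0666
Jun  7 15:03:00 host1 sftp-server[4102]: session closed for local user alice from [192.0.2.10]
"""

# internal-sftp logs the same messages under its own process name.
LINE = re.compile(r'(?:sftp-server|internal-sftp)\[(\d+)\]: (.*)$')
OPENED = re.compile(r'session opened for local user (\S+) from \[([^\]]+)\]')
OPEN = re.compile(r'open "(.*)" flags (\S+) mode')        # 'open "' never matches opendir
CLOSE = re.compile(r'close "(.*)" bytes read (\d+) written (\d+)')

def parse(log_text):
    """Return (sessions still open keyed by PID, list of completed transfers)."""
    sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # sshd auth lines and other noise
        pid, msg = m.group(1), m.group(2)
        if (s := OPENED.match(msg)):
            sessions[pid] = {"user": s.group(1), "ip": s.group(2), "open_files": {}}
        elif msg.startswith("session closed"):
            sessions.pop(pid, None)
        elif pid in sessions:
            if (o := OPEN.match(msg)):
                # WRITE in the flags means the client is uploading to the server.
                direction = "upload" if "WRITE" in o.group(2) else "download"
                sessions[pid]["open_files"][o.group(1)] = direction
            elif (c := CLOSE.search(msg)):
                direction = sessions[pid]["open_files"].pop(c.group(1), "unknown")
                finished.append((sessions[pid]["user"], direction, c.group(1),
                                 int(c.group(2)), int(c.group(3))))
    return sessions, finished

if __name__ == "__main__":
    active, done = parse(SAMPLE_LOG)
    for pid, s in active.items():
        print(f"connected: {s['user']} from {s['ip']} (pid {pid}) in progress: {s['open_files']}")
    for user, direction, path, rd, wr in done:
        print(f"finished: {user} {direction} {path} read={rd} written={wr}")
```

Sessions are keyed by PID, so feed it a single log file in order; a PID reused after a missed "session closed" line would be attributed to the newer session.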

Re: SFTP monitoring tools

Posted: 2019/06/10 08:08:29
by cerino
Thank you!
Sounds good, so I can send log to my Loganalyzer server.

What is the difference between:

Subsystem sftp internal-sftp
and

Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
Thanks!

Re: SFTP monitoring tools

Posted: 2019/07/01 23:33:07
by jscarville
cerino wrote:
2019/06/10 08:08:29
Thank you!
Sounds good, so I can send log to my Loganalyzer server.

What is the difference between:

Subsystem sftp internal-sftp
and

Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
Thanks!
Not much. They are built from the same code and support the same options. The big difference is that sftp-server is an external process and internal-sftp is built into the sshd executable. This means that if you want to use chroot then internal-sftp is a lot easier.