We have an SFTP server. I am trying to find out whether some specific files have been deleted from the server, or whether they were even imported to the server in the first place. I'm going through the log files under /var/log but couldn't find any relevant logs so far.
I'm wondering in which log file I can find such information?
Any help would be appreciated.
Updated:
Based on the answer and the link, I have modified the config file; the relevant parts look like this:

    Subsystem sftp internal-sftp -f AUTH -l INFO

    # Force sftp and chroot jail for members of sftp group
    Match group sftp
    ForceCommand internal-sftp
    ChrootDirectory /sftp/%u

    # Members of sftp-glob have access to all user folders
    Match group sftp-glob
    ForceCommand internal-sftp
    ChrootDirectory /sftp

    # Enable this for more logs
    LogLevel VERBOSE

Then restarted sshd:

    sudo systemctl restart sshd

In this case I can only see the logs created by the admin user (me) under /var/log/auth.log:

    Jan 17 12:57:50 ios-sftp internal-sftp[5262]: remove name "/tmp/test.txt"

For logging the chrooted users' actions I have done this:

    cd /sftp
    sudo mkdir dev
    sudo chmod 755 dev
    sudo touch dev/log
    sudo mount --bind /dev/log dev/log

However, I still can't see the other users' logs in /var/log/auth.log if they upload or delete files.
It started to work after fixing the config file by changing "ForceCommand internal-sftp" to "ForceCommand internal-sftp -f AUTH -l INFO":

    Subsystem sftp internal-sftp -f AUTH -l INFO

    # Force sftp and chroot jail for members of sftp group
    Match group sftp
    ForceCommand internal-sftp -f AUTH -l INFO
    ChrootDirectory /sftp/%u

    # Members of sftp-glob have access to all user folders
    Match group sftp-glob
    ForceCommand internal-sftp -f AUTH -l INFO
    ChrootDirectory /sftp

    # Enable this for more logs
    LogLevel VERBOSE

Now I can see the logs under /var/log/auth.log:

    Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58
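
With these lines in auth.log, "was this file uploaded or deleted, and by whom" can be answered by joining each internal-sftp line to the session that owns its PID. The script below is an added example, not part of the original post; the user alice, the address 192.0.2.10, the path /folder1/old.xml and the session/open/close line formats are assumptions modelled on the INFO-level lines shown above.

```python
import re

# Constructed sample of /var/log/auth.log. Only the first "remove" line and the
# "set ... modtime" line come from the post; every other line is an assumption.
SAMPLE_LOG = """\
Jan 17 12:57:50 ios-sftp internal-sftp[5262]: remove name "/tmp/test.txt"
Jan 18 10:12:59 user-sftp internal-sftp[7466]: session opened for local user alice from [192.0.2.10]
Jan 18 10:13:01 user-sftp internal-sftp[7466]: open "/folder1/folder2/myfile.xml" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 18 10:13:02 user-sftp internal-sftp[7466]: close "/folder1/folder2/myfile.xml" bytes read 0 written 2048
Jan 18 10:13:02 user-sftp internal-sftp[7466]: set "/folder1/folder2/myfile.xml" modtime 20210106-10:32:58
Jan 18 10:14:10 user-sftp internal-sftp[7466]: remove name "/folder1/old.xml"
Jan 18 10:14:30 user-sftp internal-sftp[7466]: session closed for local user alice from [192.0.2.10]
"""

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ internal-sftp\[(\d+)\]: (.*)$')
SESSION = re.compile(r'session (opened|closed) for local user (\S+) from ')
# A "close" with bytes written > 0 is treated as an upload, otherwise as a download.
EVENTS = [
    ("remove", re.compile(r'remove name "(.*)"$')),
    ("modtime", re.compile(r'set "(.*)" modtime \S+$')),
    ("transfer", re.compile(r'close "(.*)" bytes read (\d+) written (\d+)$')),
]

def file_events(log_text):
    """Return (timestamp, user, action, path) for each file change found."""
    users, found = {}, []   # users maps an internal-sftp PID to a login name
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        s = SESSION.match(msg)
        if s:
            # Bind the PID to the user on open, drop it on close (PIDs get reused).
            if s.group(1) == "opened":
                users[pid] = s.group(2)
            else:
                users.pop(pid, None)
            continue
        for action, pattern in EVENTS:
            e = pattern.match(msg)
            if e:
                if action == "transfer":
                    action = "upload" if int(e.group(3)) > 0 else "download"
                # "unknown": no session-open line seen, e.g. it is in a rotated file.
                found.append((stamp, users.get(pid, "unknown"), action, e.group(1)))
                break
    return found
```

Paths in the output are relative to each user's ChrootDirectory, so the same path from two users can refer to different files on disk.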