I'm using CentOS, and I have already figured out how to enable SFTP logging. After that, when I test it by using FileZilla (from the user end) and tail -f /var/log/sftp.log from the server, all the activities from the users are surely logged. Working great!
But I still have some important questions related to this, as below:
For example:
Feb 27 02:59:31 myhostname sftp-server[13307]: session opened for local user michael from [10.xxx.xxx.xxx]
Feb 27 03:01:00 myhostname sftp-server[13312]: session opened for local user jimmy from [10.xxx.xxx.xxx]
...
...
Feb 27 04:00:34 myhostname sftp-server[13307]: mkdir name "/var/www/html/nnnnn" mode 0777
...
Feb 27 04:01:30 myhostname sftp-server[13307]: rmdir name "/var/www/html/nnnnn"
Feb 27 04:01:30 myhostname sftp-server[13307]: opendir "/var/www/html"
Feb 27 04:01:30 myhostname sftp-server[13307]: closedir "/var/www/html"
There is NO USERNAME mentioned in the lines themselves (except for the login/logout actions).
And the other question is:
Any idea please?
Here's some sample log file output:
Feb 26 23:04:55 pegasus internal-sftp[32524]: session opened for local user joeuser from [123.123.123.123]
Feb 26 23:04:57 pegasus internal-sftp[32524]: opendir "/home/joeuser"
Feb 26 23:04:58 pegasus internal-sftp[32524]: closedir "/home/joeuser"
Feb 26 23:05:01 pegasus internal-sftp[32524]: opendir "/home/joeuser/"
Feb 26 23:05:01 pegasus internal-sftp[32524]: closedir "/home/joeuser/"
Feb 26 23:05:02 pegasus internal-sftp[32524]: opendir "/home/joeuser/upload"
Feb 26 23:05:02 pegasus internal-sftp[32524]: closedir "/home/joeuser/upload"
Feb 26 23:05:07 pegasus internal-sftp[32524]: opendir "/home/joeuser/upload"
Feb 26 23:05:07 pegasus internal-sftp[32524]: closedir "/home/joeuser/upload"
Feb 26 23:05:09 pegasus internal-sftp[32524]: session closed for local user joeuser from [123.123.123.123]
If you take notice of the output above, there is a number between square brackets, internal-sftp[32524]. The number is 32524. This represents the session ID for user joeuser, so you can use this string to tie together which messages relate to which user's login.
You can modify the log rotation schedule for various logs under /etc/logrotate.d/*. Each log file typically has a corresponding file in this directory. So you could change the syslog file there, for example, or create your own for your sftp.log logfile.
Also, logrotate has a configuration file, /etc/logrotate.conf, which contains these lines:
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
These are what the files in the /etc/logrotate.d directory use if they don't have a setting of their own. So most files are rotated weekly and 4 of them are kept. If you wanted to keep 6 months, it would be 4*6 = 24, roughly, for the rotate option.
Given you're logging to /var/log/sftp.log via syslog, you'll need to make your changes in this file, /etc/logrotate.d/syslog. Your file will look like this after making the required changes:
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
/var/log/sftp.log
{
rotate 24
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
Since you're using syslog, you'll have to rotate all these log files as well, keeping 24 weeks' worth of these as well. If this is unacceptable, then your only other course of action would be to create a separate section in this file, syslog, like so:
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
/var/log/sftp.log
{
rotate 24
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
This has some side effects, one of which is that you will be restarting the syslog daemon twice a week instead of once. However, when the log files are generated by the same service, i.e. syslog, the logrotate syntax doesn't allow fine-grained control over the rotation schedule of some log files without rotating the others.
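The PID-based correlation the answer describes, as an added Python example that is not from the original post: it binds each sftp-server[PID] to the user named in its "session opened" line, tags every later operation from that PID with the user, and drops the binding at "session closed" so a reused PID is not charged to the previous user. The log lines are constructed to resemble the question's sample; hostnames and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample modelled on the question's sftp.log lines (not real traffic);
# the last line reuses PID 13307 after michael's session closed.
SAMPLE_LOG = """\
Feb 27 02:59:31 myhostname sftp-server[13307]: session opened for local user michael from [10.0.0.5]
Feb 27 03:01:00 myhostname sftp-server[13312]: session opened for local user jimmy from [10.0.0.6]
Feb 27 04:00:34 myhostname sftp-server[13307]: mkdir name "/var/www/html/nnnnn" mode 0777
Feb 27 04:01:30 myhostname sftp-server[13307]: rmdir name "/var/www/html/nnnnn"
Feb 27 04:02:10 myhostname sftp-server[13312]: opendir "/home/jimmy"
Feb 27 04:05:00 myhostname sftp-server[13307]: session closed for local user michael from [10.0.0.5]
Feb 27 04:06:00 myhostname sftp-server[13307]: opendir "/tmp"
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     r"(?:sftp-server|internal-sftp)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"^session (?P<event>opened|closed) for local user "
                        r"(?P<user>\S+) from \[(?P<ip>[^\]]+)\]$")


def attribute_operations(log_text):
    """One dict per sftp line with the user bound to that PID at the time.
    'session opened' binds the PID, 'session closed' unbinds it, so a later
    line with a reused PID stays unattributed rather than charged to the old user."""
    bound = {}          # pid -> (user, ip) for sessions currently open
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # syslog may interleave other daemons' lines
        pid, msg = m["pid"], m["msg"]
        s = SESSION_RE.match(msg)
        if s and s["event"] == "opened":
            bound[pid] = (s["user"], s["ip"])
        user, ip = bound.get(pid, (None, None))
        records.append({"ts": m["ts"], "pid": pid, "user": user, "ip": ip, "msg": msg})
        if s and s["event"] == "closed":
            bound.pop(pid, None)
    return records


def operations_per_user(records):
    """Count file-system operations (session open/close excluded) per user."""
    counts = Counter()
    for r in records:
        if not SESSION_RE.match(r["msg"]):
            counts[r["user"] or "<unattributed>"] += 1
    return dict(counts)
```

Feed it the real /var/log/sftp.log text to get a per-user view of mkdir/rmdir/opendir activity; lines tagged "<unattributed>" are ones whose PID had no open session at the time and deserve a closer look.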