Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
C
C
custos2014-06-08 12:19:35
linux
custos, 2014-06-08 12:19:35

CentOS 6.5: need to write internal-sftp and sshd logs to different files

Clean and completely updated Centos 6.5, OpenSSH version 5.3p1-94.el6, classic settings:
/etc/rsyslog.d/sftp.conf

$AddUnixListenSocket /var/www/vhosts/user1/dev/log
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~

/etc/ssh/sshd_config
Subsystem       sftp    internal-sftp -l VERBOSE
Match Group sftp
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -l VERBOSE

User user1 , home= /var/www/vhosts/user1 , group= sftp
The problem is that everything works as it should, only if you remove ChrootDirectory from the settings, even ChrootDirectory / does not help. Actually, this is what should be:
/var/log/secure
Jun  8 12:08:01 srv sshd[10371]: Accepted password for user1 from IP port 38817 ssh2
Jun  8 12:08:01 srv sshd[10371]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Jun  8 12:08:01 srv sshd[10373]: subsystem request for sftp
...

/var/log/sftp.log
Jun  8 12:08:01 srv internal-sftp[10374]: session opened for local user user1 from [IP]
Jun  8 12:08:01 srv internal-sftp[10374]: received client version 3
Jun  8 12:08:01 srv internal-sftp[10374]: opendir "/"
Jun  8 12:08:01 srv internal-sftp[10374]: closedir "/"
...

If you enable ChrootDirectory , all logs go to /var/log/secure from sshd with its Level and Facility, so separating them into different files is no longer realistic, here is an example
Jun  8 12:11:01 srv sshd[10825]: Accepted password for user1 from IP port 38821 ssh2
Jun  8 12:11:01 srv sshd[10825]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Jun  8 12:11:01 srv sshd[10827]: subsystem request for sftp
Jun  8 12:11:01 srv sshd[10828]: session opened for local user user1 from [IP]
Jun  8 12:11:01 srv sshd[10828]: received client version 3
Jun  8 12:11:01 srv sshd[10828]: opendir "/"
Jun  8 12:11:01 srv sshd[10828]: closedir "/"
...

I went over the options, but nothing good came of it:
1) The presence of an additional rsyslog socket does not affect anything, scattered it almost the entire file system, with no visible result.
2) The user's home directory is essentially not important either, of course, if you specify the absolute path in jail or% u, so I left the option above as the most convenient ... I also tried the root.
3) Advanced rsyslog rule script scheme (version 5.8.10) does not work. Alternatively, one could write for example:
if $programname == 'sshd' and ($msg startswith 'open' or $msg startswith 'close' ...) then /var/log/sftp.log

This is where my bright ideas ended ... tell me, please, what could I have missed?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
T
Troodi Larson2018-02-28 16:22:25
Console proxy? 2Reply
Y
Yupa201711232018-02-28 18:14:11
Why in SunOS 5, SubBlade1000, instead of c2t1d0s0, the disk is defined as c2t2100002037f0da78d0s2? 1Reply
V
vlarkanov2020-04-30 08:52:38
Postfix: how to use it as a relay for Office 365? 1Reply
O
okazymyrov2011-09-23 17:51:35
Keyboard layout in linux 1Reply
T
timur1022018-03-01 15:50:53
What OC will not lag? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question