Auditing (Message Logging)

The following auditing services are always enabled.

  • Login history

  • Currently logged in users

  • Failed logins

You can also configure additional auditing to maintain a record of file transfer activity. This auditing is not enabled by default. For more information, see Configure File Transfer Auditing.

The table below summarizes keywords used for configuring auditing.

Keyword

Description

AuditLog

Specifies whether or not an audit log is created. Valid values are 'sftp' and 'none'.

When 'sftp' is specified, a comma-delimited log file containing a detailed record of file transfer activity is created in the location specified by AuditLog.Directory. The first line of the audit log file, shown here, identifies the logged content: UserID,ClientIP,Action,ServerFilename,StartTime,EndTime,ServerFileModificationTime,ServerFileSize,BytesTransferred,Result,Reason,ServerFileHash.

The default is 'none'.

AuditLog.Directory

The output location for audit logs. A new log is created each day using this name format: sshd2-audit-YYYYMMDD.log, where YYYYMMDD indicates the date. When AuditLog = sftp, this file is created the first time a client user transfers a file, or when you restart the server.

The default is /etc/ssh2/logs.

AuditLog.Sftp.WithHash

Specifies whether or not sftp log entries include a file hash. The hash value can be used to identify multiple records that log transfers of the same file. Each time an unchanged file is transferred, the hash value in the log is identical. If a file is changed, the hash value is different.

The default is 'yes'.

SyslogFacility

A facility code for sshd messages. The value of SyslogFacility must correspond to a facility specified in syslog.conf.

The default is 'AUTH'.

SftpSysLogFacility

A facility code for sftp-server messages. When no value is configured (the default), sftp-server uses the current facility configured for sshd. Use SftpSysLogFacility to specify an alternate facility for sftp-server logging. Sending sftp messages to a different facility is often useful for auditing.

The value of SftpSysLogFacility must correspond to a facility specified in syslog.conf.

SftpLogCategory

Specifies which categories of sftp server messages are sent to the facility specified by SftpSysLogFacility.

The default is 'loginlogout,directorylistings,downloads,modifications,uploads', which configures logging of all categories. You can specify any of those options, plus 'all', or 'none'.

LogLevel

The level of logging to SyslogFacility and SftpSysLogFacility. After the configuration file is read, messages are processed according to rules defined in syslog.conf.

This level applies to both sshd and sftp logging.
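
The following is an added example, not part of the product documentation: one way to review an sftp audit log written with AuditLog = sftp and AuditLog.Sftp.WithHash = yes, using the documented header line to parse records and the ServerFileHash column to find repeated transfers of the same file and files whose content changed. The sample records, including the Action and Result words, the timestamp placeholders and the hash strings, are constructed for illustration; the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# First line of the audit log, as documented for AuditLog = sftp.
HEADER = ("UserID,ClientIP,Action,ServerFilename,StartTime,EndTime,"
          "ServerFileModificationTime,ServerFileSize,BytesTransferred,"
          "Result,Reason,ServerFileHash")

# Constructed sample records. Every value is invented for illustration,
# including the Action/Result words, the timestamp placeholders and the hashes.
SAMPLE_LOG = HEADER + """
alice,192.0.2.10,download,/data/report.csv,t1,t2,t0,2048,2048,success,,aaa111
bob,192.0.2.22,download,/data/report.csv,t3,t4,t0,2048,2048,success,,aaa111
alice,192.0.2.10,upload,/data/report.csv,t5,t6,t5,4096,4096,success,,bbb222
carol,198.51.100.7,download,/data/report.csv,t7,t8,t5,4096,4096,success,,bbb222
bob,192.0.2.22,download,/data/notes.txt,t9,t10,t0,512,512,success,,ccc333
"""

def read_audit(stream):
    """Parse an audit log; reject input whose first line is not the documented header."""
    reader = csv.DictReader(stream)
    if reader.fieldnames != HEADER.split(","):
        raise ValueError("unexpected audit log header: %r" % (reader.fieldnames,))
    return [row for row in reader if row["ServerFileHash"]]  # skip records without a hash

def repeated_transfers(rows):
    """Map each hash seen more than once to (UserID, ClientIP, Action) of every record."""
    by_hash = defaultdict(list)
    for r in rows:
        by_hash[r["ServerFileHash"]].append((r["UserID"], r["ClientIP"], r["Action"]))
    return {h: recs for h, recs in by_hash.items() if len(recs) > 1}

def changed_files(rows):
    """Map each ServerFilename logged with several hashes to those hashes, first seen first."""
    seen = defaultdict(list)
    for r in rows:
        hashes = seen[r["ServerFilename"]]
        if r["ServerFileHash"] not in hashes:
            hashes.append(r["ServerFileHash"])
    return {name: hs for name, hs in seen.items() if len(hs) > 1}

if __name__ == "__main__":
    rows = read_audit(io.StringIO(SAMPLE_LOG))
    for h, recs in repeated_transfers(rows).items():
        print(h, recs)
    for name, hs in changed_files(rows).items():
        print(name, "changed:", " -> ".join(hs))
```

To review a real log, pass an open sshd2-audit-YYYYMMDD.log file from AuditLog.Directory to read_audit in place of the constructed sample.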