File Transfer Auditing

To maintain a detailed record of file transfer activity, you can configure the server to create file transfer logs. This logging is not enabled by default.

To enable file transfer auditing

  1. Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.

  2. Set AuditLog to 'sftp' as shown here:

    AuditLog = sftp
  3. (Optional) Edit the values for AuditLog.Directory (where the log files are written) and/or AuditLog.Sftp.WithHash (whether a hash of the server-side file is recorded in each entry's ServerFileHash field). The default values are:

    AuditLog.Directory=/etc/ssh2/logs
    AuditLog.Sftp.WithHash=yes
  4. Save your changes to the configuration file.

When audit logging is enabled, Reflection for Secure IT creates a new log each day in the specified audit log directory. Audit logs use this name format: sshd2-audit-YYYYMMDD.log, where YYYYMMDD indicates the date.

Log files are created in comma-delimited format. The first line of the audit log file, shown here, identifies the logged content:

UserID, ClientIP, Action, ServerFilename, StartTime, EndTime, ServerFileModificationTime, ServerFileSize, BytesTransferred, Result, Reason, ServerFileHash
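The header above is enough to build a small triage tool. The following is an added example written for this page, not code shipped with Reflection for Secure IT: it parses an audit log using the documented column list, validates the header so a reordered column cannot silently shift fields, and then answers the questions a reviewer usually asks first (which transfers failed, which moved fewer bytes than the file holds, how much each user moved, which came from outside trusted networks, and whether the hash column is actually populated). The log content is constructed; the Action and Result vocabulary, timestamps and hash strings are assumptions for illustration, since the page only documents the column names.

```python
import csv
import io
import ipaddress

# Column names exactly as written in the first line of an sshd2-audit-YYYYMMDD.log file.
AUDIT_COLUMNS = [
    "UserID", "ClientIP", "Action", "ServerFilename", "StartTime", "EndTime",
    "ServerFileModificationTime", "ServerFileSize", "BytesTransferred",
    "Result", "Reason", "ServerFileHash",
]

# Constructed sample log, not a capture from a real server. Only the header row is
# documented; the Action/Result words, timestamps and hash strings are made up.
SAMPLE_LOG = """\
UserID, ClientIP, Action, ServerFilename, StartTime, EndTime, ServerFileModificationTime, ServerFileSize, BytesTransferred, Result, Reason, ServerFileHash
alice,10.0.0.5,download,/home/alice/report.pdf,2024-03-01 09:00:01,2024-03-01 09:00:03,2024-02-28 17:12:44,204800,204800,success,,1a2b3c4d5e6f
bob,10.0.0.9,upload,/home/bob/backup.tar,2024-03-01 09:05:10,2024-03-01 09:06:40,2024-03-01 09:06:40,52428800,52428800,success,,6f5e4d3c2b1a
bob,10.0.0.9,download,/home/bob/secret.key,2024-03-01 09:07:00,2024-03-01 09:07:00,2024-02-20 10:00:00,2048,0,failure,permission denied,
carol,203.0.113.7,download,/home/carol/dump.sql,2024-03-01 09:10:00,2024-03-01 09:10:30,2024-03-01 08:59:59,104857600,5242880,failure,connection closed,
"""


def parse_audit_log(text):
    """Parse one audit log into dicts keyed by the documented column names.

    The header row is checked against AUDIT_COLUMNS so a renamed or reordered
    column raises instead of quietly mislabeling every field that follows.
    """
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    if header != AUDIT_COLUMNS:
        raise ValueError(f"unexpected audit log header: {header}")
    records = []
    for row in reader:
        if not row:
            continue
        rec = dict(zip(AUDIT_COLUMNS, (field.strip() for field in row)))
        # The two byte counts are the only fields this tool does arithmetic on.
        rec["ServerFileSize"] = int(rec["ServerFileSize"])
        rec["BytesTransferred"] = int(rec["BytesTransferred"])
        records.append(rec)
    return records


def failed_transfers(records):
    """Transfers whose Result is not 'success', with the Reason the server logged."""
    return [(r["UserID"], r["ServerFilename"], r["Reason"])
            for r in records if r["Result"].lower() != "success"]


def incomplete_transfers(records):
    """Transfers where bytes moved differ from the size of the file on the server."""
    return [(r["UserID"], r["ServerFilename"], r["BytesTransferred"], r["ServerFileSize"])
            for r in records if r["BytesTransferred"] != r["ServerFileSize"]]


def bytes_by_user(records):
    """Total bytes moved per user, for spotting unusual volume."""
    totals = {}
    for r in records:
        totals[r["UserID"]] = totals.get(r["UserID"], 0) + r["BytesTransferred"]
    return totals


def transfers_from_outside(records, trusted_networks):
    """Records whose ClientIP falls outside every trusted CIDR range."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    ip_of = lambda r: ipaddress.ip_address(r["ClientIP"])
    return [(r["UserID"], r["ClientIP"], r["ServerFilename"])
            for r in records if not any(ip_of(r) in n for n in nets)]


def successes_without_hash(records):
    """Successful transfers with an empty ServerFileHash. With
    AuditLog.Sftp.WithHash=yes that column should be filled in, so a hit
    is a hint that hashing was turned off on the server."""
    return [r["ServerFilename"] for r in records
            if r["Result"].lower() == "success" and not r["ServerFileHash"]]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print("failed:", failed_transfers(recs))
    print("incomplete:", incomplete_transfers(recs))
    print("bytes by user:", bytes_by_user(recs))
    print("from outside:", transfers_from_outside(recs, ["10.0.0.0/8"]))
    print("no hash:", successes_without_hash(recs))
```

To run it against a real server, read the day's file from AuditLog.Directory (sshd2-audit-YYYYMMDD.log) into parse_audit_log instead of SAMPLE_LOG. Keep in mind the caveats in the note below: SCP1 transfers never appear, and with SmartFileTransfer enabled a transfer of an identical file may leave no record at all, so an empty result from these checks is not proof that nothing moved.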

NOTE:

  • The server logs sftp transfers and scp transfers that use SCP2 (a file transfer implementation that runs over the SFTP subsystem). Transfers using SCP1 (an early implementation of the SCP protocol used by OpenSSH) are not logged.

  • When SmartFileTransfer is enabled (the default), the server may not create an audit record when the client and server files are identical. To ensure that transfers of identical files create an audit record, set SmartFileTransfer to no.

  • If users have been limited to a home directory for sftp protocol connections (using ChrootSftpUsers or ChrootSftpGroups), the audit log directory must be located inside that home directory, because the chrooted session cannot write outside it. Because of this limitation, audit logging only works for chrooted users if they share the same home directory.