Hello
I would like to ask you for any assistance regarding sftp-server logging.
Till now I used openssh-4.4p1.sftplogging-v1.5.patch + openssh-4.4p1, which was
later replaced by the filecontrol patch. With openssh-4.4p1.sftplogging-v1.5.patch
I could specify SFTP server logging in sshd_config like this:
LogSftp yes
SftpLogFacility LOCAL7
SftpLogLevel INFO
That did sftp logging like the following:
Oct 10 11:57:20 vision sftp-server[23768]: opendir /home/reeusda/www
Oct 10 11:58:25 vision sftp-server[23768]: realpath /home/reeusda/www/1700
Oct 10 11:58:25 vision sftp-server[23768]: opendir /home/reeusda/www/1700
Oct 10 11:58:29 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew
Oct 10 11:58:29 vision sftp-server[23768]: opendir /home/reeusda/www/1700/whatnew
Oct 10 11:58:32 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew/03
Oct 10 11:58:32 vision sftp-server[23768]: opendir /home/reeusda/www/1700/whatnew/03
Oct 10 11:58:38 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew/03
Oct 10 11:58:38 vision sftp-server[23768]: setting file creation mode to 0666 and umask to 2
Oct 10 11:58:38 vision sftp-server[23768]: open /home/reeusda/www/1700/whatnew/03/administrative_officers_mt.htm
Oct 10 11:58:38 vision sftp-server[23768]: open /u/mikem/temp/somefile.file
Oct 10 11:58:38 vision sftp-server[23768]: writing 32768 bytes to file
The Sftpfilecontrol patch doesn't have the described functionality because, as
stated: "Openssh versions 4.4p1 and up provide sftp logging, so this has
been taken out of the patch."
... but even after setting LogLevel to DEBUG3, I cannot see the file logging
info. The log looks like this:
Mar 30 10:12:59 sftp2 sshd[18519]: [ID 800047 local7.info] Connection from 212.200.223.201 port 14170
Mar 30 10:13:00 sftp2 sshd[18519]: [ID 800047 local7.info] Failed none for ftp_op from 212.200.223.201 port 14170 ssh2
Mar 30 10:13:00 sftp2 sshd[18519]: [ID 800047 local7.info] Accepted keyboard-interactive/pam for ftp_op from 212.200.223.201 port 14170 ssh2
Mar 30 10:13:00 sftp2 sshd[18519]: [ID 800047 local7.info] User child is on pid 18522
Mar 30 10:13:00 sftp2 sshd[18522]: [ID 800047 local7.info] subsystem request for sftp
Mar 30 10:24:23 sftp2 sshd[18522]: [ID 800047 local7.info] Connection closed by 212.200.223.201
Mar 30 10:24:23 sftp2 sshd[18522]: [ID 800047 local7.info] Transferred: sent 14952, received 2608 bytes
Mar 30 10:24:23 sftp2 sshd[18522]: [ID 800047 local7.info] Closing connection to 212.200.223.201 port 14170
...no info about chdir, fileopen, write, filedelete ...
I need to log file access, creation and deletion ... (audit reasons) This is
needed for my service audit purposes.
Any RTFM hint if the logging granularity listed above is possible?
Thank you in advance
Alex