4

Hello people of the stackexchange,

I am having a little difficulty trying to find a location of a particular log file which i'm hoping someone on here could help me with.

What i am trying to do is list the login dates/times for a particular user on our sftp server. From researching online i have so far come up

cat /var/log/auth.log | grep "username" which has listed some of the logins but not as far back as i am looking for.

I have also tried

last -n 1000 | grep "username" but unfortunately this only seems to work for ssh access to the server rather than sftp (as far as i am aware)

Can anyone think of any other methods of listing the logins from a particular user of an sftp user?

many thanks in advance, daark. N.B. the user is chrooted to their own home directory if that helps in any way.

Edit: I didn't notice some of the archive files in the first instance, these gave me up to one month worth of logins which is better. New question: By default how long does CentOs hold onto the archived auth logs? If it is more than one month where do the older archives move to? I have checked the logrotate.conf and there is no mention of /var/log/auth.log so i'm assuming it is using default values.

Edit:Edit I think I may have found the answer I was looking for but posting this anyway just in case it is of any use to some one else.

The logrotate script is /etc/logrotate.d/rsyslog. By default these rotate weekly and store up to 4 weeks worth of logs.

I do not yet have the reputation to put this as an answer but if an admin see's this please feel free to close it.

Best wishes ~ daark

Improve this question

1 Answer 1

Reset to default
3

On CentOS 6, /var/log/secure contains output from sshd, which launches the sftp subserver. By default, you will see messages similar to the following, but not much more:

Feb 25 12:34:56 server sshd[1234]: Accepted password for user from 1.2.3.4 port 12345 ssh2
Feb 25 12:34:56 server sshd[1234]: pam_unix(sshd:session): session opened for user user by (uid=0)
Feb 25 12:34:57 server sshd[1234]: subsystem request for sftp

If you want to have more visibility into sftp actions, like which files have been transferred, modify the following line in /etc/ssh/sshd_config:

Subsystem       sftp    /usr/libexec/openssh/sftp-server

to be

Subsystem       sftp    /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO

and then restart sshd:

# service sshd restart

Then you will have the default logs plus logs like the following:

Feb 25 12:34:56 server sftp-server[1234]: session opened for local user user from 1.2.3.4
Feb 25 12:34:56 server sftp-server[1234]: opendir "/home/user/"
Feb 25 12:34:56 server sftp-server[1234]: closedir "/home/user/"
Feb 25 12:34:56 server sftp-server[1234]: open "/home/user/test" flags READ mode 0666
Feb 25 12:34:56 server sftp-server[1234]: close "/home/user/test" bytes read 1234 written 0
Feb 25 12:34:56 server sftp-server[1234]: session closed for local user user from 1.2.3.4
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.