Where would you find SCP logs?

I can't seem to get SCP logs (on the server) to show up anywhere. I've searched through quite a few pages, including:

scp / ssh log on ssh-server

I've tried on 10.04 (yes, EOL, etc.) with OpenSSH 5.3 and 12.04 with OpenSSH 5.9, I've enabled all levels of logging including DEBUG3 in /etc/ssh/sshd_config, and tried regular users and root, but nothing about the file that was transferred (or even that a file was transferred) shows up in any log for SCP. SFTP logs show up in auth.log even without cranking up the LogLevel to VERBOSE.

Is there anything I'm missing? Can anyone confirm they are able to get SCP logs to show up somewhere?

Thanks

0

2 Answers

scp is executed internally just as an ssh command, and transferred files are not logged. You have only authentication logs in /var/log/auth.log or somewhere like this.

2

I studied this once when I had to come up with a way to monitor SCP transfers. The OpenSSH scp utility doesn't log anything. It supports debugging output for the underlying SSH session, but that won't log the actual file transfers which are taking place.

Similarly, the OpenSSH server can be set to log detail about what it's doing, and it can be set to log the fact that a user connected and ran scp, but it won't log the actual file transfers which are taking place.

If you can't get these users to use SFTP instead, there are three approaches available to you:

  1. Investigate commercial SSH/SFTP/SCP servers. They should generally support logging file transfers.

  2. Replace the scp utility on the server with one that logs the data you want. OpenSSH is open source. Someone who knows how to program in C for Unix could download the source and modify it.

  3. Replace the scp utility with a "wrapper" that launches the original scp program and monitors what it does. There are debugging tools for Unix which can monitor what another process is doing.

We took the third approach. We wrote a Perl script which launched the original scp program under strace. Strace would output the names of files being opened and closed by the scp process. The Perl script read the strace output and converted it to log entries.

3
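The log-conversion step of the third approach in the answer above, as an added Python example (not the answerer's Perl script). It assumes the wrapper ran the real scp under `strace -f -e trace=open,openat,close`; the function name, the noise-path filter and the log entry format are hypothetical.

```python
import re

# Line shapes printed by `strace -f -e trace=open,openat,close` (assumed invocation).
OPEN_RE = re.compile(r'open(?:at)?\((?:AT_FDCWD, )?"(?P<path>[^"]*)", '
                     r'(?P<flags>[A-Z_|]+)(?:, \d+)?\)\s+= (?P<ret>-?\d+)')
CLOSE_RE = re.compile(r'close\((?P<fd>\d+)\)\s+= 0')
# Assumption: opens under these prefixes are scp's own libraries and config.
NOISE_PREFIXES = ("/etc/", "/lib", "/usr/", "/proc/", "/dev/", "/sys/")

def transfers_from_strace(lines, user="unknown"):
    """Return one log entry per user file that scp opened and then closed."""
    open_fds = {}  # fd -> (path, direction), for files still open
    entries = []
    for line in lines:
        m = OPEN_RE.search(line)
        if m:
            fd, path, flags = int(m["ret"]), m["path"], m["flags"].split("|")
            if fd < 0 or "O_DIRECTORY" in flags or path.startswith(NOISE_PREFIXES):
                continue  # failed open, directory walk, or system file
            # Server-side scp writes an incoming file and reads an outgoing one.
            writing = "O_WRONLY" in flags or "O_RDWR" in flags
            open_fds[fd] = (path, "upload" if writing else "download")
            continue
        m = CLOSE_RE.search(line)
        if m and int(m["fd"]) in open_fds:
            path, direction = open_fds.pop(int(m["fd"]))
            entries.append(f"scp user={user} direction={direction} file={path}")
    return entries

# Constructed strace output, not captured from a real session.
SAMPLE = [
    'openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
    'close(3)                                = 0',
    'openat(AT_FDCWD, "/home/alice/missing.txt", O_RDONLY) = -1 ENOENT (No such file or directory)',
    '[pid  4121] openat(AT_FDCWD, "/home/alice/report.pdf", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3',
    '[pid  4121] close(3) = 0',
    'open("/home/alice/notes.txt", O_RDONLY|O_NONBLOCK) = 3',
    'close(3) = 0',
]

if __name__ == "__main__":
    for entry in transfers_from_strace(SAMPLE, user="alice"):
        print(entry)
```

Entries are emitted on `close`, so a file still open when the trace ends is not reported.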
