When debugging SFTP file transfer issues, having detailed command logs is crucial. Many administrators find themselves in situations where:
- Clients report transfer failures with vague error messages
- SFTP client developers request server-side logs
- You need to audit file operations for security purposes
The most effective method is to configure the SSH daemon (which handles SFTP connections) to log verbose output. Here's how to set this up:
# Edit sshd_config
sudo vim /etc/ssh/sshd_config

# Add these lines (the sftp-server path below is the Debian/Ubuntu one;
# on CentOS/RHEL it is /usr/libexec/openssh/sftp-server):
LogLevel VERBOSE
Subsystem sftp /usr/lib/openssh/sftp-server -l INFO

Both settings are needed. LogLevel controls sshd's own messages, which only record that a subsystem was requested; the per-file operations come from sftp-server, whose -l option takes QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG and DEBUG1 to DEBUG3. Its default is ERROR, which records nothing about normal transfers.
The same options work with internal-sftp, the SFTP server built into sshd (available since OpenSSH 4.9, not only 7.4+). It is the usual choice for ChrootDirectory setups, because the chroot would otherwise need its own copy of the sftp-server binary and its libraries:

Subsystem sftp internal-sftp -l INFO -f AUTH

Two things change with internal-sftp. Messages carry the program name internal-sftp instead of sftp-server, so any log filter has to match both. And inside a chroot the process can only reach syslog if a /dev/log socket exists under the chroot directory (rsyslog's imuxsock module can create one through an additional listen-socket input); without it the messages are silently lost. -f selects the syslog facility; AUTH is already the default, so the option is shown only to make explicit where the messages go.
Create a separate log file just for SFTP activity, matching both program names so that sessions served by internal-sftp are captured too:

# Create rsyslog config
sudo vim /etc/rsyslog.d/20-sftp.conf

# Add this content:
if $programname == 'sftp-server' or $programname == 'internal-sftp' then /var/log/sftp.log
& stop

The & stop on its own line discards the matched messages so they do not also land in /var/log/auth.log or /var/log/secure (on rsyslog older than 7 write & ~ instead). The 20- prefix matters: rsyslog reads /etc/rsyslog.d in sort order, and this rule has to run before the distribution's default rules.
Validate the file with `sudo sshd -t`, then restart both services. Existing SSH sessions keep the old settings; only connections made after the restart are logged this way:
sudo systemctl restart sshd rsyslog
On macOS the process is similar, but paths differ and syslog output lands in the unified log rather than in a text file:

# Edit sshd_config
sudo vim /private/etc/ssh/sshd_config

# Enable logging
LogLevel VERBOSE
Subsystem sftp /usr/libexec/sftp-server -l INFO

Read the messages with `log show --predicate 'process == "sftp-server"' --last 1h`, or `log stream` with the same predicate to follow them live. Stay at VERBOSE for anything left running: the DEBUG levels are far noisier and, as sshd_config(5) warns, violate the privacy of users. launchd starts a fresh sshd for each incoming connection on macOS, so the next connection picks up the change without a restart.
Here's what you might see when logging works. Note that the log records SFTP protocol operations, not the client command that caused them: a download shows up as an open with READ followed by a close carrying the byte counts, and there is no "get" at this level:

Nov 15 10:23:45 server sftp-server[12345]: session opened for local user bob from [192.0.2.10]
Nov 15 10:23:47 server sftp-server[12345]: received client version 3
Nov 15 10:23:49 server sftp-server[12345]: opendir "/uploads"
Nov 15 10:23:52 server sftp-server[12345]: open "/uploads/test.txt" flags READ mode 0664
Nov 15 10:23:52 server sftp-server[12345]: close "/uploads/test.txt" bytes read 1024 written 0
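Once the file exists, the question becomes what to do with it. The script below is an added example, not code from the page or from OpenSSH: it parses the syslog lines that the rsyslog rule above produces, ties each file operation back to the user named in the "session opened" line (the pid is the only field that links them), and flags writes and any path outside the expected upload tree. The log lines are constructed for the example and follow the message formats of OpenSSH's sftp-server; the tree name /uploads and the session data are assumptions.

```python
import posixpath
import re

# Constructed sample (not a real capture) of lines rsyslog would write with
# "-l INFO": one session served by sftp-server, one by internal-sftp, plus an
# unrelated sshd/pam line the parser must ignore.
SAMPLE_LOG = """\
Nov 15 10:23:45 server sftp-server[12345]: session opened for local user bob from [192.0.2.10]
Nov 15 10:23:47 server sftp-server[12345]: received client version 3
Nov 15 10:23:49 server sftp-server[12345]: opendir "/uploads"
Nov 15 10:23:52 server sftp-server[12345]: open "/uploads/test.txt" flags READ mode 0664
Nov 15 10:23:53 server sftp-server[12345]: close "/uploads/test.txt" bytes read 1024 written 0
Nov 15 10:24:10 server sftp-server[12345]: session closed for local user bob from [192.0.2.10]
Nov 15 10:25:01 server internal-sftp[12401]: session opened for local user alice from [198.51.100.7]
Nov 15 10:25:03 server internal-sftp[12401]: open "/uploads/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Nov 15 10:25:04 server internal-sftp[12401]: close "/uploads/report.csv" bytes read 0 written 4096
Nov 15 10:25:06 server internal-sftp[12401]: open "/uploads/../etc/passwd" flags READ mode 0644
Nov 15 10:25:06 server internal-sftp[12401]: close "/uploads/../etc/passwd" bytes read 2048 written 0
Nov 15 10:25:08 server internal-sftp[12401]: remove name "/uploads/old.bin"
Nov 15 10:25:09 server internal-sftp[12401]: rename old "/uploads/a.txt" new "/uploads/b.txt"
Nov 15 10:25:20 server internal-sftp[12401]: session closed for local user alice from [198.51.100.7]
Nov 15 10:25:21 server sshd[12400]: pam_unix(sshd:session): session closed for user alice
"""

# Syslog line in rsyslog's traditional format (RFC 3339 timestamps also accepted);
# only the two SFTP server program names are taken.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) '
    r'(?P<prog>sftp-server|internal-sftp)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Message formats emitted by OpenSSH's sftp-server at INFO level.
SESSION_RE = re.compile(r'^session (?P<state>opened|closed) for local user (?P<user>\S+) from \[(?P<addr>[^\]]*)\]$')
OPEN_RE = re.compile(r'^open "(?P<path>[^"]*)" flags (?P<flags>\S+) mode (?P<mode>0[0-7]+)$')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]*)" bytes read (?P<read>\d+) written (?P<written>\d+)$')
RENAME_RE = re.compile(r'^rename old "(?P<old>[^"]*)" new "(?P<new>[^"]*)"$')
SIMPLE_RE = re.compile(r'^(?P<op>opendir|remove name|mkdir name|rmdir name) "(?P<path>[^"]*)"')

WRITE_FLAGS = {'WRITE', 'APPEND', 'CREATE', 'TRUNCATE'}
MUTATING_OPS = {'remove', 'rename', 'mkdir', 'rmdir'}


def parse_sessions(text):
    """Group log lines into sessions keyed by (host, pid)."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sshd, pam and other programs are not SFTP server lines
        s = sessions.setdefault((m['host'], m['pid']), {
            'prog': m['prog'], 'user': None, 'addr': None,
            'opened': None, 'closed': None, 'ops': []})
        msg, ts = m['msg'], m['ts']
        if (sm := SESSION_RE.match(msg)):
            s['user'], s['addr'] = sm['user'], sm['addr']
            s[sm['state']] = ts
        elif (om := OPEN_RE.match(msg)):
            s['ops'].append({'ts': ts, 'op': 'open', 'path': om['path'], 'flags': set(om['flags'].split(','))})
        elif (cm := CLOSE_RE.match(msg)):
            s['ops'].append({'ts': ts, 'op': 'close', 'path': cm['path'],
                             'read': int(cm['read']), 'written': int(cm['written'])})
        elif (rm := RENAME_RE.match(msg)):
            s['ops'].append({'ts': ts, 'op': 'rename', 'path': rm['old'], 'new': rm['new']})
        elif (pm := SIMPLE_RE.match(msg)):
            s['ops'].append({'ts': ts, 'op': pm['op'].split()[0], 'path': pm['path']})
        # anything else ("received client version 3", stat lines at VERBOSE, ...) is ignored
    return sessions


def inside(path, root):
    """True when the logged path is root itself or lies beneath it. sftp-server logs the
    path as the client sent it, so '..' components are normalised before comparing."""
    root = root.rstrip('/')
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + '/')


def find_findings(sessions, root='/uploads'):
    """Flag operations outside the expected tree and anything that modifies data."""
    findings = []
    for (host, pid), s in sessions.items():
        who = f"{s['user']}@{s['addr']} pid {pid}"
        for op in s['ops']:
            paths = [op['path']] + ([op['new']] if op['op'] == 'rename' else [])
            for p in paths:
                if not inside(p, root):
                    findings.append((who, 'outside-tree', op['op'], p))
            if op['op'] == 'open' and op['flags'] & WRITE_FLAGS:
                findings.append((who, 'write', 'open', op['path']))
            elif op['op'] in MUTATING_OPS:
                findings.append((who, 'write', op['op'], op['path']))
    return findings


def transfer_totals(sessions):
    """Bytes read/written per session, from the close lines (the only place sftp-server reports volume)."""
    return {(s['user'], pid): (sum(o['read'] for o in s['ops'] if o['op'] == 'close'),
                               sum(o['written'] for o in s['ops'] if o['op'] == 'close'))
            for (host, pid), s in sessions.items()}


if __name__ == '__main__':
    sessions = parse_sessions(SAMPLE_LOG)
    for f in find_findings(sessions):
        print(*f)
    for key, totals in transfer_totals(sessions).items():
        print(key, 'read/written', totals)
```

Run against the constructed log, bob's read-only session produces nothing, while alice's session yields five findings: the create/truncate open, the read of a path that normalises to /etc/passwd (reported twice, for the open and the close), the remove and the rename. Feed it `cat /var/log/sftp.log` on a real host and change `root` to the directory your users are confined to.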
To record file operations independently of what sftp-server chooses to log, use auditd on Linux. Keep the rule narrow: auditing read, write and connect for every logged-in user floods the audit log within minutes, so restrict it to the SFTP binary and to the calls that take a path:

# Install auditd if needed
sudo yum install audit        # CentOS/RHEL (the package is audit, the daemon auditd)
sudo apt-get install auditd   # Ubuntu/Debian

# Add audit rule: path-taking syscalls made by sftp-server for an interactively logged-in user
sudo auditctl -a always,exit -F arch=b64 -F auid>=1000 -F auid!=unset \
  -F exe=/usr/lib/openssh/sftp-server \
  -S open -S openat -S unlink -S unlinkat -S rename -S renameat -S mkdir -S mkdirat \
  -k sftp_audit

`auid!=unset` is the readable spelling of `auid!=4294967295`, and `-F exe=` needs audit 2.6 or later. Which of open/openat (and the other pairs) your libc issues depends on its version, so list both. With internal-sftp the executable is /usr/sbin/sshd, so change the exe filter accordingly; when the upload tree is known, a watch rule such as `-w /uploads -p rwa -k sftp_audit` is simpler and catches every process, not just sftp-server. Rules added with auditctl are lost at reboot; put the same line (without the auditctl prefix) in /etc/audit/rules.d/sftp.rules to make it persistent.
View the events with ausearch; -i turns syscall numbers, UIDs and the hex-encoded process title into readable form:

sudo ausearch -k sftp_audit -i
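One audit event is spread over several records (SYSCALL, CWD, one PATH per path component touched, PROCTITLE) that share a serial number, which is why the raw output is hard to grep. The script below is an added example, not part of the page or of the audit tooling: it correlates raw `ausearch -k sftp_audit` output (without -i) by serial, resolves the target path, decodes the process title, and separates successful operations from denied attempts. The records are constructed and abridged for the example, the syscall-number table covers x86_64 only, and the key name and paths are assumptions.

```python
import re

# x86_64 syscall numbers for the calls audited above (ausearch -i does this
# mapping for you; raw output carries only the number).
SYSCALL_X86_64 = {2: 'open', 82: 'rename', 83: 'mkdir', 87: 'unlink',
                  257: 'openat', 258: 'mkdirat', 263: 'unlinkat', 264: 'renameat'}

# Constructed, abridged sample of raw ausearch output (not a real capture):
# a successful open, a denied open of /etc/shadow, and an unlink.
SAMPLE_AUDIT = """\
----
time->Wed Nov 15 10:23:52 2023
type=SYSCALL msg=audit(1700043832.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d5c3a1b2c0 a2=0 a3=0 items=2 ppid=12300 pid=12345 auid=1000 uid=1000 gid=1000 tty=(none) ses=7 comm="sftp-server" exe="/usr/lib/openssh/sftp-server" key="sftp_audit"
type=CWD msg=audit(1700043832.123:456): cwd="/home/bob"
type=PATH msg=audit(1700043832.123:456): item=0 name="/uploads/" inode=1230 dev=08:01 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700043832.123:456): item=1 name="/uploads/test.txt" inode=1234 dev=08:01 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700043832.123:456): proctitle=2F7573722F6C69622F6F70656E7373682F736674702D736572766572002D6C00494E464F
----
time->Wed Nov 15 10:25:06 2023
type=SYSCALL msg=audit(1700043906.501:470): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d5c3a1b400 a2=0 a3=0 items=1 ppid=12400 pid=12401 auid=1001 uid=1001 gid=1001 tty=(none) ses=8 comm="sftp-server" exe="/usr/lib/openssh/sftp-server" key="sftp_audit"
type=CWD msg=audit(1700043906.501:470): cwd="/home/alice"
type=PATH msg=audit(1700043906.501:470): item=0 name="/etc/shadow" inode=2200 dev=08:01 mode=0100000 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700043906.501:470): proctitle=2F7573722F6C69622F6F70656E7373682F736674702D736572766572002D6C00494E464F
----
time->Wed Nov 15 10:25:08 2023
type=SYSCALL msg=audit(1700043908.010:471): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d5c3a1b500 a2=0 a3=0 items=2 ppid=12400 pid=12401 auid=1001 uid=1001 gid=1001 tty=(none) ses=8 comm="sftp-server" exe="/usr/lib/openssh/sftp-server" key="sftp_audit"
type=CWD msg=audit(1700043908.010:471): cwd="/home/alice"
type=PATH msg=audit(1700043908.010:471): item=0 name="/uploads/" inode=1230 dev=08:01 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700043908.010:471): item=1 name="/uploads/old.bin" inode=1240 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE
"""

REC_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """key=value pairs; quoted values lose their quotes, unquoted ones (tty=(none)) stay as-is."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def parse_events(text):
    """Merge the records of each audit event, keyed by its serial number."""
    events = {}
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue  # '----' separators and 'time->' headers
        ev = events.setdefault(m['serial'], {'ts': float(m['ts']), 'paths': [], 'cwd': None, 'syscall': None})
        f, t = parse_fields(m['body']), m['type']
        if t == 'SYSCALL':
            ev.update(syscall=SYSCALL_X86_64.get(int(f['syscall']), f['syscall']),
                      success=f['success'] == 'yes', exit=int(f['exit']),
                      auid=f['auid'], exe=f['exe'], key=f.get('key'))
        elif t == 'CWD':
            ev['cwd'] = f['cwd']
        elif t == 'PATH':
            ev['paths'].append((f['nametype'], f['name']))
        elif t == 'PROCTITLE':
            try:  # hex-encoded, NUL-separated argv; plain strings appear quoted instead
                ev['argv'] = [a.decode() for a in bytes.fromhex(f['proctitle']).split(b'\0') if a]
            except ValueError:
                ev['argv'] = [f['proctitle']]
    return events


def file_operations(events, key='sftp_audit'):
    """One entry per target path of each keyed event, oldest first."""
    ops = []
    for serial, ev in sorted(events.items(), key=lambda kv: kv[1]['ts']):
        if ev.get('key') != key or ev['syscall'] is None:
            continue
        # PARENT is the containing directory; the other PATH items are the targets
        for nametype, name in ev['paths']:
            if nametype == 'PARENT':
                continue
            if not name.startswith('/'):
                name = (ev['cwd'] or '/').rstrip('/') + '/' + name
            ops.append({'serial': serial, 'auid': ev['auid'], 'exe': ev['exe'], 'syscall': ev['syscall'],
                        'path': name, 'success': ev['success'], 'exit': ev['exit']})
    return ops


def denied_attempts(ops):
    """Operations the kernel refused; exit carries the negative errno (-13 is EACCES)."""
    return [o for o in ops if not o['success']]


if __name__ == '__main__':
    evs = parse_events(SAMPLE_AUDIT)
    for o in file_operations(evs):
        print(o['serial'], 'auid', o['auid'], o['syscall'], o['path'], 'ok' if o['success'] else f"denied ({o['exit']})")
```

On a live host, pipe `sudo ausearch -k sftp_audit` into the script instead of the sample. The denied list is the part worth alerting on: a read-only SFTP account probing /etc/shadow is visible here even though sftp-server itself logs a successful-looking open followed by nothing.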
If logs aren't appearing:
- Confirm the running sshd actually has the option: `sudo sshd -T | grep -i subsystem` prints the effective configuration. Only sessions started after the restart use it.
- Verify the log file exists and its permissions (rsyslog creates it as root; 640 keeps other users from reading who transferred what):
sudo chmod 640 /var/log/sftp.log
- Check SELinux contexts on CentOS; a file created by hand under /var/log should carry var_log_t, and `restorecon -v /var/log/sftp.log` fixes it if not:
ls -Z /var/log/sftp.log
- For chrooted users, make sure a /dev/log socket exists inside the chroot; without it sftp-server cannot reach syslog at all.
- Ensure sufficient disk space for logs
When troubleshooting SFTP (SSH File Transfer Protocol) issues, having detailed logs of client-server communication is invaluable. Many administrators face situations where client applications behave unexpectedly, but lack visibility into the actual commands being executed.
The most effective approach is configuring the SSH daemon (sshd) to log verbose output. On both CentOS (RHEL-based) and macOS, edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Add or modify these directives, using the sftp-server path for your platform (/usr/lib/openssh/sftp-server on Debian/Ubuntu, /usr/libexec/openssh/sftp-server on CentOS/RHEL, /usr/libexec/sftp-server on macOS; internal-sftp needs no path at all):

LogLevel VERBOSE
Subsystem sftp /usr/lib/openssh/sftp-server -l INFO
For temporary debugging without touching the production configuration, run a second sshd in the foreground on another port. With -d it stays attached to the terminal, serves exactly one connection, writes its debug output to stderr and then exits; repeat the flag (-ddd) for more detail, or add -E /path/to/file to send the output to a file instead:

/usr/sbin/sshd -d -p 2222 -f /path/to/temp_config

Sample temp_config contents (host keys are read from their default locations unless you add HostKey lines):

Port 2222
LogLevel DEBUG3
Subsystem sftp /usr/lib/openssh/sftp-server -l DEBUG

Then connect with `sftp -P 2222 user@host`. Open port 2222 in the firewall only for the duration of the test.
With verbose logging enabled, you'll see detailed session information. sshd's own lines (debug1:) appear on the terminal of the foreground instance; the sftp-server lines still go through syslog as configured above:

debug1: subsystem request for sftp by user bob
debug1: subsystem: exec() /usr/lib/openssh/sftp-server -l INFO
sftp-server[12345]: session opened for local user bob from [192.0.2.10]
sftp-server[12345]: received client version 3
sftp-server[12345]: open "/test.txt" flags READ mode 0664
For deeper inspection, trace the SFTP server processes. pgrep returns one PID per active session; the quotes hand the whole list to a single -p:

sudo strace -f -s 1024 -o /root/sftp_trace.log -p "$(pgrep -f sftp-server)"

Be deliberate about where the trace goes: with -s 1024 it contains the first kilobyte of every buffer read or written, which is the content of the users' files, so write it somewhere only root can read and delete it when done. Adding -e trace=%file limits the trace to calls that take a path and keeps file contents out of it. With internal-sftp, attach to the per-session sshd process instead; `pgrep -f internal-sftp` finds it through its process title.
When enabling verbose logging long-term, configure log rotation to prevent disk space issues. Rotate the dedicated file the SFTP messages are routed to; /var/log/secure (CentOS) and /var/log/auth.log (Debian/Ubuntu) are already covered by the distribution's own stanza, and a second stanza for the same path makes logrotate reject it with "duplicate log entry". Create /etc/logrotate.d/sftp:

/var/log/sftp.log {
    rotate 7
    daily
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}

The HUP makes rsyslog reopen its output files after the rotation. The commonly copied /var/run/syslogd.pid belongs to the old sysklogd and does not exist on an rsyslog system, so a kill based on it silently does nothing and rsyslog keeps writing into the renamed file.
If server logs aren't sufficient, most SFTP clients can show their side of the exchange. OpenSSH's sftp takes the same -v as ssh; repeat it up to three times (-vvv) for packet-level detail:

sftp -v -P 22 user@host
libssh2-based clients are a different case: libssh2 produces trace output only through its libssh2_trace() API, and only when the library was built with --enable-debug. The environment variables below therefore take effect only if the client itself reads them and calls libssh2_trace() in response (curl, for example, enables the trace with curl -v sftp://host/path instead), so check the client's documentation:

export LIBSSH2_TRACE=1
export LIBSSH2_DEBUG=1