2023-08-31 (Thu) 16:29 UTC -0500 <[email protected]>:
> I am setting an openbsd 7.3 stable system to serve files via ssh's sftp
> subsystem.
>
> Does openssh have a native way to audit what files were
> downloaded/uploaded with user/timestamp information?
>
> If not, are there any recommendations?
(I think you did not ask for suggestions for the log parsing part, but here is one
anyway.)
This is what I have come up with using Fluent Bit and OpenSSH portable on another OS:
---
[PARSER]
Name my_sftp_receiver
Format regex
Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%L%z
Regex ^\<(?<pri>[0-9]{1,5})\>(?<time>.+) (?<host>[^ ]*) (?<ident>[^ ]+): close "(?<filename>.+)" bytes read (?<dlsize>.*) written (?<ulsize>.*)$
Types filename:string dlsize:int ulsize:int
---
My use case is to get triggered after a successful upload, so the rest of the
Fluent Bit pipeline is set to do an output action (HTTP POST) when the
variable "ulsize" is greater than 0 and "filename" contains a directory
path of special interest.
Hope this helps.
--
Mikko
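The same parsing and trigger logic, written out as an added Python example (this is not Mikko's code or Fluent Bit's): it applies the regex from the post to constructed syslog lines carrying sftp-server's `close "..." bytes read N written M` summary, and adds the one thing the `close` line lacks, the username, by correlating it with sftp-server's `session opened for local user ... from [...]` line through the same host and syslog ident (the `sshd[pid]` tag). The sample lines, hostnames, users, paths and PIDs are all constructed; the "uploads under a watched directory" filter is the post's "ulsize > 0 and filename in a directory of interest" condition.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syslog prefix with priority, RFC 3339 time, host and ident, as in the post's regex
# (time is taken as \S+ here instead of .+ so the match cannot spill into the host).
_PREFIX = r'^<(?P<pri>[0-9]{1,5})>(?P<time>\S+) (?P<host>[^ ]*) (?P<ident>[^ ]+): '

# sftp-server's transfer summary, logged when a file handle is closed.
CLOSE_RE = re.compile(
    _PREFIX + r'close "(?P<filename>.+)" bytes read (?P<dlsize>\d+) written (?P<ulsize>\d+)$'
)
# sftp-server's session start line; it names the user that later close lines do not.
SESSION_RE = re.compile(
    _PREFIX + r'session opened for local user (?P<user>\S+) from \[(?P<addr>[^\]]*)\]$'
)


@dataclass
class Transfer:
    time: str
    host: str
    ident: str
    user: Optional[str]   # None when no session line was seen for this ident
    filename: str
    dlsize: int           # bytes the client read (download)
    ulsize: int           # bytes the client wrote (upload)


def parse_transfers(lines: List[str]) -> List[Transfer]:
    """Turn raw syslog lines into Transfer records, attributing each close to the
    user whose session (same host + ident, e.g. 'sshd[12345]') opened it."""
    users: Dict[Tuple[str, str], str] = {}
    out: List[Transfer] = []
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            users[(m['host'], m['ident'])] = m['user']
            continue
        m = CLOSE_RE.match(line)
        if not m:
            continue  # open/read/write/other lines carry no transfer summary
        out.append(Transfer(
            time=m['time'], host=m['host'], ident=m['ident'],
            user=users.get((m['host'], m['ident'])),
            filename=m['filename'], dlsize=int(m['dlsize']), ulsize=int(m['ulsize']),
        ))
    return out


def uploads_under(transfers: List[Transfer], watch_dir: str) -> List[Transfer]:
    """The post's trigger condition: bytes were written, and the file sits under
    the watched directory (a zero-byte create is not reported as an upload)."""
    prefix = watch_dir.rstrip('/') + '/'
    return [t for t in transfers if t.ulsize > 0 and t.filename.startswith(prefix)]


# Constructed sample input in the <pri>time host ident: message shape the post's
# parser expects; the hosts, users, PIDs and paths are made up for this example.
SAMPLE_LINES = [
    '<38>2023-08-31T16:28:50.000+0000 sftp-host sshd[12345]: session opened for local user alice from [192.0.2.10]',
    '<38>2023-08-31T16:29:00.123+0000 sftp-host sshd[12345]: close "/srv/sftp/incoming/report.pdf" bytes read 0 written 20480',
    '<38>2023-08-31T16:29:30.456+0000 sftp-host sshd[12345]: close "/srv/sftp/pub/readme.txt" bytes read 4096 written 0',
    '<38>2023-08-31T16:30:00.000+0000 sftp-host sshd[12346]: session opened for local user bob from [198.51.100.7]',
    '<38>2023-08-31T16:30:10.789+0000 sftp-host sshd[12346]: open "/srv/sftp/incoming/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0644',
    '<38>2023-08-31T16:30:11.000+0000 sftp-host sshd[12346]: close "/srv/sftp/incoming/notes.txt" bytes read 0 written 0',
    '<38>2023-08-31T16:31:20.000+0000 sftp-host sshd[12346]: close "/srv/sftp/incoming/data.csv" bytes read 0 written 512',
]

if __name__ == '__main__':
    for t in uploads_under(parse_transfers(SAMPLE_LINES), '/srv/sftp/incoming'):
        print(f'{t.time} {t.user or "?"}@{t.host} uploaded {t.filename} ({t.ulsize} bytes)')
```

Keying the user map on (host, ident) rather than on the PID alone matters once several hosts feed the same collector, since PIDs repeat across machines; and when both halves of the transfer summary are kept, the same records answer the download side of the original question too (`dlsize > 0`).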