DWA Emitter for OpenSSH SFTP Server
Prerequisites
This emitter supports monitoring of a Linux OpenSSH 8.0 SFTP server configured with verbose logging.
Verbose logging can be turned on by configuring the sftp subsystem in /etc/ssh/sshd_config as shown below (root privileges required):
Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE
By default the messages are written to /var/log/messages; make sure your administrator has made this file readable by the DWAgent runtime user (by default it is not).
Consider also asking your administrator to route only sftp-server messages to a dedicated log file that DWAgent can read at runtime, for better isolation and performance.
Example
Here is an example configuration with a dedicated /var/log/sftp.log for DWAgent that contains only OpenSSH SFTP messages: rsyslog writes the local3 facility to that file, and sftp-server is told to log to local3.
/etc/rsyslog.conf contents
$umask 0000
local3.* action(type="omfile" fileCreateMode="0644" file="/var/log/sftp.log")
/etc/ssh/sshd_config contents
Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE -f LOCAL3
DWA Emitter for OpenSSH SFTP Server allows limited customization of the pattern-matching configuration that drives log parsing. In normal circumstances the provided defaults just work, but if the monitored OpenSSH SFTP server version logs in a slightly different format, the default settings can be adjusted to some extent.
Major changes in the log structure, on the other hand, cannot be covered by simply adjusting the pattern-matching configuration.
DWA Emitter for OpenSSH SFTP Server handles rolling logs, i.e. logs dynamically renamed by the system according to some configurable policy (for instance a log file size threshold and/or a log age threshold), which gives rise to a current log plus archived logs.
Configuration reference
DWA Emitter for OpenSSH SFTP Server -- Prefix emitter.osshsftp[<label>].*
All pattern properties included in the configuration conform to Java MessageFormat syntax as defined in: https://docs.oracle.com/javase/8/docs/api/java/text/MessageFormat.html
logFilePath
Name of the primary log file to monitor, complete with absolute path.
logFileFilterRegEx
Regular expression identifying all archived log files to monitor, located in the same directory as the primary log configured in logFilePath.
Archived (secondary) log files are those that the system has renamed as part of a log rotation policy.
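The following is an added example, not the emitter's own code, showing how logFilePath and logFileFilterRegEx combine to select the current log plus its rotated archives. It assumes the regular expression is matched against bare file names (fully anchored) in the primary log's directory, and that archives are replayed oldest first so events stay chronological across a rotation; the directory contents are constructed in a temporary folder.

```python
"""Added example: enumerate the primary log and its rotated archives."""
import os
import re
import tempfile


def rotated_log_files(log_file_path, log_file_filter_regex):
    """Return [oldest archive, ..., newest archive, primary log].

    Assumption: the regex is applied, fully anchored, to bare file names in the
    directory of the primary log; the primary log itself is never treated as an
    archive even if the regex happens to match it.
    """
    directory, primary = os.path.split(log_file_path)
    rx = re.compile(log_file_filter_regex)
    archives = [
        os.path.join(directory, name)
        for name in os.listdir(directory)
        if name != primary and rx.fullmatch(name)
    ]
    # Rotation renames files in place, so older archives keep older mtimes.
    archives.sort(key=os.path.getmtime)
    return archives + [log_file_path]


def demo():
    """Build a constructed directory that mimics a rotated sftp.log and list it."""
    d = tempfile.mkdtemp()
    # days of age per file: higher rotation suffix = older archive; 'messages'
    # is an unrelated log sharing the directory and must not be picked up.
    ages = {"sftp.log": 0, "sftp.log.1": 1, "sftp.log.2": 2,
            "sftp.log-20240105": 3, "messages": 0}
    now = 1_700_000_000
    for name, days in ages.items():
        path = os.path.join(d, name)
        open(path, "w").close()
        stamp = now - days * 86400
        os.utime(path, (stamp, stamp))
    selected = rotated_log_files(os.path.join(d, "sftp.log"),
                                 r"sftp\.log(\.\d+|-\d{8})")
    return [os.path.basename(p) for p in selected]


if __name__ == "__main__":
    print(demo())
```

The regex in demo() is a constructed value covering both numeric (sftp.log.1) and dated (sftp.log-20240105) rotation schemes; it is not a default shipped by the emitter.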
filterSftpdPattern
Pattern used to select only the lines produced by the OpenSSH SFTP daemon, discarding lines from other services sharing the log file.
The provided default value is:
{0,date,MMM d HH:mm:ss} {1} sftp-server[{2,number,integer}]: {3}
Where:
{0,date,MMM d HH:mm:ss} = timestamp according to the specified locale
{1} = hostname
{2} = session
{3} = remainder of the line
sessionOpenedPattern
Pattern used to match user session opening.
The provided default value is:
session opened for local user {0} from [{1}]
Where:
{0} = user name
{1} = client IP
sessionClosedPattern
Pattern used to match user session closing.
The provided default value is:
session closed for local user {0} from [{1}]
Where:
{0} = user name
{1} = client IP
openPattern
Pattern used to match file opening.
The provided default value is:
open "{0}" flags {1} mode {2}
Where:
{0} = file name
{1} = file opening flags
{2} = file opening mode bitmask
closePattern
Pattern used to match file closing.
The provided default value is:
close "{0}" bytes read {1,number,integer} written {2,number,integer}
Where:
{0} = file name
{1} = total read bytes
{2} = total written bytes
sendStatusPattern
Pattern used to match error statuses sent back to the client ("sent status" lines).
The provided default value is:
sent status {0}
Where:
{0} = error message
forcedClosePattern
Pattern used to match a file forcibly closed because of a session error or session abort.
The provided default value is:
forced close "{0}" bytes read {1,number,integer} written {2,number,integer}
Where:
{0} = file name
{1} = total read bytes
{2} = total written bytes
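The following added example (not the emitter's code) shows how the default patterns above work end to end: each MessageFormat pattern is translated into an anchored regular expression, the filterSftpdPattern is applied first to keep only sftp-server lines, and the remainder of each line is matched against the event patterns to build a per-session record of user, client IP, files opened, bytes transferred, error statuses and forced closes. The translation supports only the argument types the defaults use (plain, number, and the MMM d HH:mm:ss date style, including syslog's padding space for single-digit days); the log lines are constructed samples, and the group names a0, a1, ... and the Session fields are this example's own choices.

```python
"""Added example: parse OpenSSH sftp-server VERBOSE log lines with the
documented default MessageFormat patterns, translated to Python regexes."""
import re
from dataclasses import dataclass, field

# Default patterns exactly as documented for the emitter (Java MessageFormat syntax).
FILTER_SFTPD = "{0,date,MMM d HH:mm:ss} {1} sftp-server[{2,number,integer}]: {3}"
EVENT_PATTERNS = {
    "session_opened": "session opened for local user {0} from [{1}]",
    "session_closed": "session closed for local user {0} from [{1}]",
    "open": 'open "{0}" flags {1} mode {2}',
    "close": 'close "{0}" bytes read {1,number,integer} written {2,number,integer}',
    "forced_close": 'forced close "{0}" bytes read {1,number,integer} written {2,number,integer}',
    "sent_status": "sent status {0}",
}

_ARG = re.compile(r"\{(\d+)(?:,(\w+)(?:,([^}]*))?)?\}")
# Minimal SimpleDateFormat-token translation, enough for the syslog timestamp style.
# 'd' absorbs the extra padding space syslog emits for single-digit days ("Jan  5").
_DATE_TOKENS = {"MMM": r"[A-Za-z]{3}", "d": r"\s*\d{1,2}",
                "HH": r"\d{2}", "mm": r"\d{2}", "ss": r"\d{2}"}


def date_style_to_regex(style):
    parts = re.findall(r"[A-Za-z]+|[^A-Za-z]+", style)
    return "".join(_DATE_TOKENS.get(p, re.escape(p)) for p in parts)


def pattern_to_regex(pattern):
    """Turn a MessageFormat pattern into an anchored regex with groups a0, a1, ...
    {n,number,...} matches an integer, {n,date,style} matches the date style,
    plain {n} matches any non-empty text; literal text must match verbatim."""
    out, pos = ["^"], 0
    for m in _ARG.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        idx, kind, style = m.groups()
        if kind == "number":
            body = r"-?\d+"
        elif kind == "date":
            body = date_style_to_regex(style)
        else:
            body = r".+?"
        out.append(f"(?P<a{idx}>{body})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]) + "$")
    return re.compile("".join(out))


@dataclass
class Session:
    user: str
    client_ip: str
    files_opened: list = field(default_factory=list)
    bytes_read: int = 0
    bytes_written: int = 0
    errors: list = field(default_factory=list)   # 'sent status' messages
    aborted: list = field(default_factory=list)  # files hit by 'forced close'
    closed: bool = False


def parse_log(lines):
    """Return {session_id: Session} built from sftp-server lines; other lines are ignored."""
    filt = pattern_to_regex(FILTER_SFTPD)
    events = {k: pattern_to_regex(v) for k, v in EVENT_PATTERNS.items()}
    sessions = {}
    for line in lines:
        m = filt.match(line.rstrip("\n"))
        if not m:
            continue  # e.g. sshd or other daemons sharing the file
        sid, rest = int(m["a2"]), m["a3"]
        for kind, rx in events.items():
            e = rx.match(rest)
            if e:
                break
        else:
            continue  # verbose line this example does not model (opendir, realpath, ...)
        if kind == "session_opened":
            sessions[sid] = Session(user=e["a0"], client_ip=e["a1"])
            continue
        s = sessions.get(sid)
        if s is None:
            continue  # activity whose session open was not seen (e.g. lost to rotation)
        if kind == "session_closed":
            s.closed = True
        elif kind == "open":
            s.files_opened.append(e["a0"])
        elif kind in ("close", "forced_close"):
            s.bytes_read += int(e["a1"])
            s.bytes_written += int(e["a2"])
            if kind == "forced_close":
                s.aborted.append(e["a0"])
        elif kind == "sent_status":
            s.errors.append(e["a0"])
    return sessions


# Constructed sample log: one sshd line (filtered out) and two sftp-server sessions.
SAMPLE_LOG = """\
Jan  5 10:00:01 sftp01 sshd[1233]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Jan  5 10:00:02 sftp01 sftp-server[1234]: session opened for local user alice from [10.0.0.5]
Jan  5 10:00:03 sftp01 sftp-server[1234]: open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Jan  5 10:00:04 sftp01 sftp-server[1234]: close "/upload/report.csv" bytes read 0 written 2048
Jan  5 10:00:05 sftp01 sftp-server[1234]: open "/home/bob/private.txt" flags READ mode 00
Jan  5 10:00:05 sftp01 sftp-server[1234]: sent status Permission denied
Jan  5 10:00:06 sftp01 sftp-server[1234]: session closed for local user alice from [10.0.0.5]
Jan 15 11:00:00 sftp01 sftp-server[1300]: session opened for local user bob from [10.0.0.9]
Jan 15 11:00:01 sftp01 sftp-server[1300]: forced close "/upload/big.bin" bytes read 0 written 65536
""".splitlines()

if __name__ == "__main__":
    for sid, s in parse_log(SAMPLE_LOG).items():
        print(sid, s)
```

Because every translated pattern is anchored at both ends, the close pattern does not accidentally match a "forced close" line, and a log produced by a differently formatted sftp-server version simply yields no match rather than a partially parsed record; that is the behaviour to expect when adjusting the patterns for a slightly different log format.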