I’m new to this topic, so there are things I don’t understand yet. For one port (22) I need to monitor the outgoing traffic and be able to tell its origin (service or user). I thought it would be as easy as setting the logging level to INFO on the sftp subsystem. After I set that up I got the results I expected:
Nov 18 10:34:12 testhost sftp-server: close "/../../../test.ini" bytes read 25760 written 0
However, I see entries only when I test with an SFTP client or the lftp command. I don’t see anything like that if I use rsync. I read some posts, threads and man pages, but I couldn’t find any solid solution. I understand that scp doesn’t use the sftp subsystem, but if I’m on the right track, it still uses SSH, so that should be available as well.
The best would be if I saw the same line for all file/data transfer methods, like the one above. I’m avoiding any analytical service which would affect performance and provide 100x more data than I need, or which would create GBs of log entries for individual packets. The question is whether there’s any method (even if it’s multiple separate logging facilities) which would help me achieve my goal?
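As an added example (not from the poster), here is how the sftp-server INFO lines could be attributed to a user and source address by correlating the per-session "session opened for local user" line with later "close" lines via the syslog pid. The log lines below are constructed; they assume the usual syslog form `sftp-server[pid]:` and OpenSSH's INFO-level message wording, which the post's single sample line does not show.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the original post). Assumes OpenSSH
# sftp-server at log level INFO, one process per session, pid in brackets.
SAMPLE_LOG = """\
Nov 18 10:34:01 testhost sftp-server[2101]: session opened for local user alice from [10.0.0.5]
Nov 18 10:34:12 testhost sftp-server[2101]: close "/../../../test.ini" bytes read 25760 written 0
Nov 18 10:35:02 testhost sftp-server[2188]: session opened for local user backup from [10.0.0.9]
Nov 18 10:35:40 testhost sftp-server[2188]: close "/srv/data/db.dump" bytes read 0 written 4096000
Nov 18 10:36:00 testhost sftp-server[2101]: close "/home/alice/notes.txt" bytes read 0 written 512
"""

SESSION_RE = re.compile(r"sftp-server\[(\d+)\]: session opened for local user (\S+) from \[([^\]]+)\]")
CLOSE_RE = re.compile(r'sftp-server\[(\d+)\]: close "([^"]*)" bytes read (\d+) written (\d+)')


def attribute_transfers(log_text):
    """Map each file close to the user/source of the sftp-server process that logged it."""
    sessions = {}   # pid -> (user, source address), filled from "session opened" lines
    transfers = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = CLOSE_RE.search(line)
        if m:
            pid, path = m.group(1), m.group(2)
            read, written = int(m.group(3)), int(m.group(4))
            user, src = sessions.get(pid, ("unknown", "unknown"))
            # "bytes read" is read from the server-side file, i.e. sent to the client;
            # "bytes written" is written to the server-side file, i.e. received from the client.
            transfers.append({"user": user, "src": src, "path": path,
                              "read": read, "written": written,
                              "traversal": "/../" in path})  # worth a closer look in review
    return transfers


def bytes_out_per_user(transfers):
    """Outbound bytes (server -> client) per user, summed from the 'bytes read' field."""
    totals = defaultdict(int)
    for t in transfers:
        totals[t["user"]] += t["read"]
    return dict(totals)
```

This only covers transfers that go through the sftp subsystem; scp and rsync over SSH never reach sftp-server, so they produce no such lines.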