Ubuntu – outgoing traffic monitoring

I’m new to this topic, so there are things I don’t understand yet. For one port (22) I need to monitor the outgoing traffic and be able to tell its origin (service or user). I thought it’d be as easy as setting the logging level to INFO on the sftp subsystem. After I set that up I got the results I expected:

Nov 18 10:34:12 testhost sftp-server[898]: close "/../../../test.ini" bytes read 25760 written 0

However, I see entries only when I test with an SFTP client or the lftp command. I don’t see anything like that if I use scp or rsync. I read some posts, threads and man pages, but I couldn’t find any solid solution. I understand that scp doesn’t use the sftp subsystem, but if I’m on the right track, it still uses SSH, so that should be available as well.

It would be best if I could see the same line as above for all file/data transfer methods. I’m avoiding any analytical service which would affect the performance and provide 100× more data than I need, as well as creating GBs of log entries with individual packets. The question is whether there’s any method (even if it’s multiple separate logging facilities) which would help me in achieving my goal.

Thank you!
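An added example, not part of the original post: a Python parser for the sftp-server INFO lines shown in the question that attributes outgoing bytes ("bytes read", i.e. data the server read from a file and sent to the client) to the session's user and client address. The sample log lines, user names and addresses are constructed, and the script assumes the "session opened/closed" lines that sftp-server writes at the same level are in the same log; it covers only the sftp subsystem, not scp or rsync.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format shown in the post.
SAMPLE_LOG = '''\
Nov 18 10:33:58 testhost sftp-server[898]: session opened for local user alice from [192.0.2.10]
Nov 18 10:34:12 testhost sftp-server[898]: close "/srv/data/test.ini" bytes read 25760 written 0
Nov 18 10:34:20 testhost sftp-server[898]: close "/srv/data/upload.bin" bytes read 0 written 4096
Nov 18 10:34:21 testhost sftp-server[898]: session closed for local user alice from [192.0.2.10]
Nov 18 10:40:02 testhost sftp-server[1021]: session opened for local user bob from [192.0.2.22]
Nov 18 10:40:09 testhost sftp-server[1021]: close "/srv/data/my "notes".txt" bytes read 100 written 0
Nov 18 10:41:00 testhost sftp-server[1500]: close "/srv/data/orphan.txt" bytes read 7 written 0
'''

PREFIX = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sftp-server\[(\d+)\]: (.*)$")
OPENED = re.compile(r"^session opened for local user (\S+) from \[(.+)\]$")
CLOSED = re.compile(r"^session closed for local user ")
# Greedy (.*) anchored at end of line: quotes inside the file name cannot
# shift the counters, the last "bytes read N written M" is the real one.
CLOSE = re.compile(r'^close "(.*)" bytes read (\d+) written (\d+)$')

def outgoing_transfers(lines):
    """Return one record per closed file that sent data to the client."""
    sessions, records = {}, []          # pid -> (user, client address)
    for line in lines:
        m = PREFIX.match(line.rstrip("\n"))
        if not m:
            continue
        when, pid, msg = m.groups()
        if (o := OPENED.match(msg)):
            sessions[pid] = o.groups()
        elif CLOSED.match(msg):
            sessions.pop(pid, None)     # PIDs are reused; forget ended sessions
        elif (c := CLOSE.match(msg)) and int(c.group(2)) > 0:
            user, peer = sessions.get(pid, ("?", "?"))  # open line not seen
            records.append({"time": when, "user": user, "peer": peer,
                            "path": c.group(1), "bytes": int(c.group(2))})
    return records

def bytes_sent_per_user(records):
    """Sum outgoing bytes per user over the records returned above."""
    totals = defaultdict(int)
    for r in records:
        totals[r["user"]] += r["bytes"]
    return dict(totals)

if __name__ == "__main__":
    recs = outgoing_transfers(SAMPLE_LOG.splitlines())
    for r in recs:
        print(r)
    print(bytes_sent_per_user(recs))
```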