Increasing the ESXi 5.x/6.0 host logging to capture SFTP-based file access
Article ID: 341613

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article provides the steps to increase ESXi 5.x and 6.0 host logging so that SFTP-based file access is captured. When monitoring an ESXi host it can be helpful to raise the log level of the SFTP daemon, because the increased logging records which users access which files on the host. When enabled, SFTP operations on individual files are logged on the ESXi host in /var/log/syslog.log.


Environment

VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.0
VMware vSphere ESXi 5.1

Resolution

To increase logging for SFTP:
  1. Log in to your host as root from either an SSH session or directly from the console. For more information, see Using Tech Support Mode in ESXi 4.1, ESXi 5.x, and ESXi 6.0 (1017910) or Enabling root SSH login on an ESX host (8375637).

  2. Run this command to change the logging level:

    grep LOCAL5 /etc/ssh/sshd_config || sed 's/sftp-server/sftp-server -f LOCAL5 -l INFO/g' -i /etc/ssh/sshd_config

  3. Restart the sftp daemon for the change to take effect. For more information, see Restarting the Management agents on an ESXi or ESX host (1003490).

    After it is enabled, entries like the following appear in /var/log/syslog.log when files are accessed over SFTP:

    <YYYY-MM-DD>T<time> sftp-server[1000016610]: session opened for local user <username> from [<Originating_Session_IP>]
    <YYYY-MM-DD>T<time> sftp-server[1000016610]: opendir "/"
    <YYYY-MM-DD>T<time> sftp-server[1000016610]: sent status No such file
    <YYYY-MM-DD>T<time> sftp-server[1000016610]: closedir "/"
    <YYYY-MM-DD>T<time> sftp-server[1000016610]: opendir "/etc"
    <YYYY-MM-DD>T<time> sftp-server[1000016610]: closedir "/etc"
    <YYYY-MM-DD>T<time> sftp-server[1000016610]: open "/etc/profile.local" flags READ mode 0666
    <YYYY-MM-DD>T<time> sftp-server[1000016610]: close "/etc/profile.local" bytes read 73 written 0
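As an added example (not part of the KB article), the small Python parser below turns syslog.log lines of the shape shown above into per-user file-access records, correlating the "session opened" line with the later open/close lines through the sftp-server process id, and then picks out the accesses that modified a file. The log lines embedded in it are constructed to match that format and are not a real capture.

```python
import re
from collections import namedtuple

# Line shape documented in the article: "<timestamp> sftp-server[<pid>]: <message>".
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+sftp-server\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$')
SESSION_RE = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]')
OPEN_RE = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode (?P<mode>\d+)')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')

Access = namedtuple('Access', 'ts user ip pid path flags bytes_read bytes_written')

def parse_sftp_accesses(lines):
    """Correlate each pid's 'session opened' line with the file opens/closes that follow it."""
    sessions = {}   # pid -> (user, ip), taken from the "session opened" line
    pending = {}    # (pid, path) -> Access built from the open line, waiting for its close
    accesses = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sftp-server line (syslog.log carries many other daemons)
        ts, pid, msg = m.group('ts'), m.group('pid'), m.group('msg')
        s = SESSION_RE.match(msg)
        if s:
            sessions[pid] = (s.group('user'), s.group('ip'))
            continue
        # If the session line was rotated away we still keep the access, just unattributed.
        user, ip = sessions.get(pid, ('<unknown>', '<unknown>'))
        o = OPEN_RE.match(msg)
        if o:
            pending[(pid, o.group('path'))] = Access(ts, user, ip, pid, o.group('path'), o.group('flags'), 0, 0)
            continue
        c = CLOSE_RE.match(msg)
        if c:
            acc = pending.pop((pid, c.group('path')), Access(ts, user, ip, pid, c.group('path'), '?', 0, 0))
            accesses.append(acc._replace(bytes_read=int(c.group('read')), bytes_written=int(c.group('written'))))
    return accesses

def modified_files(accesses):
    """Accesses that wrote bytes or were opened with a WRITE flag: the first ones to review."""
    return [a for a in accesses if a.bytes_written > 0 or 'WRITE' in a.flags]

# Constructed sample input (placeholder timestamps, pids and RFC 5737 addresses), not a real log.
SAMPLE_LOG = [
    '2016-03-01T10:15:02Z sftp-server[1000016610]: session opened for local user root from [192.0.2.10]',
    '2016-03-01T10:15:03Z sftp-server[1000016610]: opendir "/etc"',
    '2016-03-01T10:15:03Z sftp-server[1000016610]: closedir "/etc"',
    '2016-03-01T10:15:04Z sftp-server[1000016610]: open "/etc/profile.local" flags READ mode 0666',
    '2016-03-01T10:15:04Z sftp-server[1000016610]: close "/etc/profile.local" bytes read 73 written 0',
    '2016-03-01T10:15:09Z sftp-server[1000016611]: session opened for local user backup from [192.0.2.20]',
    '2016-03-01T10:15:10Z sftp-server[1000016611]: open "/etc/ssh/sshd_config" flags READ,WRITE mode 0644',
    '2016-03-01T10:15:10Z sftp-server[1000016611]: close "/etc/ssh/sshd_config" bytes read 0 written 210',
]

if __name__ == '__main__':
    for a in modified_files(parse_sftp_accesses(SAMPLE_LOG)):
        print(f'{a.ts} {a.user}@{a.ip} wrote {a.bytes_written} bytes to {a.path} (flags {a.flags})')
```

On a real host the same function can be fed the output of a syslog forwarder; only lines whose process tag is sftp-server are considered.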


Additional Information

To increase ESXi logging for SFTP-based file access on multiple hosts at once, run this script from a machine that can reach the hosts over SSH:

# Space-separated list of ESXi host names or IP addresses, and the account to log in as.
ESXHOSTS="space separated list of esx host names or IP addresses";
ESXUSER="root";

# For each host: if LOCAL5 is already present in sshd_config the change was made before,
# otherwise add the syslog facility (-f LOCAL5) and log level (-l INFO) to the sftp-server line.
for host in $ESXHOSTS; do
ssh "$ESXUSER@$host" "grep LOCAL5 /etc/ssh/sshd_config || sed 's/sftp-server/sftp-server -f LOCAL5 -l INFO/g' -i /etc/ssh/sshd_config";
done


Restarting the Management agents in ESXi
Using Tech Support Mode in ESXi 4.1, ESXi 5.x, and ESXi 6.x
Enabling root SSH login on an ESX host