The FTP service creates logs of its file transfers. The SFTP service, which runs under the ssh protocol, can be audited by preselecting the ft audit class. Logins to both services can be audited.
For the available logging options, read ProFTPD Logging.
To log sftp access and file transfers, edit the ft class.
The ft class includes the following SFTP transactions:
% auditrecord -c ft file transfer: chmod ... file transfer: chown ... file transfer: get ... file transfer: mkdir ... file transfer: put ... file transfer: remove ... file transfer: rename ... file transfer: rmdir ... file transfer: session start ... file transfer: session end ... file transfer: symlink ... file transfer: utimes
To record access to the FTP server, audit the lo class.
As the following sample output indicates, logging in to and out of the proftpd daemon generates audit records.
% auditrecord -c lo | more ... FTP server login program proftpd See in.ftpd(1M) event ID 6165 AUE_ftpd class lo (0x0000000000001000) header subject [text] error message return FTP server logout program proftpd See in.ftpd(1M) event ID 6171 AUE_ftpd_logout class lo (0x0000000000001000) header subject return ...