The FTP service creates logs of its file transfers. The SFTP service, which runs under the ssh protocol, can be audited by preselecting the ft audit class. Logins to both services can be audited.
To log sftp access and file transfers, edit the ft class.
The ft class includes the following SFTP transactions:
$ auditrecord -c ft file transfer: chmod ... file transfer: chown ... file transfer: get ... file transfer: mkdir ... file transfer: put ... file transfer: remove ... file transfer: rename ... file transfer: rmdir ... file transfer: session start ... file transfer: session end ... file transfer: symlink ... file transfer: utimes
To record access to the Professional File Transfer Protocol (FTP) server, ensure that you are auditing the lo class.
As the following sample output indicates, logging in to and out of the proftpd daemon generates audit records.
$ auditrecord -c lo | more ... FTP server login program proftpd See in.ftpd(1M) event ID 6165 AUE_ftpd class lo (0x0000000000001000) header subject [text] error message return FTP server logout program proftpd See in.ftpd(1M) event ID 6171 AUE_ftpd_logout class lo (0x0000000000001000) header subject return ...
For information about how to log FTP commands and file transfers, use the man command to view the proftpd (8) man page.
For the available logging options, read ProFTPD Logging (http://www.proftpd.org/docs/howto/Logging.html).