This Blog is to share our knowledge and expertise on Linux System Administration and VMware Administration

Friday, October 20, 2017

How to enable logging for chroot sftp users on a Linux server?

Follow the steps below to enable logs for chroot sftp users.

1. Take a backup of /etc/ssh/sshd_config

2. Add the below settings to sshd_config

Subsystem       sftp   internal-sftp  -f LOCAL6 -l INFO

  Match group sftpgroup
  ChrootDirectory /home/%u
  KbdInteractiveAuthentication no
  PasswordAuthentication no
  AllowTCPForwarding no
  X11Forwarding no
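  # Older OpenSSH releases reject Subsystem inside a Match block;
  # ForceCommand applies the same logging options to this group
  ForceCommand internal-sftp -f LOCAL6 -l INFO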

Save & Exit the sshd configuration.

3. Take a backup of /etc/sysconfig/rsyslog and add the below entry.

SYSLOGD_OPTIONS="-m 0 -a /home/sftpuser/dev/log"

4. Create the sftp.log file under /etc/rsyslog.d and add the below entries (this is used to create the sockets)

# create additional sockets for the sftp chrooted users
module(load="imuxsock")
input(type="imuxsock" Socket="/path/to/somedirectory/dev/log" CreatePath="on")
input(type="imuxsock" Socket="/path/to/anotherdirectory/dev/log" CreatePath="on")

# log internal-sftp activity to sftp.log
if $programname == 'internal-sftp' then /var/log/sftp/sftp.log
& stop

5. Create the dev directory under /home/sftpuser

6. Now restart both the sshd and rsyslog services

7. Logging of chroot sftp users' activity is now enabled, and the logs are available under /var/log/sftp/
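
The drop-in from step 4 needs one input() line per chrooted user, because internal-sftp can only reach a /dev/log socket inside its own chroot. As an added example (not part of the original post), this shell function generates that file for a list of users, assuming ChrootDirectory /home/%u as configured above; the function name gen_sftp_rsyslog_conf and the sample user names are hypothetical.

```shell
#!/bin/sh
# Added example: build the rsyslog drop-in from step 4 for chrooted SFTP users.
# Assumes ChrootDirectory /home/%u, so each socket lives at /home/<user>/dev/log.
# gen_sftp_rsyslog_conf is a hypothetical helper name.

gen_sftp_rsyslog_conf() {
    # Validate every name first so a bad argument yields no partial config.
    # Only letters, digits, dot, underscore and dash are accepted, which keeps
    # quotes and path separators out of the generated Socket= values.
    for user in "$@"; do
        case "$user" in
            ""|.|..|*[!A-Za-z0-9._-]*)
                echo "refusing unsafe user name: $user" >&2
                return 1 ;;
        esac
    done

    echo '# create additional sockets for the sftp chrooted users'
    echo 'module(load="imuxsock")'
    for user in "$@"; do
        printf 'input(type="imuxsock" Socket="/home/%s/dev/log" CreatePath="on")\n' "$user"
    done
    echo
    echo '# log internal-sftp activity to sftp.log'
    echo "if \$programname == 'internal-sftp' then /var/log/sftp/sftp.log"
    echo '& stop'
}

# Constructed sample users; on a real host pass the members of sftpgroup
# and redirect the output to the file created in step 4.
gen_sftp_rsyslog_conf alice bob
```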

Hope it helps.
