Azure Audit Logging
SFTP Gateway enables audit logging for SFTP by default.
These logs are contained within the file: /var/log/secure.
Here's a sample output:
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: Accepted publickey for robtest from 71.179.98.86 port 56155 ssh2: RSA SHA256:4+Yc4RpsQuxF55NdRCGwCKHHcKqXfvKf/gm9Q89/aH8
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: pam_unix(sshd:session): session opened for user robtest by (uid=0)
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: session opened for local user robtest from [71.179.98.86] [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: opendir "/local" [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: closedir "/local" [postauth]
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: open "/local/Installer.pkg" flags WRITE,CREATE,TRUNCATE mode 0100644 [postauth]
Mar 20 21:07:42 ip-172-31-0-92 sshd[27990]: close "/local/Installer.pkg" bytes read 0 written 17844019 [postauth]
Mar 20 21:07:43 ip-172-31-0-92 sshd[27990]: opendir "/local" [postauth]
Mar 20 21:07:43 ip-172-31-0-92 sshd[27990]: closedir "/local" [postauth]
Here, you can see that robtest logged in, and any actions logged by process 27990 are tied to this user.
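The PID correlation described above can be automated when reviewing /var/log/secure. The following Python is an added example, not part of SFTP Gateway: it maps each sshd PID to the user on its "Accepted" line and tags later open/close events with that user. The function name attribute and the last sample line (PID 28111) are constructed for illustration.

```python
import re

# First three lines are from the sample output above; the last is constructed
# to show an event whose PID has no login line in the scanned window.
SAMPLE = """\
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: Accepted publickey for robtest from 71.179.98.86 port 56155 ssh2: RSA SHA256:4+Yc4RpsQuxF55NdRCGwCKHHcKqXfvKf/gm9Q89/aH8
Mar 20 21:07:32 ip-172-31-0-92 sshd[27990]: open "/local/Installer.pkg" flags WRITE,CREATE,TRUNCATE mode 0100644 [postauth]
Mar 20 21:07:42 ip-172-31-0-92 sshd[27990]: close "/local/Installer.pkg" bytes read 0 written 17844019 [postauth]
Mar 20 21:09:01 ip-172-31-0-92 sshd[28111]: open "/local/report.csv" flags READ mode 0666 [postauth]
"""

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
LOGIN = re.compile(r'^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+')
OPEN = re.compile(r'^open "(?P<path>.*)" flags (?P<flags>\S+) mode ')
CLOSE = re.compile(r'^close "(?P<path>.*)" bytes read (?P<read>\d+) written (?P<written>\d+)')


def attribute(lines):
    """Return file events, each tagged with the user who owns the sshd PID."""
    sessions = {}   # pid -> (user, source ip), set by the "Accepted" line
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        login = LOGIN.match(msg)
        if login:
            # PIDs get reused over time, so a new login replaces the old owner.
            sessions[pid] = (login["user"], login["ip"])
            continue
        user, ip = sessions.get(pid, (None, None))  # None = login not seen
        base = {"ts": m["ts"], "pid": pid, "user": user, "ip": ip}
        opened, closed = OPEN.match(msg), CLOSE.match(msg)
        if opened:
            events.append({**base, "action": "open", "path": opened["path"],
                           "flags": opened["flags"].split(",")})
        elif closed:
            events.append({**base, "action": "close", "path": closed["path"],
                           "read": int(closed["read"]),
                           "written": int(closed["written"])})
    return events


if __name__ == "__main__":
    for e in attribute(SAMPLE.splitlines()):
        print(e)
```

Events whose user is None come from a PID with no login line in the input, which usually means the login was written to an older, rotated log file.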