Skip to content

Logging Facilities

bagajjal edited this page Apr 20, 2021 · 8 revisions

Logging facilities

Prior to v7.6.1.0, server side components supported only 1 logging facility (file based at logs\sshd.log). In v7.6.1.0 and later, ETW logging is added and is the default. You can view these logs under event viewer as follows:

image

The admin channel is for CRITICAL and ERROR events, operational is for INFO and debug is for DEBUG* variants. The payload would mimic what users would otherwise see in a typical syslog entry.

To see Debug logs in EventViewer, do the following:

  • Ensure sshd_config has logging level at DEBUG or above
  • In Eventviewer, select option to show "Analytic and Debug Logs" (under top menu, View)
  • Enable Debug logging (select Debug channel, click "Enable log" on right menu)

File based logging

File based logging option (useful for quickly collecting debug traces) can be turned on by setting the following in sshd_config

SyslogFacility LOCAL0

LogLevel Debug3

Restart the sshd service after making changes to sshd_config.

net stop sshd

net start sshd

With this option, the logs would be collected at %programdata%\ssh\logs.

sftp-server would follow similar semantics for logging (by default to ETW) and to files using the following as subsystem path in sshd_config:

sftp-server -f LOCAL0 -l DEBUG3

Restart the sshd service after making changes to sshd_config. sftp-server logs will be written to %programdata%\ssh\logs\sftp-server.log

Clone this wiki locally