Merge pull request #18 from thomasbilk/master

Added an option to enable verbose logging

defaults/main.yml

@@ -4,3 +4,4 @@ sftp_group_name: sftpusers
 sftp_directories: []
 sftp_allow_passwords: False
 sftp_enable_selinux_support: False
+sftp_enable_logging: False

handlers/main.yml

@@ -4,3 +4,8 @@
     name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"
     state: restarted
   ignore_errors: Yes
+
+- name: SFTP-Server | Restart rsyslog
+  service:
+    name: rsyslog
+    state: restarted

tasks/main.yml

@@ -39,8 +39,8 @@
           ChrootDirectory %h
           AllowTCPForwarding no
           X11Forwarding no
-          ForceCommand internal-sftp
-          PasswordAuthentication {% if sftp_allow_passwords %}yes{% else %}no{% endif %}
+          ForceCommand internal-sftp {{ sftp_enable_logging | ternary('-l VERBOSE', '') }}
+          PasswordAuthentication {{ sftp_allow_passwords | ternary('yes', 'no') }}
   notify: SFTP-Server | Restart sshd
 
 # Create each SFTP user with home directory on the correct partition, and add to SFTP group.
@@ -108,3 +108,31 @@
     - flags:
       skip_missing: True
 
+- name: SFTP-Server | Create dev directory for logging
+  file:
+    path: "{{ sftp_home_partition }}/{{ item.name }}/dev"
+    owner: root
+    group: root
+    state: directory
+  with_items:
+    - "{{ sftp_users }}"
+  when: sftp_enable_logging
+
+- name: SFTP-Server | Enable Logging
+  blockinfile:
+    dest: "/etc/rsyslog.d/sshd.conf"
+    create: yes
+    block: |
+      # Create an additional socket for some of the sshd chrooted users.
+      {% for user in sftp_users %}
+      $AddUnixListenSocket /home/{{ user.name }}/dev/log
+      {% endfor %}
+
+      # Log internal-sftp in a separate file
+      :programname, isequal, "internal-sftp" -/var/log/sftp/verbose.log
+      :programname, isequal, "internal-sftp" ~
+
+      # additionally write an auth log
+      auth,authpriv.*  /var/log/sftp/auth.log
+  when: sftp_enable_logging
+  notify: SFTP-Server | Restart rsyslog