ETW logging doesn't work for non-admin accounts #1174

Closed
julien-padovani opened this issue Jun 4, 2018 · 7 comments

@julien-padovani

julien-padovani commented Jun 4, 2018

"OpenSSH for Windows" version
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.4

Server OperatingSystem
Windows Server 2012 R2 Datacenter

Client OperatingSystem
Windows 10

What is failing
Once the client is connected to sftp-server, there are no visible actions in the logs.
Example: a user removes a file or folder, no logs show this.

Expected output
Get detailed logs about the user actions - create/delete/rename/move

Get logs in Event viewer from sftp-server
image

Get logs in file from sftp-server
image

Actual output
sshd provides logs about the ssh connection
sftp-server provides no information in logs about users' actions.

Current SSHD_CONFIG
#Logging
SyslogFacility AUTH
#SyslogFacility LOCAL0
LogLevel DEBUG3

#Override default of no subsystems
#Subsystem sftp sftp-server.exe
#Subsystem sftp sftp-server.exe -f LOCAL0 -l DEBUG3
Subsystem sftp sftp-server.exe -f AUTH -l DEBUG3

Have I missed something?

Regards

@manojampalam
Contributor

Did you follow these 3 steps in https://github.com/PowerShell/Win32-OpenSSH/wiki/Logging-Facilities (referenced in the sshd_config manual)?

To see Debug logs in EventViewer, do the following:

  • Ensure sshd_config has logging level at DEBUG or above
  • In Event Viewer, select the option to show "Analytic and Debug Logs" (under top menu, View)
  • Enable Debug logging (select Debug channel, click "Enable log" on right menu)
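
The three steps above as a PowerShell session, added here as an example; it is not part of the original thread or of the project's documentation. The config path and the `OpenSSH/Debug` channel name are assumed Win32-OpenSSH defaults.

```powershell
# Added example. Assumed defaults for a Win32-OpenSSH install; adjust as needed.
$ConfigPath = Join-Path $env:ProgramData 'ssh\sshd_config'   # assumed default location
$Channel    = 'OpenSSH/Debug'                                # assumed channel name

# Step 1: show the active (uncommented) logging directives.
# For LogLevel, sshd keeps the first value it reads, so order matters.
Get-Content -Path $ConfigPath |
    Where-Object { $_ -match '^\s*(LogLevel|SyslogFacility|Subsystem\s+sftp)\b' }

# Steps 2 and 3: enable the Debug channel (run from an elevated prompt).
# /q:true suppresses the confirmation prompt shown for debug/analytic logs.
wevtutil.exe sl $Channel /e:true /q:true

# Confirm the channel is enabled and inspect its isolation and access control.
Get-WinEvent -ListLog $Channel |
    Format-List LogName, IsEnabled, LogIsolation, SecurityDescriptor

# Perform a test action over SFTP (for example, delete a file), then read the log.
# Debug and analytic logs can only be read oldest-first, hence -Oldest.
Get-WinEvent -LogName $Channel -Oldest |
    Select-Object -Last 40 -Property TimeCreated, ProcessId, Message |
    Format-List
```

Running the test action once as an administrator and once as a standard user, then comparing the two reads, shows whether events from the non-admin session reach the channel.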

@julien-padovani
Author

Hello,

Yes, I did. When enabled I find detailed information when the user establishes the connection. But I see no logs about files or user actions.

@manojampalam
Contributor

Looks like it's only working for admin accounts. Thanks for catching this. We'll follow up.

manojampalam changed the title from "sftp-server logging - no detailed actions performed by users" to "ETW logging doesn't work for non-admin accounts" Jun 5, 2018
manojampalam added this to the vNext milestone Jun 5, 2018

@julien-padovani
Author

I've added the user to the administrators group, I still see no logs about files that the user creates/removes/etc.

What results do you see as admin? Could you share your logs?

bingbing8 modified the milestones: 7.7.2.0p1-Beta, vNext Jul 26, 2018
bingbing8 self-assigned this Aug 6, 2018
bingbing8 added a commit to PowerShell/openssh-portable that referenced this issue Aug 11, 2018
Fix of PowerShell/Win32-OpenSSH#1174 to grant non-admin permission to log events
Change the file type to text so it will show the diff in the future
@bingbing8
Contributor

Currently the user should be able to see non-admin logs in the Debug channel. The Admin and Operational channels are on by default, so setting custom isolation would add 2 more independent autologgers on the system.
PowerShell/openssh-portable@fc6d825

@kesadae11

Hello!
When is it planned to solve this issue? I have the same problem as here: #1615
Do you have any information about it?

Thank you!

@bagajjal
Collaborator

The fix is part of the V8.6 release

PowerShell/openssh-portable#513
