Thank you for your prompt response Lars!
Your suggestions worked perfectly for non-chrooted SFTP users, but didn't work for my chrooted users. However, it led me on the right track in contrasting the differences between logging for non-chroot and chroot.
So, after a minor trip to hell and back, understanding the different procedures of adding sockets in syslogd/rsyslogd, as well as the logging structures in CentOS/Debian, I FINALLY got this to WORK. A lot of help came from this thread http://kb.monitorware.com/log-sftp-c...sh-t10497.html and here is what my setup looks like:

    Subsystem sftp internal-sftp -f LOCAL7 -l INFO
    Match group sftpusers
    ForceCommand internal-sftp -f LOCAL7 -l INFO

Then I created /etc/rsyslog.d/60-sftp.conf and added the following three commands.

    # Create an additional socket for some of the sshd chrooted users.
    # Parse the data logged at level INFO and facility LOCAL7 into /var/log/sftp.log
    # Report logins and logoffs

Finally, I created the directory specified in 60-sftp.conf, which for me was /SFTP/dev (basically, there needs to be a "dev" directory at the root level of the chroot).

Now, when someone logs in to my chroot and transfers files, a file called "log" is created by rsyslog in /SFTP/dev and the information from this file is parsed into /var/log/sftp.log where I can read it. To see who did what, I use two commands.

    cat /var/log/sftp.log | grep [username]
    # Among other things, this returns a number that I use in the next command
    cat /var/log/sftp.log | grep [number] | grep -w -e close -e remove

Phew! That's one day of frustration, but with a happy ending! Thanks again!

(The only thing still a mystery is the prefixes for the files in rsyslog.d/. Are these (10,50,60) just to get the files processed in the correct order? I know the GRUB config has the same setup, since a few distro updates back.)
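The two-step grep above (find the session number for a user, then pull that session's close/remove lines) is easy to script so it can be run regularly rather than by hand. The following is an added example, not code from the post or from OpenSSH/rsyslog; it assumes the usual internal-sftp line format ("internal-sftp[PID]: session opened for local user NAME from [ADDR]", then "open"/"close"/"remove" lines carrying the same PID) and the log lines it reads are constructed samples, not real server output.

```shell
#!/bin/sh
# Added example: correlate internal-sftp log lines by session PID, the
# same two-step lookup the post does by hand with grep.
# Assumption: lines look like "... internal-sftp[PID]: <message>" as
# written by sshd's internal-sftp at facility LOCAL7, level INFO.
# The log below is CONSTRUCTED sample data, not taken from a real host.

SFTP_LOG="${SFTP_LOG:-$(mktemp)}"
cat > "$SFTP_LOG" <<'EOF'
Mar  1 10:00:00 host internal-sftp[12345]: session opened for local user alice from [192.0.2.10]
Mar  1 10:00:05 host internal-sftp[12345]: open "/upload/report.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  1 10:00:06 host internal-sftp[12345]: close "/upload/report.txt" bytes read 0 written 1024
Mar  1 10:00:10 host internal-sftp[12345]: remove name "/upload/old.txt"
Mar  1 10:00:20 host internal-sftp[12345]: session closed for local user alice from [192.0.2.10]
Mar  1 10:05:00 host internal-sftp[12399]: session opened for local user bob from [198.51.100.7]
Mar  1 10:05:04 host internal-sftp[12399]: close "/upload/notes.txt" bytes read 512 written 0
Mar  1 10:05:09 host internal-sftp[12399]: session closed for local user bob from [198.51.100.7]
EOF

# Step 1: the session PIDs opened by a given user (the "number" in the post).
# The trailing space after the name stops "alice" from matching "alicea".
sftp_sessions() {
  grep "session opened for local user $1 " "$SFTP_LOG" \
    | sed -n 's/.*internal-sftp\[\([0-9]*\)\].*/\1/p' | sort -u
}

# Step 2: what those sessions did. "close" marks a finished read/write
# (with byte counts) and "remove" a deletion; -w keeps "session closed"
# from matching "close".
sftp_actions() {
  for pid in $(sftp_sessions "$1"); do
    grep "internal-sftp\[$pid\]:" "$SFTP_LOG" | grep -w -e close -e remove
  done
}

# Convenience: print one user's file activity, prefixed with the user name.
sftp_report() {
  sftp_actions "$1" | sed "s/^/$1: /"
}

# Usage: ./sftp_report.sh alice   (or set SFTP_LOG=/var/log/sftp.log first)
[ -n "$1" ] && sftp_report "$1"
```

Point SFTP_LOG at the real /var/log/sftp.log to use it on a live system; the functions themselves only read the file, so they are safe to run from cron or a log-review job.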