SFTP audit logging: what to capture and why it matters

A good SFTP audit trail answers who connected, from where, and what moved. Here's what to log, why object storage doesn't give you this for free, and how to keep an exportable record.

Sooner or later someone asks: “Did the file arrive? When? Who deleted it? Where did that login come from?” If you can’t answer, you don’t have an audit trail; you have hope. SFTP audit logging is what turns file transfer from a black box into something you can actually account for, and it matters for operations, security, and compliance alike.

What to capture

A useful SFTP audit record covers, for every session and operation:

  • Who: the authenticated user/credential.
  • From where: the source IP address.
  • When: timestamps for connect, each operation, and disconnect.
  • What: the operation (login, upload, download, list, rename, delete) and the path or object it touched.
  • Outcome: success or failure, and why it failed.

That’s enough to reconstruct “user X uploaded report.csv to /clients/acme/ at 02:14 from 203.0.113.5, and downloaded processed.csv at 06:00.”

Why object storage doesn’t give you this for free

Cloud object storage can log API calls (S3 access logs, CloudTrail data events, and so on), but those record the gateway’s actions against the bucket, not your SFTP users’ actions. They don’t know about SFTP usernames, path jails, or sessions. To get a transfer-level trail keyed to the actual partner who connected, the SFTP layer has to log it, because only it knows who the SFTP user was. Stitching SFTP identity onto raw storage logs after the fact is painful and lossy.

Why it matters

  • Operations: answer “did the nightly file land?” without guessing.
  • Security & forensics: if a credential is misused, you can see exactly what it touched and from where, and scope the blast radius.
  • Compliance: many frameworks expect an access and transfer record for data exchange. (Logging supports compliance; it isn’t the same as holding a certification, so treat any vendor’s “compliance” claims with that distinction in mind.)
  • Partner disputes: a timestamped record settles “we never received it” quickly.

Make it exportable

A trail you can’t get out of the tool is half-useless. Insist on being able to export the audit log (CSV or via an interface you can pull into your own SIEM or warehouse), so it survives independently of the vendor and feeds your own monitoring.

Don’t silently cap it

Watch for tools that quietly truncate the audit log (top-N rows, short retention) without telling you. A record with invisible gaps reads as “complete” when it isn’t. Know your retention window and whether anything is being dropped.
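
As an added example (not Firepipe's code or export format), here is one way to put an exported trail to work: validate that every row carries the fields listed under "What to capture", scope what one credential touched, and flag sessions whose login row is absent, which is one symptom of a truncated export. The column names, the `session` identifier, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

REQUIRED = ("timestamp", "session", "user", "source_ip", "operation", "outcome")

# Constructed sample export; column names are assumptions, not any vendor's format.
SAMPLE = """timestamp,session,user,source_ip,operation,path,outcome
2024-05-01T02:13:58Z,s1,acme,203.0.113.5,login,,success
2024-05-01T02:14:03Z,s1,acme,203.0.113.5,upload,/clients/acme/report.csv,success
2024-05-01T02:14:10Z,s1,acme,203.0.113.5,disconnect,,success
2024-05-01T06:00:01Z,s2,acme,198.51.100.7,download,/clients/acme/processed.csv,success
2024-05-01T06:00:09Z,s2,acme,198.51.100.7,delete,/clients/acme/report.csv,failure:permission denied
"""

def load_audit(text):
    """Parse the export, rejecting rows that lack who/where/when/what/outcome."""
    rows = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        missing = [k for k in REQUIRED if not (row.get(k) or "").strip()]
        if missing:
            raise ValueError(f"line {n}: missing {missing}")
        row["timestamp"] = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])

def scope_credential(rows, user):
    """Everything one credential touched, and from which addresses."""
    scope = {"ips": set(), "paths": defaultdict(list), "failures": []}
    for r in rows:
        if r["user"] != user:
            continue
        scope["ips"].add(r["source_ip"])
        if r["path"]:
            scope["paths"][r["path"]].append(r["operation"])
        if r["outcome"] != "success":
            scope["failures"].append((r["operation"], r["path"], r["outcome"]))
    return scope

def sessions_missing_login(rows):
    """Sessions with operations but no login row: a sign the export was truncated."""
    seen_login, flagged = set(), []
    for r in rows:
        if r["operation"] == "login":
            seen_login.add(r["session"])
        elif r["session"] not in seen_login and r["session"] not in flagged:
            flagged.append(r["session"])
    return flagged
```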

In a managed gateway

Firepipe records every login, upload, download, and delete with the user, source IP, timestamp, and path, and lets you export the full trail. Combined with per-user credentials and path jails, the log attributes each action to a specific partner rather than to one shared login. See SFTP security best practices for how it fits the wider picture.

Try it on your own bucket

Connect a bucket you already own (Amazon S3, Azure Blob, Google Cloud Storage, or an S3-compatible store) and hand out a clean SFTP endpoint in minutes. Your files stay in your cloud.
