I'm configuring an SFTP server and having some issues with logs ending up in different places, depending on a group membership. This is on RHEL 8 but the same issue exists on an old RHEL 6 machine. Most users are SFTP only and have no shell access, this is configured by membership in the ftpnoshell group. Some users have a shell and can ssh to the server as well.
Here's the operative part of /etc/ssh/sshd_config:
Subsystem sftp internal-sftp -f LOCAL4 -l VERBOSE -d %u
Match Group ftpnoshell
ChrootDirectory /home
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp -f LOCAL4 -l VERBOSE -d %u
This is in /etc/rsyslog.conf:
local4.* /var/log/sftp.log
I would expect logs for all users to end up in /var/log/sftp.log, however logs for members of ftpnoshell are instead written in /var/log/secure.
Any ideas?