I'd like to log a user-specific ssh and following sftp session into a file which would have the username in the filename:
I have this:
Jan 8 13:43:38 mx1 sshd[84622]: Connection from 17x.xx.xx.xx port 50512 on 199.xx.xx.xx port 2222 rdomain "0"
Jan 8 13:43:39 mx1 sshd[84622]: Accepted key ED25519 SHA256:z6YhMPFiis6PAHg6XaWDj3Yyq4HqRCqv2SjXIP259EI found at /sites/users/<user>/home/<user>/.ssh/authorized_keys:1
Jan 8 13:43:39 mx1 sshd[84622]: Postponed publickey for <user> from 17x.xx.xx.xx port 50512 ssh2 [preauth]
Jan 8 13:43:39 mx1 sshd[84622]: Accepted key ED25519 SHA256:z6YhMPFiis6PAHg6XaWDj3Yyq4HqRCqv2SjXIP259EI found at /sites/users/<user>/home/<user>/.ssh/authorized_keys:1
Jan 8 13:43:39 mx1 sshd[84622]: Accepted publickey for <user> from 17x.xx.xx.xx port 50512 ssh2: ED25519 SHA256:z6YhMPFiis6PAHg6XaWDj3Yyq4HqRCqv2SjXIP259EI
Jan 8 13:43:39 mx1 sshd[84622]: User child is on pid 12325
Jan 8 13:43:39 mx1 sshd[12325]: Changed root directory to "/sites/users/<user>"
Jan 8 13:43:39 mx1 sshd[12325]: Starting session: forced-command (config) 'internal-sftp -u 0002 -l INFO' for <user> from 17x.xx.xx.xx port 50512 id 0
Jan 8 13:43:39 mx1 internal-sftp[9660]: session opened for local user <user> from [17x.xx.xx.xx]
Jan 8 13:43:42 mx1 internal-sftp[9660]: session closed for local user <user> from [17x.xx.xx.xx]
Jan 8 13:43:42 mx1 sshd[12325]: Close session: user <user> from 17x.xx.xx.xx port 50512 id 0
Thus IMO logging should match the first line 'Connection from', remember the IP, then wait for the 'Accepted publickey for' line and match the IP from the first line. Then wait for 'User child is on pid' and remember the PID, then match lines with that PID. Then wait for 'internal-sftp' lines with the previously matched user and IP and remember the PID of the sftp session, and match all SFTP PID lines. Lastly 'Close session:' if the user is matched.
Is it at least doable with rsyslog or syslog-ng?
My understanding is that you have a set of log data and you want to do event correlation on this data? First, the log data that you are working with is unstructured, i.e. "Connection from 17x.xx.xx.xx port 50512 on 199.xx.xx.xx port 2222 rdomain "0"". While this makes sense to a human reader, it is not structured and would be a challenge when you are using other tools to process this data.
An example of structured data from that message would be something like:
and so on.
I would suggest looking into these Syslog messages and parsing/converting them into structured data, i.e. JSON. There are log collectors available that you can download for free to parse from Syslog to JSON. The log collectors accept log messages from your Rsyslog and from there, parse the message from Syslog, convert it to JSON format (structured data), and send it out to some sort of analytics or other dashboard for processing.
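The following is an added example, written for this page and not code from either the question or the answer. It does both things discussed above: it parses each sshd / internal-sftp syslog line into a structured record (the JSON-style representation the answer recommends), and it then runs the PID/IP correlation the question describes (remember the IP from 'Connection from', bind the child PID from 'User child is on pid', tie the fresh internal-sftp PID to the open session with the same user and IP, stop at 'Close session:') to collect every line of one login into a per-user record. The sample log is constructed to match the shape of the lines in the question; the user "alice", host "mx1" and the IP addresses are made-up values. The username comes from untrusted log content, so it is checked against a conservative charset before it is used as part of a file name.

```python
import json
import os
import re

# Constructed sample in the shape of the sshd / internal-sftp lines quoted in the
# question; the user "alice", the host and the IP addresses are made-up values.
SAMPLE_LOG = """\
Jan 8 13:43:38 mx1 sshd[84622]: Connection from 203.0.113.5 port 50512 on 198.51.100.7 port 2222 rdomain "0"
Jan 8 13:43:39 mx1 sshd[84622]: Accepted key ED25519 SHA256:EXAMPLEFINGERPRINT found at /sites/users/alice/home/alice/.ssh/authorized_keys:1
Jan 8 13:43:39 mx1 sshd[84622]: Postponed publickey for alice from 203.0.113.5 port 50512 ssh2 [preauth]
Jan 8 13:43:39 mx1 sshd[84622]: Accepted key ED25519 SHA256:EXAMPLEFINGERPRINT found at /sites/users/alice/home/alice/.ssh/authorized_keys:1
Jan 8 13:43:39 mx1 sshd[84622]: Accepted publickey for alice from 203.0.113.5 port 50512 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 8 13:43:39 mx1 sshd[84622]: User child is on pid 12325
Jan 8 13:43:39 mx1 sshd[12325]: Changed root directory to "/sites/users/alice"
Jan 8 13:43:39 mx1 sshd[12325]: Starting session: forced-command (config) 'internal-sftp -u 0002 -l INFO' for alice from 203.0.113.5 port 50512 id 0
Jan 8 13:43:39 mx1 internal-sftp[9660]: session opened for local user alice from [203.0.113.5]
Jan 8 13:43:42 mx1 internal-sftp[9660]: session closed for local user alice from [203.0.113.5]
Jan 8 13:43:42 mx1 sshd[12325]: Close session: user alice from 203.0.113.5 port 50512 id 0
"""

# Classic BSD syslog prefix: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Message bodies that carry correlation state; any other line is simply attached
# to whichever session already owns its PID.
MSG_RES = {
    "connect": re.compile(r"^Connection from (?P<ip>\S+) port (?P<port>\d+)"),
    "auth": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "child": re.compile(r"^User child is on pid (?P<child>\d+)"),
    "sftp_open": re.compile(r"^session opened for local user (?P<user>\S+) from \[(?P<ip>\S+)\]"),
    "close": re.compile(r"^Close session: user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
}


def parse_line(line):
    """Turn one raw syslog line into a structured record (a dict), or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["event"] = "other"
    for name, rx in MSG_RES.items():
        mm = rx.match(rec["msg"])
        if mm:
            rec["event"] = name
            rec.update(mm.groupdict())
            break
    rec["raw"] = line
    return rec


def correlate(lines):
    """Group lines into login sessions by following the PID chain sshd -> child -> internal-sftp.
    Returns (sessions, unmatched_lines)."""
    sessions, unmatched = [], []
    owner = {}  # (host, pid) -> session that currently owns that PID
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unmatched.append(line)
            continue
        key = (rec["host"], rec["pid"])
        sess = owner.get(key)
        if rec["event"] == "connect":  # a fresh sshd PID starts a new session
            sess = {"host": rec["host"], "ip": rec["ip"], "port": int(rec["port"]), "user": None,
                    "pids": [rec["pid"]], "sftp_pid": None, "lines": [], "closed": False, "anomalies": []}
            sessions.append(sess)
            owner[key] = sess
        elif sess is None and rec["event"] == "sftp_open":
            # internal-sftp logs under its own PID; bind it to the open session with the same user and IP
            sess = next((s for s in sessions if not s["closed"] and s["sftp_pid"] is None
                         and s["user"] == rec["user"] and s["ip"] == rec["ip"]), None)
        if sess is None:
            unmatched.append(line)
            continue
        sess["lines"].append(line)
        if rec["event"] == "auth":
            sess["user"] = rec["user"]
            if rec["ip"] != sess["ip"]:  # the question's check: auth IP must equal the connect IP
                sess["anomalies"].append("auth ip %s != connect ip %s" % (rec["ip"], sess["ip"]))
        elif rec["event"] == "child":
            owner[(rec["host"], int(rec["child"]))] = sess
            sess["pids"].append(int(rec["child"]))
        elif rec["event"] == "sftp_open":
            sess["sftp_pid"] = rec["pid"]
            sess["pids"].append(rec["pid"])
            owner[key] = sess
        elif rec["event"] == "close":
            sess["closed"] = True  # PID map is kept so trailing lines from the parent still attach;
            # a later 'Connection from' on a reused PID replaces the mapping
    return sessions, unmatched


def safe_name(user):
    """Only a conservative username charset may become part of a file name; anything else
    (a crafted name containing '/' or '..', or no user at all) is bucketed as 'unknown'."""
    if user and re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", user):
        return user
    return "unknown"


def group_by_user(sessions):
    """Bucket raw lines by authenticated user; sessions that never authenticated go under 'unknown'."""
    out = {}
    for s in sessions:
        out.setdefault(s["user"] or "unknown", []).extend(s["lines"])
    return out


def write_per_user(sessions, outdir):
    """Append each session's lines to <outdir>/<user>.log and return {user: path}."""
    os.makedirs(outdir, exist_ok=True)
    paths = {}
    for user, lines in group_by_user(sessions).items():
        path = os.path.join(outdir, safe_name(user) + ".log")
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        paths[user] = path
    return paths


if __name__ == "__main__":
    found, leftover = correlate(SAMPLE_LOG.splitlines())
    print(json.dumps(found, indent=2))  # the structured, correlated form of the sample
    print("unmatched:", leftover)
```

Running the script prints one session for alice holding all eleven lines and the three PIDs 84622, 12325 and 9660; `write_per_user(found, "/path/to/dir")` would then produce `alice.log`. The point to take from it is that the correlation needs state carried across lines (the PID-to-session map and the connect IP), which is exactly what a stateless per-line filter in a syslog daemon does not give you; a collector that first parses the lines into records like these is the natural place to keep that state.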