SUDOREPLAY(8)             BSD System Manager's Manual            SUDOREPLAY(8)


NAME

     sudoreplay — replay sudo session logs


SYNOPSIS

     sudoreplay [-hnRS] [-d dir] [-f filter] [-m num] [-s num] ID

     sudoreplay [-h] [-d dir] -l [search expression]


DESCRIPTION

     sudoreplay plays back or lists the output logs created by sudo.  When
     replaying, sudoreplay can play the session back in real-time, or the
     playback speed may be adjusted (faster or slower) based on the command
     line options.

     The ID should either be a six character sequence of digits and upper case
     letters, e.g., 0100A5, a pattern matching the iolog_file option in the
     sudoers file, or a path name.  Path names may be relative to the
     iolog_dir option in the sudoers file (unless overridden by the -d option)
     or fully qualified, beginning with a ‘/’ character.  When a command is
     run via sudo with log_output enabled in the sudoers file, a TSID=ID
     string is logged via syslog or to the sudo log file.  The ID may also be
     determined using sudoreplay's list mode.

     In list mode, sudoreplay can be used to find the ID of a session based on
     a number of criteria such as the user, tty or command run.

     In replay mode, if the standard input and output are connected to a
     terminal and the -n option is not specified, sudoreplay will operate
     interactively.  In interactive mode, sudoreplay will attempt to adjust
     the terminal size to match that of the session and write directly to the
     terminal (not all terminals support this).  Additionally, it will poll
     the keyboard and act on the following keys:

     ‘\n’ or ‘\r’  Skip to the next replay event; useful for long pauses.

     ‘ ’ (space)   Pause output; press any key to resume.

     ‘<’           Reduce the playback speed by one half.

     ‘>’           Double the playback speed.

     The session can be interrupted via control-C.  When the session has
     finished, the terminal is restored to its original size if it was changed
     during playback.

     The options are as follows:

     -d dir, --directory=dir
                 Store session logs in dir instead of the default,
                 /var/log/sudo-io.

     -f filter, --filter=filter
                 Select which I/O type(s) to display.  By default, sudoreplay
                 will display the command's standard output, standard error
                 and tty output.  The filter argument is a comma-separated
                 list, consisting of one or more of the following: stdin,
                 stdout, stderr, ttyin, and ttyout.

     -h, --help  Display a short help message to the standard output and exit.

     -l, --list [search expression]
                 Enable “list mode”.  In this mode, sudoreplay will list
                 available sessions in a format similar to the sudo log file
                 format, sorted by file name (or sequence number).  If a
                 search expression is specified, it will be used to restrict
                 the IDs that are displayed.  An expression is composed of the
                 following predicates:

                 command pattern
                         Evaluates to true if the command run matches the
                         POSIX extended regular expression pattern.

                 cwd directory
                         Evaluates to true if the command was run with the
                         specified current working directory.

                 fromdate date
                         Evaluates to true if the command was run on or after
                         date.  See Date and time format for a description of
                         supported date and time formats.

                 group runas_group
                         Evaluates to true if the command was run with the
                         specified runas_group.  Note that unless a
                         runas_group was explicitly specified when sudo was
                         run this field will be empty in the log.

                 runas runas_user
                         Evaluates to true if the command was run as the
                         specified runas_user.  Note that sudo runs commands
                         as user root by default.

                 todate date
                         Evaluates to true if the command was run on or prior
                         to date.  See Date and time format for a description
                         of supported date and time formats.

                 tty tty name
                         Evaluates to true if the command was run on the
                         specified terminal device.  The tty name should be
                         specified without the /dev/ prefix, e.g., tty01
                         instead of /dev/tty01.

                 user user name
                         Evaluates to true if the ID matches a command run by
                         user name.

                 Predicates may be abbreviated to the shortest unique string.

                 Predicates may be combined using and, or and ! operators as
                 well as ‘(’ and ‘)’ grouping (note that parentheses must
                 generally be escaped from the shell).  The and operator is
                 optional; adjacent predicates have an implied and unless
                 separated by an or.

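     The following is an added example, not code from sudo or this manual: a
     small Python model of the list-mode search language described above.  It
     implements shortest-unique abbreviation of predicate names, the implied
     and between adjacent predicates, or, !, and parenthesised grouping, and
     evaluates the resulting expression against a handful of constructed
     session records.  The session records, the precedence reading (or binds
     weakest) and the omission of the fromdate/todate predicates are this
     example's own assumptions; it is meant for understanding how a search
     expression selects sessions, not as a replacement for sudoreplay -l.

```python
import re

# Predicates sudoreplay's list mode understands; fromdate/todate are
# recognised for abbreviation purposes but not evaluated in this example.
PREDICATES = ["command", "cwd", "fromdate", "group", "runas", "todate", "tty", "user"]

# Constructed sample sessions (hypothetical, not real I/O logs); the keys
# mirror the fields the predicates test.
SESSIONS = [
    {"id": "000001", "user": "jeff", "runas": "root", "group": "",
     "tty": "console", "cwd": "/home/jeff", "command": "/bin/sh"},
    {"id": "000002", "user": "bob", "runas": "root", "group": "",
     "tty": "pts/0", "cwd": "/home/bob", "command": "/usr/bin/vi /etc/hosts"},
    {"id": "000003", "user": "bob", "runas": "root", "group": "",
     "tty": "console", "cwd": "/home/bob", "command": "/bin/bash"},
    {"id": "000004", "user": "alice", "runas": "www", "group": "www",
     "tty": "pts/1", "cwd": "/var/www", "command": "/bin/ls"},
]


def expand(word):
    """Expand an abbreviated predicate name to its shortest unique match."""
    matches = [p for p in PREDICATES if p.startswith(word)]
    if len(matches) != 1:
        raise ValueError("ambiguous or unknown predicate: %r" % word)
    return matches[0]


def parse(tokens):
    """Parse shell-split tokens into a tree of (op, ...) tuples.

    Grammar (this example's reading of the manual): 'or' binds weakest,
    adjacent predicates have an implied 'and', '!' negates, '(' ')' group.
    """
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def expr():
        node = term()
        while peek() == "or":
            take()
            node = ("or", node, term())
        return node

    def term():
        node = factor()
        while peek() is not None and peek() not in ("or", ")"):
            if peek() == "and":
                take()
            node = ("and", node, factor())
        return node

    def factor():
        tok = take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "!":
            return ("not", factor())
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        name = expand(tok)
        arg = take()
        if arg is None:
            raise ValueError("%s requires an argument" % name)
        return (name, arg)

    tree = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens: %r" % tokens[pos:])
    return tree


def matches(node, session):
    """Evaluate a parsed expression against one session record."""
    op = node[0]
    if op == "and":
        return matches(node[1], session) and matches(node[2], session)
    if op == "or":
        return matches(node[1], session) or matches(node[2], session)
    if op == "not":
        return not matches(node[1], session)
    if op == "command":
        # The manual specifies POSIX ERE; Python's re is close enough here.
        return re.search(node[1], session["command"]) is not None
    if op in ("fromdate", "todate"):
        raise NotImplementedError("date predicates are not modelled here")
    return session[op] == node[1]


def list_sessions(args, sessions=SESSIONS):
    """Return IDs of sessions matching a sudoreplay-style search expression."""
    tree = parse(list(args))
    return [s["id"] for s in sessions if matches(tree, s)]


if __name__ == "__main__":
    # Same expression as the manual's last EXAMPLES entry, already shell-split.
    print(list_sessions(["(", "user", "jeff", "or", "user", "bob", ")", "tty", "console"]))
```

     The tokens are given as a list because that is what sudoreplay receives
     after the shell has split its arguments; the parentheses only survive
     that split when escaped, which is why the manual asks for it.  Note that
     a single-letter abbreviation such as c is rejected as ambiguous because
     both command and cwd start with it.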
     -m, --max-wait max_wait
                 Specify an upper bound on how long to wait between key
                 presses or output data.  By default, sudoreplay will
                 accurately reproduce the delays between key presses or
                 program output.  However, this can be tedious when the
                 session includes long pauses.  When the -m option is
                 specified, sudoreplay will limit these pauses to at most
                 max_wait seconds.  The value may be specified as a floating
                 point number, e.g., 2.5.  A max_wait of zero or less will
                 eliminate the pauses entirely.

     -n, --non-interactive
                 Do not prompt for user input or attempt to re-size the
                 terminal.  The session is written to the standard output, not
                 directly to the user's terminal.

     -R, --no-resize
                 Do not attempt to re-size the terminal to match the terminal
                 size of the session.

     -S, --suspend-wait
                 Wait while the command was suspended.  By default, sudoreplay
                 will ignore the time interval between when the command was
                 suspended and when it was resumed.  If the -S option is
                 specified, sudoreplay will wait instead.

     -s, --speed speed_factor
                 This option causes sudoreplay to adjust the number of seconds
                 it will wait between key presses or program output.  This can
                 be used to slow down or speed up the display.  For example, a
                 speed_factor of 2 would make the output twice as fast whereas
                 a speed_factor of .5 would make the output twice as slow.

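     The following is an added example, not code from sudo or this manual.
     It models how the -f, -m, -S and -s options above interact when
     deciding how long to pause before each replayed event and which events
     are shown at all.  The event list is constructed for the example and its
     tuple layout is this example's own representation, not sudo's on-disk
     timing file format; the order in which the speed factor and the max_wait
     clamp are applied is likewise an assumption made here.

```python
# Constructed timing events as (kind, seconds since the previous event).
# "suspend" marks the point where the command was stopped, and the delay on
# the event that follows it is the time the command stayed suspended.
EVENTS = [
    ("ttyout", 0.0),
    ("ttyin", 1.5),
    ("ttyout", 0.2),
    ("suspend", 0.1),
    ("ttyout", 45.0),    # command resumed after 45 s
    ("ttyin", 12.0),
    ("ttyout", 0.05),
]

IO_TYPES = ("stdin", "stdout", "stderr", "ttyin", "ttyout")
DEFAULT_FILTER = ("stdout", "stderr", "ttyout")   # what -f defaults to


def parse_filter(arg):
    """Parse a -f style comma-separated list into the I/O types to show."""
    kinds = tuple(k.strip() for k in arg.split(","))
    bad = [k for k in kinds if k not in IO_TYPES]
    if bad:
        raise ValueError("unknown I/O type(s): %s" % ", ".join(bad))
    return kinds


def playback_delay(delay, speed=1.0, max_wait=None):
    """Seconds to sleep before one event once -s and -m are applied.

    Assumption for this example: the speed factor is applied first and the
    result is then clamped to max_wait; a max_wait <= 0 removes the pause.
    """
    if speed <= 0:
        raise ValueError("speed factor must be positive")
    delay = delay / speed
    if max_wait is not None:
        delay = 0.0 if max_wait <= 0 else min(delay, max_wait)
    return delay


def schedule(events, speed=1.0, max_wait=None, suspend_wait=False,
             kinds=DEFAULT_FILTER):
    """Return (elapsed_seconds, kind) for each event that would be shown."""
    shown = []
    elapsed = 0.0
    after_suspend = False
    for kind, delay in events:
        if kind == "suspend":
            elapsed += playback_delay(delay, speed, max_wait)
            after_suspend = True
            continue
        if after_suspend and not suspend_wait:
            delay = 0.0          # default: skip the suspended interval (-S waits)
        after_suspend = False
        elapsed += playback_delay(delay, speed, max_wait)
        if kind in kinds:
            shown.append((round(elapsed, 6), kind))
    return shown


if __name__ == "__main__":
    print("defaults:      ", schedule(EVENTS))
    print("-s 2 -m 5 -S:  ", schedule(EVENTS, speed=2, max_wait=5, suspend_wait=True))
    print("-m 0:          ", schedule(EVENTS, max_wait=0))
    print("-f ttyin:      ", schedule(EVENTS, kinds=parse_filter("ttyin")))
```

     With the defaults the 45 second suspended interval vanishes from the
     timeline, with -S it is honoured but still subject to the -m clamp, and
     -m 0 collapses every pause so the whole session is emitted at once.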
     -V, --version
                 Print the sudoreplay version number and exit.

   Date and time format
     The time and date may be specified in multiple ways; common formats
     include:

     HH:MM:SS am MM/DD/CCYY timezone
             24 hour time may be used in place of am/pm.

     HH:MM:SS am Month, Day Year timezone
             24 hour time may be used in place of am/pm, and month and day
             names may be abbreviated.  Note that month and day of the week
             names must be specified in English.

     CCYY-MM-DD HH:MM:SS
             ISO time format

     DD Month CCYY HH:MM:SS
             The month name may be abbreviated.

     Either time or date may be omitted; the am/pm and timezone are optional.
     If no date is specified, the current day is assumed; if no time is
     specified, the first second of the specified date is used.  The less
     significant parts of both time and date may also be omitted, in which
     case zero is assumed.

     The following are all valid time and date specifications:

     now     The current time and date.

     tomorrow
             Exactly one day from now.

     yesterday
             24 hours ago.

     2 hours ago
             2 hours ago.

     next Friday
             The first second of the Friday in the next (upcoming) week.  Not
             to be confused with “this Friday” which would match the Friday of
             the current week.

     last week
             The current time but 7 days ago.  This is equivalent to “a week
             ago”.

     a fortnight ago
             The current time but 14 days ago.

     10:01 am 9/17/2009
             10:01 am, September 17, 2009.

     10:01 am
             10:01 am on the current day.

     10      10:00 am on the current day.

     9/17/2009
             00:00 am, September 17, 2009.

     10:01 am Sep 17, 2009
             10:01 am, September 17, 2009.

     Note that relative time specifications do not always work as expected.
     For example, the “next” qualifier is intended to be used in conjunction
     with a day such as “next Monday”.  When used with units of weeks, months,
     years, etc., the result will be one more than expected.  For example,
     “next week” will result in a time exactly two weeks from now, which is
     probably not what was intended.  This will be addressed in a future
     version of sudoreplay.

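     The following is an added example, not code from sudo or this manual: a
     Python parser for the absolute date and time forms listed above plus the
     simpler relative forms (now, tomorrow, yesterday, "N units ago", last
     week, a fortnight ago).  It applies the rules stated in the text: a time
     without a date falls on the current day, a date without a time means the
     first second of that day, and omitted less-significant parts are zero.
     The set of strptime patterns tried, the reference time passed in as now,
     and the omission of timezone handling and of the "next"/"this" weekday
     forms are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Absolute formats from the manual, with am/pm and seconds made optional by
# listing the variants; full and abbreviated month names need separate
# patterns because strptime's %B and %b do not match each other's spelling.
_ABSOLUTE = [
    "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d",
    "%I:%M:%S %p %m/%d/%Y", "%I:%M %p %m/%d/%Y",
    "%H:%M:%S %m/%d/%Y", "%H:%M %m/%d/%Y", "%m/%d/%Y",
    "%I:%M:%S %p %b %d, %Y", "%I:%M %p %b %d, %Y",
    "%I:%M:%S %p %B %d, %Y", "%I:%M %p %B %d, %Y",
    "%d %B %Y %H:%M:%S", "%d %B %Y %H:%M", "%d %B %Y",
    "%d %b %Y %H:%M:%S", "%d %b %Y %H:%M", "%d %b %Y",
]

# Time-only forms; the date is taken from the reference time.
_TIME_ONLY = ["%I:%M:%S %p", "%I:%M %p", "%I %p", "%H:%M:%S", "%H:%M", "%H"]

# Fixed relative forms from the manual's list of examples.
_RELATIVE = {
    "now": timedelta(0),
    "tomorrow": timedelta(days=1),
    "yesterday": timedelta(days=-1),
    "last week": timedelta(days=-7),
    "a week ago": timedelta(days=-7),
    "a fortnight ago": timedelta(days=-14),
}


def parse_when(text, now=None):
    """Turn a fromdate/todate argument into a datetime (assumed local time).

    `now` is the reference time used for relative and time-only forms; it
    defaults to the wall clock so that tests can pin it.
    """
    now = now or datetime.now()
    spec = " ".join(text.split()).lower()

    if spec in _RELATIVE:
        return now + _RELATIVE[spec]

    m = re.fullmatch(r"(\d+) (second|minute|hour|day|week)s? ago", spec)
    if m:
        return now - timedelta(**{m.group(2) + "s": int(m.group(1))})

    for fmt in _ABSOLUTE:
        try:
            return datetime.strptime(spec, fmt)   # missing parts default to 0
        except ValueError:
            continue

    for fmt in _TIME_ONLY:
        try:
            t = datetime.strptime(spec, fmt)
        except ValueError:
            continue
        return now.replace(hour=t.hour, minute=t.minute, second=t.second,
                           microsecond=0)

    raise ValueError("unrecognised date/time specification: %r" % text)


def in_window(when, fromdate=None, todate=None, now=None):
    """Mimic 'fromdate X todate Y': True if `when` lies inside the window."""
    if fromdate is not None and when < parse_when(fromdate, now):
        return False
    if todate is not None and when > parse_when(todate, now):
        return False
    return True


if __name__ == "__main__":
    ref = datetime(2009, 9, 17, 14, 30, 5)
    for s in ["10:01 am 9/17/2009", "9/17/2009", "10", "2 hours ago", "a fortnight ago"]:
        print("%-22s -> %s" % (s, parse_when(s, ref)))
```

     strptime matches am/pm case-insensitively in Python, so "10:01 am" and
     "10:01 AM" both parse; month names, as the manual notes, must be the
     English ones the C locale knows.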
   Debugging sudoreplay
     sudoreplay versions 1.8.4 and higher support a flexible debugging
     framework that is configured via Debug lines in the sudo.conf(5) file.

     For more information on configuring sudo.conf(5), please refer to its
     manual.


FILES

     /etc/sudo.conf            Debugging framework configuration

     /var/log/sudo-io          The default I/O log directory.

     /var/log/sudo-io/00/00/01/log
                               Example session log info.

     /var/log/sudo-io/00/00/01/stdin
                               Example session standard input log.

     /var/log/sudo-io/00/00/01/stdout
                               Example session standard output log.

     /var/log/sudo-io/00/00/01/stderr
                               Example session standard error log.

     /var/log/sudo-io/00/00/01/ttyin
                               Example session tty input file.

     /var/log/sudo-io/00/00/01/ttyout
                               Example session tty output file.

     /var/log/sudo-io/00/00/01/timing
                               Example session timing file.

     Note that the stdin, stdout and stderr files will be empty unless sudo
     was used as part of a pipeline for a particular command.


EXAMPLES

     List sessions run by user millert:

           # sudoreplay -l user millert

     List sessions run by user bob with a command containing the string vi:

           # sudoreplay -l user bob command vi

     List sessions run by user jeff that match a regular expression:

           # sudoreplay -l user jeff command '/bin/[a-z]*sh'

     List sessions run by jeff or bob on the console (the parentheses are
     escaped so the shell passes them through to sudoreplay):

           # sudoreplay -l \( user jeff or user bob \) tty console


SEE ALSO

     script(1), sudo.conf(5), sudo(8)


AUTHORS

     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS file in the sudo distribution
     (https://www.sudo.ws/contributors.html) for an exhaustive list of people
     who have contributed to sudo.


BUGS

     If you feel you have found a bug in sudoreplay, please submit a bug
     report at https://bugzilla.sudo.ws/


SUPPORT

     Limited free support is available via the sudo-users mailing list, see
     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.


DISCLAIMER

     sudoreplay is provided “AS IS” and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or https://www.sudo.ws/license.html for
     complete details.

Sudo 1.8.29                     August 27, 2019                    Sudo 1.8.29