1SUDO_LOGSRVD.CONF(5) BSD File Formats Manual SUDO_LOGSRVD.CONF(5)
2
4 sudo_logsrvd.conf — configuration for sudo_logsrvd
5
7 The sudo_logsrvd.conf file is used to configure the sudo_logsrvd log
8 server. It uses an INI-style format made up of sections in square brack‐
9 ets and “key = value” pairs specific to each section below the section
10 name. Depending on the key, values may be integers, booleans, or
11 strings. Section and key names are not case sensitive, but values are.
12
13 The pound sign (‘#’) is used to indicate a comment. Both the comment
14 character and any text after it, up to the end of the line, are ignored.
15 Lines beginning with a semi-colon (‘;’) are also ignored.
16
17 Long lines can be continued with a backslash (‘\’) as the last character
18 on the line. Leading white space is removed from the beginning of lines
19 even when the continuation character is used.
20
21 The EXAMPLES section contains a copy of the default sudo_logsrvd.conf
22 file.
23
24 The following configuration sections are recognized:
25
26 • server
27 • relay
28 • iolog
29 • eventlog
30 • syslog
31 • logfile
32
33 Each section is described in detail below.
34
35 server
36 The server section configures the address and port the server will listen
37 on. The following keys are recognized:
38
39 listen_address = host[:port][(tls)]
40 The host name or IP address, optional port to listen on and an
41 optional Transport Layer Security (TLS) flag in parentheses.
42
43 The host may be a host name, an IPv4 address, an IPv6 address
44 in square brackets or the wild card entry ‘*’. A host setting
45 of ‘*’ will cause sudo_logsrvd to listen on all configured net‐
46 work interfaces.
47
48 If the optional tls flag is present, sudo_logsrvd will secure
49 the connection with TLS version 1.2 or 1.3. Versions of TLS
50 prior to 1.2 are not supported. See sudo_logsrvd(8) for de‐
51 tails on generating TLS keys and certificates.
52
53 If a port is specified, it may either be a port number or a
54 known service name as defined by the system service name data‐
55 base. If no port is specified, port 30343 will be used for
56 plaintext connections and port 30344 will be used for TLS con‐
57 nections.
58
59 The default value is:
60 listen_address = *:30343
61 listen_address = *:30344(tls)
62 which will listen on all configured network interfaces for both
63 plaintext and TLS connections. Multiple listen_address lines
64 may be specified to listen on more than one port or interface.
65
66 server_log = string
67 Where to log server warning and error messages. Supported val‐
68 ues are none, stderr, syslog, or a path name beginning with the
69 ‘/’ character. A value of stderr is only effective when used
70 in conjunction with the -n option. The default value is
71 syslog.
72
73 pid_file = path
74 The path to the file containing the process ID of the running
75 sudo_logsrvd. If set to an empty value, or if sudo_logsrvd is
76 run with the -n option, no pid_file will be created. If
77 pid_file refers to a symbolic link, it will be ignored. The
78 default value is /run/sudo/sudo_logsrvd.pid.
79
80 tcp_keepalive = boolean
81 If true, sudo_logsrvd will enable the TCP keepalive socket op‐
82 tion on the client connection. This enables the periodic
83 transmission of keepalive messages to the client. If the
84 client does not respond to a message in time, the connection
85 will be closed. Defaults to true.
86
87 timeout = number
88 The amount of time, in seconds, sudo_logsrvd will wait for the
89 client to respond. A value of 0 will disable the timeout. The
90 default value is 30.
91
92 tls_cacert = path
93 The path to a certificate authority bundle file, in PEM format,
94 to use instead of the system's default certificate authority
95 database when authenticating clients. The default is to use
96 /etc/ssl/sudo/cacert.pem if it exists, otherwise the system's
97 default certificate authority database is used.
98
99 tls_cert = path
100 The path to the server's certificate file, in PEM format. The
101 default value is /etc/ssl/sudo/certs/logsrvd_cert.pem.
102
103 tls_checkpeer = bool
104 If true, client certificates will be validated by sudo_logsrvd;
105 clients without a valid certificate will be unable to connect.
106 If false, no validation of client certificates will be per‐
107 formed. It true and client certificates are created using a
108 private certificate authority, the tls_cacert setting must be
109 set to a CA bundle that contains the CA certificate used to
110 generate the client certificate. The default value is false.
111
112 tls_ciphers_v12 = string
113 A list of ciphers to use for connections secured by TLS version
114 1.2 only, separated by a colon ‘:’. See the CIPHER LIST FORMAT
115 section in openssl-ciphers(1) for full details. The default
116 value is “HIGH:!aNULL” which consists of encryption cipher
117 suites with key lengths larger than 128 bits, and some cipher
118 suites with 128-bit keys. Cipher suites that offer no authen‐
119 tication are excluded.
120
121 tls_ciphers_v13 = string
122 A list of ciphers to use for connections secured by TLS version
123 1.3 only, separated by a colon ‘:’. Supported cipher suites
124 depend on the version of OpenSSL used, but should include the
125 following:
126
127 TLS_AES_128_GCM_SHA256
128 TLS_AES_256_GCM_SHA384
129 TLS_CHACHA20_POLY1305_SHA256
130 TLS_AES_128_CCM_SHA256
131 TLS_AES_128_CCM_8_SHA256
132
133 The default cipher suite is “TLS_AES_256_GCM_SHA384”.
134
135 tls_dhparams = path
136 The path to a file containing custom Diffie-Hellman parameters
137 in PEM format. This file can be created with the following
138 command:
139
140 openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
141
142 By default, sudo_logsrvd will use the OpenSSL defaults for
143 Diffie-Hellman key generation.
144
145 tls_key = path
146 The path to the server's private key file, in PEM format. The
147 default value is /etc/ssl/sudo/private/logsrvd_key.pem.
148
149 tls_verify = bool
150 If true, sudo_logsrvd will validate its own certificate at
151 startup time or when the configuration is changed. If false,
152 no verification is performed of the server certificate. When
153 using self-signed certificates without a certificate authority,
154 this setting should be set to false. The default value is
155 true.
156
157 relay
158 The relay section configures the optional logsrv relay host and port the
159 server will connect to. The TLS configuration keys are optional, by de‐
160 fault the corresponding keys in the server section will be used. They
161 are only present in this section to make it possible for the relay con‐
162 nection to use a different set of TLS parameters from the client-facing
163 server. The following keys are recognized:
164
165 connect_timeout = number
166 The amount of time, in seconds, sudo_logsrvd will wait for the
167 connection to a relay_host (see below) to complete. Once the
168 connection is complete, the timeout setting controls the amount
169 of time sudo_logsrvd will wait for the relay to respond. A
170 value of 0 will disable the timeout. The default value is 30.
171
172 relay_dir = path
173 The directory in which log messages are temporarily stored be‐
174 fore they are sent to the relay host. Messages are stored in
175 the wire format specified by sudo_logsrv.proto(5) The default
176 value is /var/log/sudo_logsrvd.
177
178 relay_host = host[:port][(tls)]
179 The relay host name or IP address, optional port to connect to
180 and an optional Transport Layer Security (TLS) flag in paren‐
181 theses. The syntax is identical to listen_address in the
182 server section with one exception: the wild card ‘*’ syntax is
183 not supported.
184
185 When this setting is enabled, messages from the client will be
186 forwarded to one of the specified relay hosts instead of being
187 stored locally. The host could be running an instance of
188 sudo_logsrvd or another server that supports the
189 sudo_logsrv.proto(5) protocol.
190
191 If multiple relay_host lines are specified, the first available
192 relay host will be used.
193
194 retry_interval = number
195 The number of seconds to wait after a connection error before
196 making a new attempt to forward a message to a relay host. The
197 default value is 30.
198
199 store_first = boolean
200 If true, sudo_logsrvd will store logs locally before relaying
201 them. Once the log is complete, a connection to the relay host
202 is opened and the log is relayed. If the network connection is
203 interrupted before the log can be fully transferred, it will be
204 retransmitted later. The default is to relay logs in real-
205 time.
206
207 tcp_keepalive = boolean
208 If true, sudo_logsrvd will enable the TCP keepalive socket op‐
209 tion on the relay connection. This enables the periodic trans‐
210 mission of keepalive messages to the relay server. If the re‐
211 lay does not respond to a message in time, the connection will
212 be closed.
213
214 timeout = number
215 The amount of time, in seconds, sudo_logsrvd will wait for the
216 relay server to respond after a connection has succeeded. A
217 value of 0 will disable the timeout. The default value is 30.
218
219 tls_cacert = path
220 The path to a certificate authority bundle file, in PEM format,
221 to use instead of the system's default certificate authority
222 database when authenticating clients. The default is to use
223 the value specified in the server section, or the system's de‐
224 fault certificate authority database if no value is set.
225
226 tls_cert = path
227 The path to the server's certificate file, in PEM format. The
228 default is to use the value specified in the server section.
229
230 tls_checkpeer = bool
231 If true, the relay host's certificate will be validated by
232 sudo_logsrvd; connections to a relay without a valid certifi‐
233 cate will fail. If false, no validation of relay certificates
234 will be performed. It true and relay certificates are created
235 using a private certificate authority, the tls_cacert setting
236 must be set to a CA bundle that contains the CA certificate
237 used to generate the relay certificate. The default is to use
238 the value specified in the server section.
239
240 tls_ciphers_v12 = string
241 A list of ciphers to use for connections secured by TLS version
242 1.2 only, separated by a colon ‘:’. See the CIPHER LIST FORMAT
243 section in openssl-ciphers(1) for full details. The default is
244 to use the value specified in the server section.
245
246 tls_ciphers_v13 = string
247 A list of ciphers to use for connections secured by TLS version
248 1.3 only, separated by a colon ‘:’. Supported cipher suites
249 depend on the version of OpenSSL used, see the server section
250 for more information. The default is to use the value speci‐
251 fied in the server section.
252
253 tls_dhparams = path
254 The path to a file containing custom Diffie-Hellman parameters
255 in PEM format. The default is to use the value specified in
256 the server section.
257
258 tls_key = path
259 The path to the server's private key file, in PEM format. The
260 default is to use the value specified in the server section.
261
262 tls_verify = bool
263 If true, the server's certificate used for relaying will be
264 verified at startup. If false, no verification is performed of
265 the server certificate. When using self-signed certificates
266 without a certificate authority, this setting should be set to
267 false. The default is to use the value specified in the server
268 section.
269
270 iolog
271 The iolog section configures I/O log parameters. These settings are
272 identical to the I/O configuration in sudoers(5). The following keys are
273 recognized:
274
275 iolog_compress = boolean
276 If set, I/O logs will be compressed using zlib. Enabling com‐
277 pression can make it harder to view the logs in real-time as
278 the program is executing due to buffering. The default value
279 is false.
280
281 iolog_dir = path
282 The top-level directory to use when constructing the path name
283 for the I/O log directory. The session sequence number, if
284 any, is stored in the directory. The default value is
285 /var/log/sudo-io.
286
287 The following percent (‘%’) escape sequences are supported:
288
289 %{seq}
290 expanded to a monotonically increasing base-36 sequence
291 number, such as 0100A5, where every two digits are used
292 to form a new directory, e.g., 01/00/A5
293
294 %{user}
295 expanded to the invoking user's login name
296
297 %{group}
298 expanded to the name of the invoking user's real group-ID
299
300 %{runas_user}
301 expanded to the login name of the user the command will
302 be run as (e.g., root)
303
304 %{runas_group}
305 expanded to the group name of the user the command will
306 be run as (e.g., wheel)
307
308 %{hostname}
309 expanded to the local host name without the domain name
310
311 %{command}
312 expanded to the base name of the command being run
313
314 In addition, any escape sequences supported by the system's
315 strftime(3) function will be expanded.
316
317 To include a literal ‘%’ character, the string ‘%%’ should be
318 used.
319
320 iolog_file = path
321 The path name, relative to iolog_dir, in which to store I/O
322 logs. It is possible for iolog_file to contain directory com‐
323 ponents. The default value is “%{seq}”.
324
325 See the iolog_dir setting above for a list of supported percent
326 (‘%’) escape sequences.
327
328 In addition to the escape sequences, path names that end in six
329 or more Xs will have the Xs replaced with a unique combination
330 of digits and letters, similar to the mktemp(3) function.
331
332 If the path created by concatenating iolog_dir and iolog_file
333 already exists, the existing I/O log file will be truncated and
334 overwritten unless iolog_file ends in six or more Xs.
335
336 iolog_flush = boolean
337 If set, I/O log data is flushed to disk after each write in‐
338 stead of buffering it. This makes it possible to view the logs
339 in real-time as the program is executing but may significantly
340 reduce the effectiveness of I/O log compression. I/O logs are
341 always flushed before sending a commit point to the client re‐
342 gardless of this setting. The default value is true.
343
344 iolog_group = name
345 The group name to look up when setting the group-ID on new I/O
346 log files and directories. If iolog_group is not set, the pri‐
347 mary group-ID of the user specified by iolog_user is used. If
348 neither iolog_group nor iolog_user are set, I/O log files and
349 directories are created with group-ID 0.
350
351 iolog_mode = mode
352 The file mode to use when creating I/O log files. Mode bits
353 for read and write permissions for owner, group, or other are
354 honored, everything else is ignored. The file permissions will
355 always include the owner read and write bits, even if they are
356 not present in the specified mode. When creating I/O log di‐
357 rectories, search (execute) bits are added to match the read
358 and write bits specified by iolog_mode. The default value is
359 0600.
360
361 iolog_user = name
362 The user name to look up when setting the owner of new I/O log
363 files and directories. If iolog_group is set, it will be used
364 instead of the user's primary group-ID. By default, I/O log
365 files and directories are created with user and group-ID 0.
366
367 log_passwords = bool
368 Most programs that require a user's password will disable echo
369 before reading the password to avoid displaying the plaintext
370 password on the screen. However, if terminal input is being
371 logged, the password will still be present in the I/O log. If
372 log_passwords is set to false, sudo_logsrvd will attempt to
373 prevent passwords from being logged. It does this by using the
374 regular expressions in passprompt_regex to match a password
375 prompt in the terminal output buffer. When a match is found,
376 input characters in the I/O log will be replaced with ‘*’ until
377 either a line feed or carriage return is found in the terminal
378 input or a new terminal output buffer is received. If, how‐
379 ever, a program displays characters as the user types them
380 (such as sudo when the pwfeedback option is set), only the
381 first character of the password will be replaced in the I/O
382 log. The default value is true.
383
384 maxseq = number
385 The maximum sequence number that will be substituted for the
386 “%{seq}” escape in the I/O log file (see the iolog_dir descrip‐
387 tion above for more information). While the value substituted
388 for “%{seq}” is in base 36, maxseq itself should be expressed
389 in decimal. Values larger than 2176782336 (which corresponds
390 to the base 36 sequence number “ZZZZZZ”) will be silently trun‐
391 cated to 2176782336. The default value is 2176782336.
392
393 passprompt_regex = string
394 One or more POSIX extended regular expressions used to match
395 password prompts in the terminal output when log_passwords is
396 disabled. As an extension, if the regular expression begins
397 with “(?i)”, it will be matched in a case-insensitive manner.
398 Multiple passprompt_regex settings may be specified. Each reg‐
399 ular expression is limited to 1024 characters. The default
400 value is “[Pp]assword[: ]*”.
401
402 eventlog
403 The eventlog section configures how (and if) security policy events are
404 logged.
405
406 log_type = string
407 Where to log accept, reject, and alert events reported by the pol‐
408 icy. Supported values are syslog, logfile, and none. The default
409 value is syslog.
410
411 log_exit = boolean
412 If true, sudo_logsrvd will log an event when a command exits or is
413 terminated by a signal. Defaults to false.
414
415 log_format = string
416 The event log format. Supported log formats are “sudo” for tradi‐
417 tional sudo-style logs and “json” for JSON-format logs. The JSON
418 log entries contain the full contents of the accept, reject, exit
419 and alert messages. The default value is sudo.
420
421 syslog
422 The syslog section configures how events are logged via syslog(3).
423
424 facility = string
425 Syslog facility if syslog is being used for logging. Defaults to
426 authpriv.
427
428 The following syslog facilities are supported: authpriv (if your OS
429 supports it), auth, daemon, user, local0, local1, local2, local3,
430 local4, local5, local6, and local7.
431
432 accept_priority = string
433 Syslog priority to use when the user is allowed to run a command
434 and authentication is successful. Defaults to notice.
435
436 The following syslog priorities are supported: alert, crit, debug,
437 emerg, err, info, notice, warning, and none. Setting it to a value
438 of none will disable logging of successful commands.
439
440 reject_priority = string
441 Syslog priority to use when the user is not allowed to run a com‐
442 mand or when authentication is unsuccessful. Defaults to alert.
443
444 See accept_priority for the list of supported syslog priorities.
445
446 alert_priority = string
447 Syslog priority to use for event log alert messages received from
448 the client. Defaults to alert.
449
450 See accept_priority for the list of supported syslog priorities.
451
452 maxlen = number
453 On many systems, syslog(3) has a relatively small log buffer. IETF
454 RFC 5424 states that syslog servers must support messages of at
455 least 480 bytes and should support messages up to 2048 bytes. By
456 default, sudo_logsrvd creates log messages up to 960 bytes which
457 corresponds to the historic BSD syslog implementation which used a
458 1024 byte buffer to store the message, date, hostname, and program
459 name.
460
461 To prevent syslog messages from being truncated, sudo_logsrvd will
462 split up sudo-style log messages that are larger than maxlen bytes.
463 When a message is split, additional parts will include the string
464 “(command continued)” after the user name and before the continued
465 command line arguments. JSON-format log entries are never split
466 and are not affected by maxlen.
467
468 server_facility = string
469 Syslog facility if syslog is being used for server warning mes‐
470 sages. See above for a list of supported facilities. Defaults to
471 daemon
472
473 logfile
474 The logfile section consists of settings related to logging to a plain
475 file (not syslog).
476
477 path = string
478 The path to the file-based event log. This path must be fully-
479 qualified and start with a ‘/’ character. The default value is
480 /var/log/sudo.log.
481
482 time_format = string
483 The string used when formatting the date and time for file-based
484 event logs. Formatting is performed via the system's strftime(3)
485 function so any escape sequences supported by that function will be
486 expanded. The default value is “%h %e %T” which produces dates
487 like “Oct 3 07:15:24” in the ‘C’ locale.
488
490 /etc/sudo_logsrvd.conf Sudo log server configuration file
491
493 #
494 # sudo logsrv daemon configuration
495 #
496
497 [server]
498 # The host name or IP address and port to listen on with an optional TLS
499 # flag. If no port is specified, port 30343 will be used for plaintext
500 # connections and port 30344 will be used to TLS connections.
501 # The following forms are accepted:
502 # listen_address = hostname(tls)
503 # listen_address = hostname:port(tls)
504 # listen_address = IPv4_address(tls)
505 # listen_address = IPv4_address:port(tls)
506 # listen_address = [IPv6_address](tls)
507 # listen_address = [IPv6_address]:port(tls)
508 #
509 # The (tls) suffix should be omitted for plaintext connections.
510 #
511 # Multiple listen_address settings may be specified.
512 # The default is to listen on all addresses.
513 #listen_address = *:30343
514 #listen_address = *:30344(tls)
515
516 # The file containing the ID of the running sudo_logsrvd process.
517 #pid_file = /run/sudo/sudo_logsrvd.pid
518
519 # Where to log server warnings: none, stderr, syslog, or a path name.
520 #server_log = syslog
521
522 # If true, enable the SO_KEEPALIVE socket option on client connections.
523 # Defaults to true.
524 #tcp_keepalive = true
525
526 # The amount of time, in seconds, the server will wait for the client to
527 # respond. A value of 0 will disable the timeout. The default value is 30.
528 #timeout = 30
529
530 # If true, the server will validate its own certificate at startup.
531 # Defaults to true.
532 #tls_verify = true
533
534 # If true, client certificates will be validated by the server;
535 # clients without a valid certificate will be unable to connect.
536 # By default, client certs are not checked.
537 #tls_checkpeer = false
538
539 # Path to a certificate authority bundle file in PEM format to use
540 # instead of the system's default certificate authority database.
541 #tls_cacert = /etc/ssl/sudo/cacert.pem
542
543 # Path to the server's certificate file in PEM format.
544 # Required for TLS connections.
545 #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
546
547 # Path to the server's private key file in PEM format.
548 # Required for TLS connections.
549 #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
550
551 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
552 # This setting is only effective if the negotiated protocol is TLS version
553 # 1.2. The default cipher list is HIGH:!aNULL.
554 #tls_ciphers_v12 = HIGH:!aNULL
555
556 # TLS cipher list if the negotiated protocol is TLS version 1.3.
557 # The default cipher list is TLS_AES_256_GCM_SHA384.
558 #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
559
560 # Path to the Diffie-Hellman parameter file in PEM format.
561 # If not set, the server will use the OpenSSL defaults.
562 #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
563
564 [relay]
565 # The host name or IP address and port to send logs to in relay mode.
566 # The syntax is identical to listen_address with the exception of
567 # the wild card ('*') syntax. When this setting is enabled, logs will
568 # be relayed to the specified host instead of being stored locally.
569 # This setting is not enabled by default.
570 #relay_host = relayhost.dom.ain
571 #relay_host = relayhost.dom.ain(tls)
572
573 # The amount of time, in seconds, the server will wait for a connection
574 # to the relay server to complete. A value of 0 will disable the timeout.
575 # The default value is 30.
576 #connect_timeout = 30
577
578 # The directory to store messages in before they are sent to the relay.
579 # Messages are stored in wire format.
580 # The default value is /var/log/sudo_logsrvd.
581 #relay_dir = /var/log/sudo_logsrvd
582
583 # The number of seconds to wait after a connection error before
584 # making a new attempt to forward a message to a relay host.
585 # The default value is 30.
586 #retry_interval = 30
587
588 # Whether to store the log before relaying it. If true, enable store
589 # and forward mode. If false, the client connection is immediately
590 # relayed. Defaults to false.
591 #store_first = true
592
593 # If true, enable the SO_KEEPALIVE socket option on relay connections.
594 # Defaults to true.
595 #tcp_keepalive = true
596
597 # The amount of time, in seconds, the server will wait for the relay to
598 # respond. A value of 0 will disable the timeout. The default value is 30.
599 #timeout = 30
600
601 # If true, the server's relay certificate will be verified at startup.
602 # The default is to use the value in the [server] section.
603 #tls_verify = true
604
605 # Whether to verify the relay's certificate for TLS connections.
606 # The default is to use the value in the [server] section.
607 #tls_checkpeer = false
608
609 # Path to a certificate authority bundle file in PEM format to use
610 # instead of the system's default certificate authority database.
611 # The default is to use the value in the [server] section.
612 #tls_cacert = /etc/ssl/sudo/cacert.pem
613
614 # Path to the server's certificate file in PEM format.
615 # The default is to use the certificate in the [server] section.
616 #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
617
618 # Path to the server's private key file in PEM format.
619 # The default is to use the key in the [server] section.
620 #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
621
622 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
623 # this setting is only effective if the negotiated protocol is TLS version
624 # 1.2. The default is to use the value in the [server] section.
625 #tls_ciphers_v12 = HIGH:!aNULL
626
627 # TLS cipher list if the negotiated protocol is TLS version 1.3.
628 # The default is to use the value in the [server] section.
629 #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
630
631 # Path to the Diffie-Hellman parameter file in PEM format.
632 # The default is to use the value in the [server] section.
633 #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
634
635 [iolog]
636 # The top-level directory to use when constructing the path name for the
637 # I/O log directory. The session sequence number, if any, is stored here.
638 #iolog_dir = /var/log/sudo-io
639
640 # The path name, relative to iolog_dir, in which to store I/O logs.
641 # It is possible for iolog_file to contain directory components.
642 #iolog_file = %{seq}
643
644 # If set, I/O logs will be compressed using zlib. Enabling compression can
645 # make it harder to view the logs in real-time as the program is executing.
646 #iolog_compress = false
647
648 # If set, I/O log data is flushed to disk after each write instead of
649 # buffering it. This makes it possible to view the logs in real-time
650 # as the program is executing but reduces the effectiveness of compression.
651 #iolog_flush = true
652
653 # The group to use when creating new I/O log files and directories.
654 # If iolog_group is not set, the primary group-ID of the user specified
655 # by iolog_user is used. If neither iolog_group nor iolog_user
656 # are set, I/O log files and directories are created with group-ID 0.
657 #iolog_group = wheel
658
659 # The user to use when setting the user-ID and group-ID of new I/O
660 # log files and directories. If iolog_group is set, it will be used
661 # instead of the user's primary group-ID. By default, I/O log files
662 # and directories are created with user and group-ID 0.
663 #iolog_user = root
664
665 # The file mode to use when creating I/O log files. The file permissions
666 # will always include the owner read and write bits, even if they are
667 # not present in the specified mode. When creating I/O log directories,
668 # search (execute) bits are added to match the read and write bits
669 # specified by iolog_mode.
670 #iolog_mode = 0600
671
672 # If disabled, sudo_logsrvd will attempt to avoid logging plaintext
673 # password in the terminal input using passprompt_regex.
674 #log_passwords = true
675
676 # The maximum sequence number that will be substituted for the "%{seq}"
677 # escape in the I/O log file. While the value substituted for "%{seq}"
678 # is in base 36, maxseq itself should be expressed in decimal. Values
679 # larger than 2176782336 (which corresponds to the base 36 sequence
680 # number "ZZZZZZ") will be silently truncated to 2176782336.
681 #maxseq = 2176782336
682
683 # One or more POSIX extended regular expressions used to match
684 # password prompts in the terminal output when log_passwords is
685 # disabled. Multiple passprompt_regex settings may be specified.
686 #passprompt_regex = [Pp]assword[: ]*
687 #passprompt_regex = [Pp]assword for [a-z0-9]+: *
688
689 [eventlog]
690 # Where to log accept, reject, exit, and alert events.
691 # Accepted values are syslog, logfile, or none.
692 # Defaults to syslog
693 #log_type = syslog
694
695 # Whether to log an event when a command exits or is terminated by a signal.
696 # Defaults to false
697 #log_exit = true
698
699 # Event log format.
700 # Currently only sudo-style event logs are supported.
701 #log_format = sudo
702
703 [syslog]
704 # The maximum length of a syslog payload.
705 # On many systems, syslog(3) has a relatively small log buffer.
706 # IETF RFC 5424 states that syslog servers must support messages
707 # of at least 480 bytes and should support messages up to 2048 bytes.
708 # Messages larger than this value will be split into multiple messages.
709 #maxlen = 960
710
711 # The syslog facility to use for event log messages.
712 # The following syslog facilities are supported: authpriv (if your OS
713 # supports it), auth, daemon, user, local0, local1, local2, local3,
714 # local4, local5, local6, and local7.
715 #facility = authpriv
716
717 # Syslog priority to use for event log accept messages, when the command
718 # is allowed by the security policy. The following syslog priorities are
719 # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
720 #accept_priority = notice
721
722 # Syslog priority to use for event log reject messages, when the command
723 # is not allowed by the security policy.
724 #reject_priority = alert
725
726 # Syslog priority to use for event log alert messages reported by the
727 # client.
728 #alert_priority = alert
729
730 # The syslog facility to use for server warning messages.
731 # Defaults to daemon.
732 #server_facility = daemon
733
734 [logfile]
735 # The path to the file-based event log.
736 # This path must be fully-qualified and start with a '/' character.
737 #path = /var/log/sudo.log
738
739 # The format string used when formatting the date and time for
740 # file-based event logs. Formatting is performed via strftime(3) so
741 # any format string supported by that function is allowed.
742 #time_format = %h %e %T
743
745 strftime(3), sudo.conf(5), sudoers(5), sudo(8), sudo_logsrvd(8)
746
748 Many people have worked on sudo over the years; this version consists of
749 code written primarily by:
750
751 Todd C. Miller
752
753 See the CONTRIBUTORS.md file in the sudo distribution
754 (https://www.sudo.ws/about/contributors/) for an exhaustive list of peo‐
755 ple who have contributed to sudo.
756
758 If you believe you have found a bug in sudo, you can submit a bug report
759 at https://bugzilla.sudo.ws/
760
762 Limited free support is available via the sudo-users mailing list, see
763 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
764 the archives.
765
767 sudo is provided “AS IS” and any express or implied warranties, includ‐
768 ing, but not limited to, the implied warranties of merchantability and
769 fitness for a particular purpose are disclaimed. See the LICENSE.md file
770 distributed with sudo or https://www.sudo.ws/about/license/ for complete
771 details.
772
773Sudo 1.9.12p2 September 13, 2022 Sudo 1.9.12p2