1SUDO_LOGSRVD.CONF(5) BSD File Formats Manual SUDO_LOGSRVD.CONF(5)
2
4 sudo_logsrvd.conf — configuration for sudo_logsrvd
5
7 The sudo_logsrvd.conf file is used to configure the sudo_logsrvd log
8 server. It uses an INI-style format made up of sections in square brack‐
9 ets and “key = value” pairs specific to each section below the section
10 name. Depending on the key, values may be integers, booleans or strings.
11 Section and key names are not case sensitive, but values are.
12 The pound sign (‘#’) is used to indicate a comment. Both the comment
14 character and any text after it, up to the end of the line, are ignored.
15 Lines beginning with a semi-colon (‘;’) are also ignored.
16 Long lines can be continued with a backslash (‘\’) as the last character
18 on the line. Note that leading white space is removed from the beginning
19 of lines even when the continuation character is used.
20 The EXAMPLES section contains a copy of the default sudo_logsrvd.conf
22 file.
23 The following configuration sections are recognized:
25 • server
27 • relay
28 • iolog
29 • eventlog
30 • syslog
31 • logfile
32 Each section is described in detail below.
34 server
36 The server section configures the address and port the server will listen
37 on. The following keys are recognized:
38 listen_address = host[:port][(tls)]
40 The host name or IP address, optional port to listen on and an
41 optional Transport Layer Security (TLS) flag in parentheses.
42 The host may be a host name, an IPv4 address, an IPv6 address
44 in square brackets or the wild card entry ‘*’. A host setting
45 of ‘*’ will cause sudo_logsrvd to listen on all configured net‐
46 work interfaces.
47 If the optional tls flag is present, sudo_logsrvd will secure
49 the connection with TLS version 1.2 or 1.3. Versions of TLS
50 prior to 1.2 are not supported. See sudo_logsrvd(8) for de‐
51 tails on generating TLS keys and certificates.
52 If a port is specified, it may either be a port number or a
54 known service name as defined by the system service name data‐
55 base. If no port is specified, port 30343 will be used for
56 plaintext connections and port 30344 will be used for TLS con‐
57 nections.
58 The default value is:
60 listen_address = *:30343
61 listen_address = *:30344(tls)
62 which will listen on all configured network interfaces for both
63 plaintext and TLS connections. Multiple listen_address lines
64 may be specified to listen on more than one port or interface.
65 pid_file = path
67 The path to the file containing the process ID of the running
68 sudo_logsrvd. If set to an empty value, or if sudo_logsrvd is
69 run with the -n option, no pid_file will be created. If
70 pid_file refers to a symbolic link, it will be ignored. The
71 default value is /run/sudo/sudo_logsrvd.pid.
72 tcp_keepalive = boolean
74 If true, sudo_logsrvd will enable the TCP keepalive socket op‐
75 tion on the client connection. This enables the periodic
76 transmission of keepalive messages to the client. If the
77 client does not respond to a message in time, the connection
78 will be closed.
79 timeout = number
81 The amount of time, in seconds, sudo_logsrvd will wait for the
82 client to respond. A value of 0 will disable the timeout. The
83 default value is 30.
84 tls_cacert = path
86 The path to a certificate authority bundle file, in PEM format,
87 to use instead of the system's default certificate authority
88 database when authenticating clients. The default is to use
89 /etc/ssl/sudo/cacert.pem if it exists, otherwise the system's
90 default certificate authority database is used.
91 tls_cert = path
93 The path to the server's certificate file, in PEM format. The
94 default value is /etc/ssl/sudo/certs/logsrvd_cert.pem.
95 tls_checkpeer = bool
97 If true, client certificates will be validated by sudo_logsrvd;
98 clients without a valid certificate will be unable to connect.
99 If false, no validation of client certificates will be per‐
100 formed. It true and client certificates are created using a
101 private certificate authority, the tls_cacert setting must be
102 set to a CA bundle that contains the CA certificate used to
103 generate the client certificate. The default value is false.
104 tls_ciphers_v12 = string
106 A list of ciphers to use for connections secured by TLS version
107 1.2 only, separated by a colon ‘:’. See the CIPHER LIST FORMAT
108 section in openssl-ciphers(1) for full details. The default
109 value is HIGH:!aNULL which consists of encryption cipher suites
110 with key lengths larger than 128 bits, and some cipher suites
111 with 128-bit keys. Cipher suites that offer no authentication
112 are excluded.
113 tls_ciphers_v13 = string
115 A list of ciphers to use for connections secured by TLS version
116 1.3 only, separated by a colon ‘:’. Supported cipher suites
117 depend on the version of OpenSSL used, but should include the
118 following:
119 TLS_AES_128_GCM_SHA256
121 TLS_AES_256_GCM_SHA384
122 TLS_CHACHA20_POLY1305_SHA256
123 TLS_AES_128_CCM_SHA256
124 TLS_AES_128_CCM_8_SHA256
125 The default cipher suite is TLS_AES_256_GCM_SHA384.
127 tls_dhparams = path
129 The path to a file containing custom Diffie-Hellman parameters
130 in PEM format. This file can be created with the following
131 command:
132 openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
134 By default, sudo_logsrvd will use the OpenSSL defaults for
136 Diffie-Hellman key generation.
137 tls_key = path
139 The path to the server's private key file, in PEM format. The
140 default value is /etc/ssl/sudo/private/logsrvd_key.pem.
141 tls_verify = bool
143 If true, the server certificate will be verified at startup and
144 clients will authenticate the server by verifying its certifi‐
145 cate and identity. If false, no verification is performed of
146 the server certificate by the server or the client. When using
147 self-signed certificates without a certificate authority, this
148 setting should be set to false. The default value is true.
149 relay
151 The relay section configures the optional logsrv relay host and port the
152 server will connect to. The TLS configuration keys are optional, by de‐
153 fault the corresponding keys in the server section will be used. They
154 are only present in this section to make it possible for the relay con‐
155 nection to use a different set of TLS parameters from the client-facing
156 server. The following keys are recognized:
157 connect_timeout = number
159 The amount of time, in seconds, sudo_logsrvd will wait for the
160 connection to a relay_host (see below) to complete. Once the
161 connection is complete, the timeout setting controls the amount
162 of time sudo_logsrvd will wait for the relay to respond. A
163 value of 0 will disable the timeout. The default value is 30.
164 relay_dir = path
166 The directory in which log messages are temporarily stored be‐
167 fore they are sent to the relay host. Messages are stored in
168 the wire format specified by sudo_logsrv.proto(5) The default
169 value is /var/log/sudo_logsrvd.
170 relay_host = host[:port][(tls)]
172 The relay host name or IP address, optional port to connect to
173 and an optional Transport Layer Security (TLS) flag in paren‐
174 theses. The syntax is identical to listen_address in the
175 server section with one exception: the wild card ‘*’ syntax is
176 not supported.
177 When this setting is enabled, messages from the client will be
179 forwarded to one of the specified relay hosts instead of being
180 stored locally. The host could be running an instance of
181 sudo_logsrvd or another server that supports the
182 sudo_logsrv.proto(5) protocol.
183 If multiple relay_host lines are specified, the first available
185 relay host will be used.
186 retry_interval = number
188 The number of seconds to wait after a connection error before
189 making a new attempt to forward a message to a relay host. The
190 default value is 30 seconds.
191 store_first = boolean
193 If true, sudo_logsrvd will store logs locally before relaying
194 them. Once the log is complete, a connection to the relay host
195 is opened and the log is relayed. If the network connection is
196 interrupted before the log can be fully transferred, it will be
197 retransmitted later. The default is to relay logs in real-
198 time.
199 tcp_keepalive = boolean
201 If true, sudo_logsrvd will enable the TCP keepalive socket op‐
202 tion on the relay connection. This enables the periodic trans‐
203 mission of keepalive messages to the relay server. If the re‐
204 lay does not respond to a message in time, the connection will
205 be closed.
206 timeout = number
208 The amount of time, in seconds, sudo_logsrvd will wait for the
209 relay server to respond after a connection has succeeded. A
210 value of 0 will disable the timeout. The default value is 30.
211 tls_cacert = path
213 The path to a certificate authority bundle file, in PEM format,
214 to use instead of the system's default certificate authority
215 database when authenticating clients. The default is to use
216 the value specified in the server section, or the system's de‐
217 fault certificate authority database if no value is set.
218 tls_cert = path
220 The path to the server's certificate file, in PEM format. The
221 default is to use the value specified in the server section.
222 tls_checkpeer = bool
224 If true, the relay host's certificate will be validated by
225 sudo_logsrvd; connections to a relay without a valid certifi‐
226 cate will fail. If false, no validation of relay certificates
227 will be performed. It true and relay certificates are created
228 using a private certificate authority, the tls_cacert setting
229 must be set to a CA bundle that contains the CA certificate
230 used to generate the relay certificate. The default is to use
231 the value specified in the server section.
232 tls_ciphers_v12 = string
234 A list of ciphers to use for connections secured by TLS version
235 1.2 only, separated by a colon ‘:’. See the CIPHER LIST FORMAT
236 section in openssl-ciphers(1) for full details. The default is
237 to use the value specified in the server section.
238 tls_ciphers_v13 = string
240 A list of ciphers to use for connections secured by TLS version
241 1.3 only, separated by a colon ‘:’. Supported cipher suites
242 depend on the version of OpenSSL used, see the server section
243 for more information. The default is to use the value speci‐
244 fied in the server section.
245 tls_dhparams = path
247 The path to a file containing custom Diffie-Hellman parameters
248 in PEM format. The default is to use the value specified in
249 the server section.
250 tls_key = path
252 The path to the server's private key file, in PEM format. The
253 default is to use the value specified in the server section.
254 tls_verify = bool
256 If true, the server's certificate used for relaying will be
257 verified at startup. If false, no verification is performed of
258 the server certificate. When using self-signed certificates
259 without a certificate authority, this setting should be set to
260 false. The default is to use the value specified in the server
261 section.
262 iolog
264 The iolog section configures I/O log parameters. These settings are
265 identical to the I/O configuration in sudoers(5). The following keys are
266 recognized:
267 iolog_compress = boolean
269 If set, I/O logs will be compressed using zlib. Enabling com‐
270 pression can make it harder to view the logs in real-time as
271 the program is executing due to buffering. The default value
272 is false.
273 iolog_dir = path
275 The top-level directory to use when constructing the path name
276 for the I/O log directory. The session sequence number, if
277 any, is stored in the directory. The default value is
278 /var/log/sudo-io.
279 The following percent (‘%’) escape sequences are supported:
281 %{seq}
283 expanded to a monotonically increasing base-36 sequence
284 number, such as 0100A5, where every two digits are used
285 to form a new directory, e.g., 01/00/A5
286 %{user}
288 expanded to the invoking user's login name
289 %{group}
291 expanded to the name of the invoking user's real group-ID
292 %{runas_user}
294 expanded to the login name of the user the command will
295 be run as (e.g., root)
296 %{runas_group}
298 expanded to the group name of the user the command will
299 be run as (e.g., wheel)
300 %{hostname}
302 expanded to the local host name without the domain name
303 %{command}
305 expanded to the base name of the command being run
306 In addition, any escape sequences supported by the system's
308 strftime(3) function will be expanded.
309 To include a literal ‘%’ character, the string ‘%%’ should be
311 used.
312 iolog_file = path
314 The path name, relative to iolog_dir, in which to store I/O
315 logs. Note that iolog_file may contain directory components.
316 The default value is %{seq}.
317 See the iolog_dir setting above for a list of supported percent
319 (‘%’) escape sequences.
320 In addition to the escape sequences, path names that end in six
322 or more Xs will have the Xs replaced with a unique combination
323 of digits and letters, similar to the mktemp(3) function.
324 If the path created by concatenating iolog_dir and iolog_file
326 already exists, the existing I/O log file will be truncated and
327 overwritten unless iolog_file ends in six or more Xs.
328 iolog_flush = boolean
330 If set, I/O log data is flushed to disk after each write in‐
331 stead of buffering it. This makes it possible to view the logs
332 in real-time as the program is executing but may significantly
333 reduce the effectiveness of I/O log compression. The default
334 value is true.
335 iolog_group = name
337 The group name to look up when setting the group-ID on new I/O
338 log files and directories. If iolog_group is not set, the pri‐
339 mary group-ID of the user specified by iolog_user is used. If
340 neither iolog_group nor iolog_user are set, I/O log files and
341 directories are created with group-ID 0.
342 iolog_mode = mode
344 The file mode to use when creating I/O log files. Mode bits
345 for read and write permissions for owner, group or other are
346 honored, everything else is ignored. The file permissions will
347 always include the owner read and write bits, even if they are
348 not present in the specified mode. When creating I/O log di‐
349 rectories, search (execute) bits are added to match the read
350 and write bits specified by iolog_mode. The default value is
351 0600.
352 iolog_user = name
354 The user name to look up when setting the owner of new I/O log
355 files and directories. If iolog_group is set, it will be used
356 instead of the user's primary group-ID. By default, I/O log
357 files and directories are created with user and group-ID 0.
358 maxseq = number
360 The maximum sequence number that will be substituted for the
361 “%{seq}” escape in the I/O log file (see the iolog_dir descrip‐
362 tion above for more information). While the value substituted
363 for “%{seq}” is in base 36, maxseq itself should be expressed
364 in decimal. Values larger than 2176782336 (which corresponds
365 to the base 36 sequence number “ZZZZZZ”) will be silently trun‐
366 cated to 2176782336. The default value is 2176782336.
367 eventlog
369 The eventlog section configures how (and if) security policy events are
370 logged.
371 log_type = string
373 Where to log accept, reject and alert events reported by the pol‐
374 icy. Supported values are syslog, logfile, and none. The default
375 value is syslog.
376 log_format = string
378 The event log format. Supported log formats are “sudo” for tradi‐
379 tional sudo-style logs and “json” for JSON-format logs. The JSON
380 log entries contain the full contents of the accept, reject and
381 alert messages. The default value is sudo.
382 syslog
384 The syslog section configures how events are logged via syslog(3).
385 facility = string
387 Syslog facility if syslog is being used for logging. Defaults to
388 authpriv.
389 The following syslog facilities are supported: authpriv (if your OS
391 supports it), auth, daemon, user, local0, local1, local2, local3,
392 local4, local5, local6, and local7.
393 accept_priority = string
395 Syslog priority to use when the user is allowed to run a command
396 and authentication is successful. Defaults to notice.
397 The following syslog priorities are supported: alert, crit, debug,
399 emerg, err, info, notice, warning, and none. Setting it to a value
400 of none will disable logging of successful commands.
401 reject_priority = string
403 Syslog priority to use when the user is not allowed to run a com‐
404 mand or when authentication is unsuccessful. Defaults to alert.
405 See accept_priority for the list of supported syslog priorities.
407 alert_priority = string
409 Syslog priority to use for event log alert messages received from
410 the client. Defaults to alert.
411 See accept_priority for the list of supported syslog priorities.
413 maxlen = number
415 On many systems, syslog(3) has a relatively small log buffer. IETF
416 RFC 5424 states that syslog servers must support messages of at
417 least 480 bytes and should support messages up to 2048 bytes. By
418 default, sudo_logsrvd creates log messages up to 960 bytes which
419 corresponds to the historic BSD syslog implementation which used a
420 1024 byte buffer to store the message, date, hostname and program
421 name.
422 To prevent syslog messages from being truncated, sudo_logsrvd will
424 split up sudo-style log messages that are larger than maxlen bytes.
425 When a message is split, additional parts will include the string
426 “(command continued)” after the user name and before the continued
427 command line arguments. JSON-format log entries are never split
428 and are not affected by maxlen.
429 logfile
431 The logfile section consists of settings related to logging to a plain
432 file (not syslog).
433 path = string
435 The path to the file-based event log. This path must be fully-
436 qualified and start with a ‘/’ character. The default value is
437 /var/log/sudo.log.
438 time_format = string
440 The string used when formatting the date and time for file-based
441 event logs. Formatting is performed via the system's strftime(3)
442 function so any escape sequences supported by that function will be
443 expanded. The default value is “%h %e %T” which produces dates
444 like “Oct 3 07:15:24” in the C locale.
445
447 /etc/sudo_logsrvd.conf Sudo log server configuration file
448
450 #
451 # sudo logsrv daemon configuration
452 #
453 [server]
455 # The host name or IP address and port to listen on with an optional TLS
456 # flag. If no port is specified, port 30343 will be used for plaintext
457 # connections and port 30344 will be used to TLS connections.
458 # The following forms are accepted:
459 # listen_address = hostname(tls)
460 # listen_address = hostname:port(tls)
461 # listen_address = IPv4_address(tls)
462 # listen_address = IPv4_address:port(tls)
463 # listen_address = [IPv6_address](tls)
464 # listen_address = [IPv6_address]:port(tls)
465 #
466 # The (tls) suffix should be omitted for plaintext connections.
467 #
468 # Multiple listen_address settings may be specified.
469 # The default is to listen on all addresses.
470 #listen_address = *:30343
471 #listen_address = *:30344(tls)
472 # The file containing the ID of the running sudo_logsrvd process.
474 #pid_file = /run/sudo/sudo_logsrvd.pid
475 # If true, enable the SO_KEEPALIVE socket option on client connections.
477 #tcp_keepalive = true
478 # The amount of time, in seconds, the server will wait for the client to
480 # respond. A value of 0 will disable the timeout. The default value is 30.
481 #timeout = 30
482 # If true, the server certificate will be verified at startup and clients
484 # will authenticate the server by verifying its certificate and identity.
485 #tls_verify = true
486 # If true, client certificates will be validated by the server;
488 # clients without a valid certificate will be unable to connect.
489 # By default, client certs are not checked.
490 #tls_checkpeer = false
491 # Path to a certificate authority bundle file in PEM format to use
493 # instead of the system's default certificate authority database.
494 #tls_cacert = /etc/ssl/sudo/cacert.pem
495 # Path to the server's certificate file in PEM format.
497 # Required for TLS connections.
498 #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
499 # Path to the server's private key file in PEM format.
501 # Required for TLS connections.
502 #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
503 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
505 # NOTE that this setting is only effective if the negotiated protocol
506 # is TLS version 1.2.
507 # The default cipher list is HIGH:!aNULL.
508 #tls_ciphers_v12 = HIGH:!aNULL
509 # TLS cipher list if the negotiated protocol is TLS version 1.3.
511 # The default cipher list is TLS_AES_256_GCM_SHA384.
512 #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
513 # Path to the Diffie-Hellman parameter file in PEM format.
515 # If not set, the server will use the OpenSSL defaults.
516 #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
517 [relay]
519 # The host name or IP address and port to send logs to in relay mode.
520 # The syntax is identical to listen_address with the exception of
521 # the wild card ('*') syntax. When this setting is enabled, logs will
522 # be relayed to the specified host instead of being stored locally.
523 # This setting is not enabled by default.
524 #relay_host = relayhost.dom.ain
525 #relay_host = relayhost.dom.ain(tls)
526 # The amount of time, in seconds, the server will wait for a connection
528 # to the relay server to complete. A value of 0 will disable the timeout.
529 # The default value is 30.
530 #connect_timeout = 30
531 # The directory to store messages in before they are sent to the relay.
533 # Messages are stored in wire format.
534 # The default value is /var/log/sudo_logsrvd.
535 #relay_dir = /var/log/sudo_logsrvd
536 # The number of seconds to wait after a connection error before
538 # making a new attempt to forward a message to a relay host.
539 # The default value is 30.
540 #retry_interval = 30
541 # Whether to store the log before relaying it. If true, enable store
543 # and forward mode. If false, the client connection is immediately
544 # relayed. Defaults to false.
545 #store_first = true
546 # If true, enable the SO_KEEPALIVE socket option on relay connections.
548 #tcp_keepalive = true
549 # The amount of time, in seconds, the server will wait for the relay to
551 # respond. A value of 0 will disable the timeout. The default value is 30.
552 #timeout = 30
553 # If true, the server's relay certificate will be verified at startup.
555 # The default is to use the value in the [server] section.
556 #tls_verify = true
557 # Whether to verify the relay's certificate for TLS connections.
559 # The default is to use the value in the [server] section.
560 #tls_checkpeer = false
561 # Path to a certificate authority bundle file in PEM format to use
563 # instead of the system's default certificate authority database.
564 # The default is to use the value in the [server] section.
565 #tls_cacert = /etc/ssl/sudo/cacert.pem
566 # Path to the server's certificate file in PEM format.
568 # The default is to use the certificate in the [server] section.
569 #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
570 # Path to the server's private key file in PEM format.
572 # The default is to use the key in the [server] section.
573 #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
574 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
576 # NOTE that this setting is only effective if the negotiated protocol
577 # is TLS version 1.2.
578 # The default is to use the value in the [server] section.
579 #tls_ciphers_v12 = HIGH:!aNULL
580 # TLS cipher list if the negotiated protocol is TLS version 1.3.
582 # The default is to use the value in the [server] section.
583 #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
584 # Path to the Diffie-Hellman parameter file in PEM format.
586 # The default is to use the value in the [server] section.
587 #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
588 [iolog]
590 # The top-level directory to use when constructing the path name for the
591 # I/O log directory. The session sequence number, if any, is stored here.
592 #iolog_dir = /var/log/sudo-io
593 # The path name, relative to iolog_dir, in which to store I/O logs.
595 # Note that iolog_file may contain directory components.
596 #iolog_file = %{seq}
597 # If set, I/O logs will be compressed using zlib. Enabling compression can
599 # make it harder to view the logs in real-time as the program is executing.
600 #iolog_compress = false
601 # If set, I/O log data is flushed to disk after each write instead of
603 # buffering it. This makes it possible to view the logs in real-time
604 # as the program is executing but reduces the effectiveness of compression.
605 #iolog_flush = true
606 # The group to use when creating new I/O log files and directories.
608 # If iolog_group is not set, the primary group-ID of the user specified
609 # by iolog_user is used. If neither iolog_group nor iolog_user
610 # are set, I/O log files and directories are created with group-ID 0.
611 #iolog_group = wheel
612 # The user to use when setting the user-ID and group-ID of new I/O
614 # log files and directories. If iolog_group is set, it will be used
615 # instead of the user's primary group-ID. By default, I/O log files
616 # and directories are created with user and group-ID 0.
617 #iolog_user = root
618 # The file mode to use when creating I/O log files. The file permissions
620 # will always include the owner read and write bits, even if they are
621 # not present in the specified mode. When creating I/O log directories,
622 # search (execute) bits are added to match the read and write bits
623 # specified by iolog_mode.
624 #iolog_mode = 0600
625 # The maximum sequence number that will be substituted for the "%{seq}"
627 # escape in the I/O log file. While the value substituted for "%{seq}"
628 # is in base 36, maxseq itself should be expressed in decimal. Values
629 # larger than 2176782336 (which corresponds to the base 36 sequence
630 # number "ZZZZZZ") will be silently truncated to 2176782336.
631 #maxseq = 2176782336
632 [eventlog]
634 # Where to log accept, reject and alert events.
635 # Accepted values are syslog, logfile, or none.
636 # Defaults to syslog
637 #log_type = syslog
638 # Event log format.
640 # Currently only sudo-style event logs are supported.
641 #log_format = sudo
642 [syslog]
644 # The maximum length of a syslog payload.
645 # On many systems, syslog(3) has a relatively small log buffer.
646 # IETF RFC 5424 states that syslog servers must support messages
647 # of at least 480 bytes and should support messages up to 2048 bytes.
648 # Messages larger than this value will be split into multiple messages.
649 #maxlen = 960
650 # The syslog facility to use for event log messages.
652 # The following syslog facilities are supported: authpriv (if your OS
653 # supports it), auth, daemon, user, local0, local1, local2, local3,
654 # local4, local5, local6, and local7.
655 #facility = authpriv
656 # Syslog priority to use for event log accept messages, when the command
658 # is allowed by the security policy. The following syslog priorities are
659 # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
660 #accept_priority = notice
661 # Syslog priority to use for event log reject messages, when the command
663 # is not allowed by the security policy.
664 #reject_priority = alert
665 # Syslog priority to use for event log alert messages reported by the
667 # client.
668 #alert_priority = alert
669 [logfile]
671 # The path to the file-based event log.
672 # This path must be fully-qualified and start with a '/' character.
673 #path = /var/log/sudo
674 # The format string used when formatting the date and time for
676 # file-based event logs. Formatting is performed via strftime(3) so
677 # any format string supported by that function is allowed.
678 #time_format = %h %e %T
679
681 strftime(3), sudo.conf(5), sudoers(5), sudo(8), sudo_logsrvd(8)
682
684 See the HISTORY file in the sudo distribution (https://www.sudo.ws/his‐
685 tory.html) for a brief history of sudo.
686
688 Many people have worked on sudo over the years; this version consists of
689 code written primarily by:
690 Todd C. Miller
692 See the CONTRIBUTORS file in the sudo distribution
694 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
695 who have contributed to sudo.
696
698 If you feel you have found a bug in sudo, please submit a bug report at
699 https://bugzilla.sudo.ws/
700
702 Limited free support is available via the sudo-users mailing list, see
703 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
704 the archives.
705
707 sudo is provided “AS IS” and any express or implied warranties, includ‐
708 ing, but not limited to, the implied warranties of merchantability and
709 fitness for a particular purpose are disclaimed. See the LICENSE file
710 distributed with sudo or https://www.sudo.ws/license.html for complete
711 details.
712Sudo 1.9.7p2 May 1, 2021 Sudo 1.9.7p2