1SUDOREPLAY(8) BSD System Manager's Manual SUDOREPLAY(8)
2
4 sudoreplay — replay sudo session logs
5
7 sudoreplay [-FhnRS] [-d dir] [-f filter] [-m num] [-s num] ID
8 sudoreplay [-h] [-d dir] -l [search expression]
10
12 sudoreplay plays back or lists the output logs created by sudo. When re‐
13 playing, sudoreplay can play the session back in real-time, or the play‐
14 back speed may be adjusted (faster or slower) based on the command line
15 options.
16 The ID should either be a six character sequence of digits and upper case
18 letters, e.g., 0100A5 or a path name. Path names may be relative to the
19 I/O log directory /var/log/sudo-io (unless overridden by the -d option)
20 or fully qualified, beginning with a ‘/’ character. When a command is
21 run via sudo with log_output enabled in the sudoers file, a TSID=ID
22 string is logged via syslog or to the sudo log file. The ID may also be
23 determined using sudoreplay's list mode.
24 In list mode, sudoreplay can be used to find the ID of a session based on
26 a number of criteria such as the user, tty or command run.
27 In replay mode, if the standard input and output are connected to a ter‐
29 minal and the -n option is not specified, sudoreplay will operate inter‐
30 actively. In interactive mode, sudoreplay will attempt to adjust the
31 terminal size to match that of the session and write directly to the ter‐
32 minal (not all terminals support this). Additionally, it will poll the
33 keyboard and act on the following keys:
34 ‘\n’ or ‘\r’ Skip to the next replay event; useful for long pauses.
36 ‘ ’ (space) Pause output; press any key to resume.
38 ‘<’ Reduce the playback speed by one half.
40 ‘>’ Double the playback speed.
42 The session can be interrupted via control-C. When the session has fin‐
44 ished, the terminal is restored to its original size if it was changed
45 during playback.
46 The options are as follows:
48 -d dir, --directory=dir
50 Store session logs in dir instead of the default,
51 /var/log/sudo-io.
52 -f filter, --filter=filter
54 Select which I/O type(s) to display. By default, sudoreplay
55 will display the command's standard output, standard error
56 and tty output. The filter argument is a comma-separated
57 list, consisting of one or more of following: stdin, stdout,
58 stderr, ttyin, and ttyout.
59 -F, --follow
61 Enable “follow mode”. When replaying a session, sudoreplay
62 will ignore end-of-file and keep replaying until the log is
63 complete. This can be used to replay a session that is still
64 in progress, similar to “tail -f”. An I/O log file is con‐
65 sidered to be complete when the write bits have been cleared
66 on the session's timing file. Note that versions of sudo
67 prior to 1.9.1 do not clear the write bits upon completion.
68 -h, --help Display a short help message to the standard output and exit.
70 -l, --list [search expression]
72 Enable “list mode”. In this mode, sudoreplay will list
73 available sessions in a format similar to the sudo log file
74 format, sorted by file name (or sequence number). If a
75 search expression is specified, it will be used to restrict
76 the IDs that are displayed. An expression is composed of the
77 following predicates:
78 command pattern
80 Evaluates to true if the command run matches the
81 POSIX extended regular expression pattern.
82 cwd directory
84 Evaluates to true if the command was run with the
85 specified current working directory.
86 fromdate date
88 Evaluates to true if the command was run on or after
89 date. See Date and time format for a description of
90 supported date and time formats.
91 group runas_group
93 Evaluates to true if the command was run with the
94 specified runas_group. Note that unless a
95 runas_group was explicitly specified when sudo was
96 run this field will be empty in the log.
97 host hostname
99 Evaluates to true if the command was run on the spec‐
100 ified hostname.
101 runas runas_user
103 Evaluates to true if the command was run as the spec‐
104 ified runas_user. Note that sudo runs commands as
105 user root by default.
106 todate date
108 Evaluates to true if the command was run on or prior
109 to date. See Date and time format for a description
110 of supported date and time formats.
111 tty tty name
113 Evaluates to true if the command was run on the spec‐
114 ified terminal device. The tty name should be speci‐
115 fied without the /dev/ prefix, e.g., tty01 instead of
116 /dev/tty01.
117 user user name
119 Evaluates to true if the ID matches a command run by
120 user name.
121 Predicates may be abbreviated to the shortest unique string.
123 Predicates may be combined using and, or and ! operators as
125 well as ‘(’ and ‘)’ grouping (note that parentheses must gen‐
126 erally be escaped from the shell). The and operator is op‐
127 tional, adjacent predicates have an implied and unless sepa‐
128 rated by an or.
129 -m, --max-wait max_wait
131 Specify an upper bound on how long to wait between key
132 presses or output data. By default, sudoreplay will accu‐
133 rately reproduce the delays between key presses or program
134 output. However, this can be tedious when the session in‐
135 cludes long pauses. When the -m option is specified,
136 sudoreplay will limit these pauses to at most max_wait sec‐
137 onds. The value may be specified as a floating point number,
138 e.g., 2.5. A max_wait of zero or less will eliminate the
139 pauses entirely.
140 -n, --non-interactive
142 Do not prompt for user input or attempt to re-size the termi‐
143 nal. The session is written to the standard output, not di‐
144 rectly to the user's terminal.
145 -R, --no-resize
147 Do not attempt to re-size the terminal to match the terminal
148 size of the session.
149 -S, --suspend-wait
151 Wait while the command was suspended. By default, sudoreplay
152 will ignore the time interval between when the command was
153 suspended and when it was resumed. If the -S option is spec‐
154 ified, sudoreplay will wait instead.
155 -s, --speed speed_factor
157 This option causes sudoreplay to adjust the number of seconds
158 it will wait between key presses or program output. This can
159 be used to slow down or speed up the display. For example, a
160 speed_factor of 2 would make the output twice as fast whereas
161 a speed_factor of .5 would make the output twice as slow.
162 -V, --version
164 Print the sudoreplay versions version number and exit.
165 Date and time format
167 The time and date may be specified multiple ways, common formats include:
168 HH:MM:SS am MM/DD/CCYY timezone
170 24 hour time may be used in place of am/pm.
171 HH:MM:SS am Month, Day Year timezone
173 24 hour time may be used in place of am/pm, and month and day
174 names may be abbreviated. Note that month and day of the week
175 names must be specified in English.
176 CCYY-MM-DD HH:MM:SS
178 ISO time format
179 DD Month CCYY HH:MM:SS
181 The month name may be abbreviated.
182 Either time or date may be omitted, the am/pm and timezone are optional.
184 If no date is specified, the current day is assumed; if no time is speci‐
185 fied, the first second of the specified date is used. The less signifi‐
186 cant parts of both time and date may also be omitted, in which case zero
187 is assumed.
188 The following are all valid time and date specifications:
190 now The current time and date.
192 tomorrow
194 Exactly one day from now.
195 yesterday
197 24 hours ago.
198 2 hours ago
200 2 hours ago.
201 next Friday
203 The first second of the Friday in the next (upcoming) week. Not
204 to be confused with “this Friday” which would match the Friday of
205 the current week.
206 last week
208 The current time but 7 days ago. This is equivalent to “a week
209 ago”.
210 a fortnight ago
212 The current time but 14 days ago.
213 10:01 am 9/17/2009
215 10:01 am, September 17, 2009.
216 10:01 am
218 10:01 am on the current day.
219 10 10:00 am on the current day.
221 9/17/2009
223 00:00 am, September 17, 2009.
224 10:01 am Sep 17, 2009
226 10:01 am, September 17, 2009.
227 Note that relative time specifications do not always work as expected.
229 For example, the “next” qualifier is intended to be used in conjunction
230 with a day such as “next Monday”. When used with units of weeks, months,
231 years, etc the result will be one more than expected. For example, “next
232 week” will result in a time exactly two weeks from now, which is probably
233 not what was intended. This will be addressed in a future version of
234 sudoreplay.
235 Debugging sudoreplay
237 sudoreplay versions 1.8.4 and higher support a flexible debugging frame‐
238 work that is configured via Debug lines in the sudo.conf(5) file.
239 For more information on configuring sudo.conf(5), please refer to its
241 manual.
242
244 /etc/sudo.conf Debugging framework configuration
245 /var/log/sudo-io The default I/O log directory.
247 /var/log/sudo-io/00/00/01/log
249 Example session log info.
250 /var/log/sudo-io/00/00/01/log.json
252 Example session log info (JSON format).
253 /var/log/sudo-io/00/00/01/stdin
255 Example session standard input log.
256 /var/log/sudo-io/00/00/01/stdout
258 Example session standard output log.
259 /var/log/sudo-io/00/00/01/stderr
261 Example session standard error log.
262 /var/log/sudo-io/00/00/01/ttyin
264 Example session tty input file.
265 /var/log/sudo-io/00/00/01/ttyout
267 Example session tty output file.
268 /var/log/sudo-io/00/00/01/timing
270 Example session timing file.
271 Note that the stdin, stdout and stderr files will be empty unless sudo
273 was used as part of a pipeline for a particular command.
274
276 List sessions run by user millert:
277 # sudoreplay -l user millert
279 List sessions run by user bob with a command containing the string vi:
281 # sudoreplay -l user bob command vi
283 List sessions run by user jeff that match a regular expression:
285 # sudoreplay -l user jeff command '/bin/[a-z]*sh'
287 List sessions run by jeff or bob on the console:
289 # sudoreplay -l ( user jeff or user bob ) tty console
291
293 script(1), sudo.conf(5), sudo(8)
294
296 Many people have worked on sudo over the years; this version consists of
297 code written primarily by:
298 Todd C. Miller
300 See the CONTRIBUTORS file in the sudo distribution
302 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
303 who have contributed to sudo.
304
306 If you feel you have found a bug in sudoreplay, please submit a bug re‐
307 port at https://bugzilla.sudo.ws/
308
310 Limited free support is available via the sudo-users mailing list, see
311 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
312 the archives.
313
315 sudoreplay is provided “AS IS” and any express or implied warranties, in‐
316 cluding, but not limited to, the implied warranties of merchantability
317 and fitness for a particular purpose are disclaimed. See the LICENSE
318 file distributed with sudo or https://www.sudo.ws/license.html for com‐
319 plete details.
320Sudo 1.9.7p2 May 26, 2021 Sudo 1.9.7p2