1SUDOREPLAY(8) BSD System Manager's Manual SUDOREPLAY(8)
2
4 sudoreplay — replay sudo session logs
5
7 sudoreplay [-FhnRS] [-d dir] [-f filter] [-m num] [-s num] ID[@offset]
8 sudoreplay [-h] [-d dir] -l [search expression]
10
12 sudoreplay plays back or lists the output logs created by sudo. When re‐
13 playing, sudoreplay can play the session back in real-time, or the play‐
14 back speed may be adjusted (faster or slower) based on the command line
15 options.
16 The ID should either be a six character sequence of digits and upper case
18 letters, e.g., 0100A5 or a path name. The ID may include an optional
19 @offset suffix which may be used to start replaying at a specific time
20 offset. The @offset is specified as a number in seconds since the start
21 of the session with an optional decimal fraction.
22 Path names may be relative to the I/O log directory /var/log/sudo-io (un‐
24 less overridden by the -d option) or fully qualified, beginning with a
25 ‘/’ character. When a command is run via sudo with log_output enabled in
26 the sudoers file, a TSID=ID string is logged via syslog or to the sudo
27 log file. The ID may also be determined using sudoreplay's list mode.
28 In list mode, sudoreplay can be used to find the ID of a session based on
30 a number of criteria such as the user, tty or command run.
31 In replay mode, if the standard input and output are connected to a ter‐
33 minal and the -n option is not specified, sudoreplay will operate inter‐
34 actively. In interactive mode, sudoreplay will attempt to adjust the
35 terminal size to match that of the session and write directly to the ter‐
36 minal (not all terminals support this). Additionally, it will poll the
37 keyboard and act on the following keys:
38 ‘\n’ or ‘\r’ Skip to the next replay event; useful for long pauses.
40 ‘ ’ (space) Pause output; press any key to resume.
42 ‘<’ Reduce the playback speed by one half.
44 ‘>’ Double the playback speed.
46 The session can be interrupted via control-C. When the session has fin‐
48 ished, the terminal is restored to its original size if it was changed
49 during playback.
50 The options are as follows:
52 -d dir, --directory=dir
54 Store session logs in dir instead of the default,
55 /var/log/sudo-io.
56 -f filter, --filter=filter
58 Select which I/O type(s) to display. By default, sudoreplay
59 will display the command's standard output, standard error
60 and tty output. The filter argument is a comma-separated
61 list, consisting of one or more of following: stdin, stdout,
62 stderr, ttyin, and ttyout.
63 -F, --follow
65 Enable “follow mode”. When replaying a session, sudoreplay
66 will ignore end-of-file and keep replaying until the log is
67 complete. This can be used to replay a session that is still
68 in progress, similar to “tail -f”. An I/O log file is con‐
69 sidered to be complete when the write bits have been cleared
70 on the session's timing file. Note that versions of sudo
71 prior to 1.9.1 do not clear the write bits upon completion.
72 -h, --help Display a short help message to the standard output and exit.
74 -l, --list [search expression]
76 Enable “list mode”. In this mode, sudoreplay will list
77 available sessions in a format similar to the sudo log file
78 format, sorted by file name (or sequence number). If a
79 search expression is specified, it will be used to restrict
80 the IDs that are displayed. An expression is composed of the
81 following predicates:
82 command pattern
84 Evaluates to true if the command run matches the
85 POSIX extended regular expression pattern.
86 cwd directory
88 Evaluates to true if the command was run with the
89 specified current working directory.
90 fromdate date
92 Evaluates to true if the command was run on or after
93 date. See Date and time format for a description of
94 supported date and time formats.
95 group runas_group
97 Evaluates to true if the command was run with the
98 specified runas_group. Note that unless a
99 runas_group was explicitly specified when sudo was
100 run this field will be empty in the log.
101 host hostname
103 Evaluates to true if the command was run on the spec‐
104 ified hostname.
105 runas runas_user
107 Evaluates to true if the command was run as the spec‐
108 ified runas_user. Note that sudo runs commands as
109 user root by default.
110 todate date
112 Evaluates to true if the command was run on or prior
113 to date. See Date and time format for a description
114 of supported date and time formats.
115 tty tty name
117 Evaluates to true if the command was run on the spec‐
118 ified terminal device. The tty name should be speci‐
119 fied without the /dev/ prefix, e.g., tty01 instead of
120 /dev/tty01.
121 user user name
123 Evaluates to true if the ID matches a command run by
124 user name.
125 Predicates may be abbreviated to the shortest unique string.
127 Predicates may be combined using and, or and ! operators as
129 well as ‘(’ and ‘)’ grouping (note that parentheses must gen‐
130 erally be escaped from the shell). The and operator is op‐
131 tional, adjacent predicates have an implied and unless sepa‐
132 rated by an or.
133 -m, --max-wait max_wait
135 Specify an upper bound on how long to wait between key
136 presses or output data. By default, sudoreplay will accu‐
137 rately reproduce the delays between key presses or program
138 output. However, this can be tedious when the session in‐
139 cludes long pauses. When the -m option is specified,
140 sudoreplay will limit these pauses to at most max_wait sec‐
141 onds. The value may be specified as a floating point number,
142 e.g., 2.5. A max_wait of zero or less will eliminate the
143 pauses entirely.
144 -n, --non-interactive
146 Do not prompt for user input or attempt to re-size the termi‐
147 nal. The session is written to the standard output, not di‐
148 rectly to the user's terminal.
149 -R, --no-resize
151 Do not attempt to re-size the terminal to match the terminal
152 size of the session.
153 -S, --suspend-wait
155 Wait while the command was suspended. By default, sudoreplay
156 will ignore the time interval between when the command was
157 suspended and when it was resumed. If the -S option is spec‐
158 ified, sudoreplay will wait instead.
159 -s, --speed speed_factor
161 This option causes sudoreplay to adjust the number of seconds
162 it will wait between key presses or program output. This can
163 be used to slow down or speed up the display. For example, a
164 speed_factor of 2 would make the output twice as fast whereas
165 a speed_factor of .5 would make the output twice as slow.
166 -V, --version
168 Print the sudoreplay versions version number and exit.
169 Date and time format
171 The time and date may be specified multiple ways, common formats include:
172 HH:MM:SS am MM/DD/CCYY timezone
174 24 hour time may be used in place of am/pm.
175 HH:MM:SS am Month, Day Year timezone
177 24 hour time may be used in place of am/pm, and month and day
178 names may be abbreviated. Note that month and day of the week
179 names must be specified in English.
180 CCYY-MM-DD HH:MM:SS
182 ISO time format
183 DD Month CCYY HH:MM:SS
185 The month name may be abbreviated.
186 Either time or date may be omitted, the am/pm and timezone are optional.
188 If no date is specified, the current day is assumed; if no time is speci‐
189 fied, the first second of the specified date is used. The less signifi‐
190 cant parts of both time and date may also be omitted, in which case zero
191 is assumed.
192 The following are all valid time and date specifications:
194 now The current time and date.
196 tomorrow
198 Exactly one day from now.
199 yesterday
201 24 hours ago.
202 2 hours ago
204 2 hours ago.
205 next Friday
207 The first second of the Friday in the next (upcoming) week. Not
208 to be confused with “this Friday” which would match the Friday of
209 the current week.
210 last week
212 The current time but 7 days ago. This is equivalent to “a week
213 ago”.
214 a fortnight ago
216 The current time but 14 days ago.
217 10:01 am 9/17/2009
219 10:01 am, September 17, 2009.
220 10:01 am
222 10:01 am on the current day.
223 10 10:00 am on the current day.
225 9/17/2009
227 00:00 am, September 17, 2009.
228 10:01 am Sep 17, 2009
230 10:01 am, September 17, 2009.
231 Note that relative time specifications do not always work as expected.
233 For example, the “next” qualifier is intended to be used in conjunction
234 with a day such as “next Monday”. When used with units of weeks, months,
235 years, etc the result will be one more than expected. For example, “next
236 week” will result in a time exactly two weeks from now, which is probably
237 not what was intended. This will be addressed in a future version of
238 sudoreplay.
239 Debugging sudoreplay
241 sudoreplay versions 1.8.4 and higher support a flexible debugging frame‐
242 work that is configured via Debug lines in the sudo.conf(5) file.
243 For more information on configuring sudo.conf(5), please refer to its
245 manual.
246
248 /etc/sudo.conf Debugging framework configuration
249 /var/log/sudo-io The default I/O log directory.
251 /var/log/sudo-io/00/00/01/log
253 Example session log info.
254 /var/log/sudo-io/00/00/01/log.json
256 Example session log info (JSON format).
257 /var/log/sudo-io/00/00/01/stdin
259 Example session standard input log.
260 /var/log/sudo-io/00/00/01/stdout
262 Example session standard output log.
263 /var/log/sudo-io/00/00/01/stderr
265 Example session standard error log.
266 /var/log/sudo-io/00/00/01/ttyin
268 Example session tty input file.
269 /var/log/sudo-io/00/00/01/ttyout
271 Example session tty output file.
272 /var/log/sudo-io/00/00/01/timing
274 Example session timing file.
275 Note that the stdin, stdout and stderr files will be empty unless sudo
277 was used as part of a pipeline for a particular command.
278
280 List sessions run by user millert:
281 # sudoreplay -l user millert
283 List sessions run by user bob with a command containing the string vi:
285 # sudoreplay -l user bob command vi
287 List sessions run by user jeff that match a regular expression:
289 # sudoreplay -l user jeff command '/bin/[a-z]*sh'
291 List sessions run by jeff or bob on the console:
293 # sudoreplay -l ( user jeff or user bob ) tty console
295
297 script(1), sudo.conf(5), sudo(8)
298
300 Many people have worked on sudo over the years; this version consists of
301 code written primarily by:
302 Todd C. Miller
304 See the CONTRIBUTORS file in the sudo distribution
306 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
307 who have contributed to sudo.
308
310 If you feel you have found a bug in sudoreplay, please submit a bug re‐
311 port at https://bugzilla.sudo.ws/
312
314 Limited free support is available via the sudo-users mailing list, see
315 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
316 the archives.
317
319 sudoreplay is provided “AS IS” and any express or implied warranties, in‐
320 cluding, but not limited to, the implied warranties of merchantability
321 and fitness for a particular purpose are disclaimed. See the LICENSE
322 file distributed with sudo or https://www.sudo.ws/license.html for com‐
323 plete details.
324Sudo 1.9.8p2 August 13, 2021 Sudo 1.9.8p2