SUDOREPLAY(8)              BSD System Manager's Manual             SUDOREPLAY(8)

NAME
     sudoreplay — replay sudo session logs

SYNOPSIS
     sudoreplay [-FhnRS] [-d dir] [-f filter] [-m num] [-s num] ID[@offset]

     sudoreplay [-h] [-d dir] -l [search expression]

DESCRIPTION
     sudoreplay plays back or lists the output logs created by sudo.  When
     replaying, sudoreplay can play the session back in real time, or the
     playback speed may be adjusted (faster or slower) based on the command
     line options.

     The ID should be either a six-character sequence of digits and upper
     case letters, e.g., “0100A5”, or a path name.  The ID may include an
     optional @offset suffix which may be used to start replaying at a
     specific time offset.  The @offset is specified as a number of seconds
     since the start of the session, with an optional decimal fraction.

     Path names may be relative to the I/O log directory /var/log/sudo-io
     (unless overridden by the -d option) or fully qualified, beginning with
     a ‘/’ character.  When a command is run via sudo with log_output enabled
     in the sudoers file, a “TSID=ID” string is logged via syslog(3) or to
     the sudo log file.  The ID may also be determined using sudoreplay's
     list mode.

     In list mode, sudoreplay can be used to find the ID of a session based
     on a number of criteria such as the user, tty, or command run.

     In replay mode, if the standard input and output are connected to a
     terminal and the -n option is not specified, sudoreplay will operate
     interactively.  In interactive mode, sudoreplay will attempt to adjust
     the terminal size to match that of the session and write directly to
     the terminal (not all terminals support this).  Additionally, it will
     poll the keyboard and act on the following keys:

     ‘\n’ or ‘\r’  Skip to the next replay event; useful for long pauses.

     ‘ ’ (space)   Pause output; press any key to resume.

     ‘<’           Reduce the playback speed by one half.

     ‘>’           Double the playback speed.

     The session can be interrupted via control-C.  When the session has
     finished, the terminal is restored to its original size if it was
     changed during playback.
     The options are as follows:

     -d dir, --directory=dir
             Look for session logs in dir instead of the default,
             /var/log/sudo-io.  sudoreplay only reads this directory; the
             logs are written by sudo.

     -f filter, --filter=filter
             Select which I/O type(s) to display.  By default, sudoreplay
             will display the command's standard output, standard error,
             and tty output.  The filter argument is a comma-separated
             list consisting of one or more of the following: stdin,
             stdout, stderr, ttyin, and ttyout.

     -F, --follow
             Enable “follow mode”.  When replaying a session, sudoreplay
             will ignore end-of-file and keep replaying until the log is
             complete.  This can be used to replay a session that is still
             in progress, similar to “tail -f”.  An I/O log file is
             considered to be complete when the write bits have been
             cleared on the session's timing file.  Versions of sudo prior
             to 1.9.1 do not clear the write bits upon completion, so
             follow mode cannot detect the end of a session logged by those
             versions.

     -h, --help
             Display a short help message to the standard output and exit.

     -l, --list [search expression]
             Enable “list mode”.  In this mode, sudoreplay will list
             available sessions in a format similar to the sudo log file
             format, sorted by file name (or sequence number).  If a
             search expression is specified, it will be used to restrict
             the IDs that are displayed.  An expression is composed of the
             following predicates:

             command pattern
                     Evaluates to true if the command run matches the
                     POSIX extended regular expression pattern.

             cwd directory
                     Evaluates to true if the command was run with the
                     specified current working directory.

             fromdate date
                     Evaluates to true if the command was run on or after
                     date.  See Date and time format for a description of
                     supported date and time formats.

             group runas_group
                     Evaluates to true if the command was run with the
                     specified runas_group.  Unless a runas_group was
                     explicitly specified when sudo was run, this field
                     will be empty in the log.

             host hostname
                     Evaluates to true if the command was run on the
                     specified hostname.

             runas runas_user
                     Evaluates to true if the command was run as the
                     specified runas_user.  By default, sudo runs commands
                     as the root user.

             todate date
                     Evaluates to true if the command was run on or prior
                     to date.  See Date and time format for a description
                     of supported date and time formats.

             tty tty name
                     Evaluates to true if the command was run on the
                     specified terminal device.  The tty name should be
                     specified without the /dev/ prefix, e.g., tty01
                     instead of /dev/tty01.

             user user name
                     Evaluates to true if the ID matches a command run by
                     user name.

             Predicates may be abbreviated to the shortest unique string.

             Predicates may be combined using and, or, and ! operators as
             well as ‘(’ and ‘)’ grouping (parentheses must generally be
             escaped from the shell).  The and operator is optional;
             adjacent predicates have an implied and unless separated by
             an or.

     -m max_wait, --max-wait=max_wait
             Specify an upper bound on how long to wait between key
             presses or output data.  By default, sudoreplay will
             accurately reproduce the delays between key presses or
             program output.  However, this can be tedious when the
             session includes long pauses.  When the -m option is
             specified, sudoreplay will limit these pauses to at most
             max_wait seconds.  The value may be specified as a floating
             point number, e.g., 2.5.  A max_wait of zero or less will
             eliminate the pauses entirely.

     -n, --non-interactive
             Do not prompt for user input or attempt to re-size the
             terminal.  The session is written to the standard output, not
             directly to the user's terminal, so it can be redirected to a
             file or piped to another command.

     -R, --no-resize
             Do not attempt to re-size the terminal to match the terminal
             size of the session.

     -S, --suspend-wait
             Wait while the command was suspended.  By default, sudoreplay
             will ignore the time interval between when the command was
             suspended and when it was resumed.  If the -S option is
             specified, sudoreplay will wait instead.

     -s speed_factor, --speed=speed_factor
             This option causes sudoreplay to adjust the number of seconds
             it will wait between key presses or program output.  This can
             be used to slow down or speed up the display.  For example, a
             speed_factor of 2 would make the output twice as fast whereas
             a speed_factor of .5 would make the output twice as slow.

     -V, --version
             Print the sudoreplay version number and exit.

   Date and time format
     The time and date may be specified multiple ways; common formats
     include:

     HH:MM:SS am MM/DD/CCYY timezone
             24 hour time may be used in place of am/pm.

     HH:MM:SS am Month, Day Year timezone
             24 hour time may be used in place of am/pm, and month and day
             names may be abbreviated.  Month and day of the week names
             must be specified in English.

     CCYY-MM-DD HH:MM:SS
             ISO time format

     DD Month CCYY HH:MM:SS
             The month name may be abbreviated.

     Either the time or the date may be omitted; the am/pm and timezone are
     optional.  If no date is specified, the current day is assumed; if no
     time is specified, the first second of the specified date is used.
     The less significant parts of both time and date may also be omitted,
     in which case zero is assumed.

     The following are all valid time and date specifications:

     now     The current time and date.

     tomorrow
             Exactly one day from now.

     yesterday
             24 hours ago.

     2 hours ago
             2 hours ago.

     next Friday
             The first second of the Friday in the next (upcoming) week.
             Not to be confused with “this Friday”, which would match the
             Friday of the current week.

     last week
             The current time but 7 days ago.  This is equivalent to “a
             week ago”.

     a fortnight ago
             The current time but 14 days ago.

     10:01 am 9/17/2009
             10:01 am, September 17, 2009.

     10:01 am
             10:01 am on the current day.

     10      10:00 am on the current day.

     9/17/2009
             00:00 am, September 17, 2009.

     10:01 am Sep 17, 2009
             10:01 am, September 17, 2009.

     Relative time specifications do not always work as expected.  For
     example, the “next” qualifier is intended to be used in conjunction
     with a day such as “next Monday”.  When used with units of weeks,
     months, years, etc., the result will be one more than expected.  For
     example, “next week” will result in a time exactly two weeks from now,
     which is probably not what was intended.  This will be addressed in a
     future version of sudoreplay.

   Debugging sudoreplay
     sudoreplay versions 1.8.4 and higher support a flexible debugging
     framework that is configured via Debug lines in the sudo.conf(5) file.

     For more information on configuring sudo.conf(5), refer to its manual.

FILES
     /etc/sudo.conf            Debugging framework configuration

     /var/log/sudo-io          The default I/O log directory.

     /var/log/sudo-io/00/00/01/log
                               Example session log info.

     /var/log/sudo-io/00/00/01/log.json
                               Example session log info (JSON format).

     /var/log/sudo-io/00/00/01/stdin
                               Example session standard input log.

     /var/log/sudo-io/00/00/01/stdout
                               Example session standard output log.

     /var/log/sudo-io/00/00/01/stderr
                               Example session standard error log.

     /var/log/sudo-io/00/00/01/ttyin
                               Example session tty input file.

     /var/log/sudo-io/00/00/01/ttyout
                               Example session tty output file.

     /var/log/sudo-io/00/00/01/timing
                               Example session timing file.

     The stdin, stdout and stderr files will be empty unless sudo was used
     as part of a pipeline for a particular command.

EXAMPLES
     List sessions run by user millert:

           # sudoreplay -l user millert

     List sessions run by user bob with a command containing the string vi:

           # sudoreplay -l user bob command vi

     List sessions run by user jeff that match a regular expression:

           # sudoreplay -l user jeff command '/bin/[a-z]*sh'

     List sessions run by jeff or bob on the console.  The grouping
     parentheses are escaped so that the shell passes them to sudoreplay
     instead of treating them as a subshell:

           # sudoreplay -l \( user jeff or user bob \) tty console
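     The following script is an added example and is not part of the sudo
     distribution.  It ties together two points made above: the “TSID=ID”
     string that sudo logs when log_output is enabled (DESCRIPTION), and the
     rule used by -F that a session is complete once the write bits on its
     timing file have been cleared.  It extracts session IDs from a
     constructed sudo log file, maps each ID to its session directory using
     the layout shown in FILES (session 000001 lives under
     /var/log/sudo-io/00/00/01), and reports whether the session can be
     replayed outright or should be followed.  The log lines, host and user
     names are made up; the IOLOG_DIR variable and all function names are
     this example's own.

```shell
#!/bin/sh
# Added example, not from the sudo distribution: go from the "TSID=ID"
# string that sudo logs (log_output enabled) to the session directory that
# sudoreplay reads, and decide whether the session is still in progress.
# Directory layout follows the FILES section: ID 000001 -> 00/00/01.

IOLOG_DIR="${IOLOG_DIR:-/var/log/sudo-io}"

# Constructed sample of a sudo log file (hosts, users and commands are made
# up).  The TSID field is the one sudo adds when log_output is enabled; the
# third line has none, as for a command that was not I/O logged.
SAMPLE_LOG='Sep 13 10:01:22 host1 sudo:   alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; TSID=0100A5 ; COMMAND=/bin/sh
Sep 13 10:05:41 host1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; TSID=0100A6 ; COMMAND=/usr/bin/vi /etc/hosts
Sep 13 10:09:03 host1 sudo:   alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Sep 13 10:12:57 host1 sudo:   alice : TTY=pts/4 ; PWD=/tmp ; USER=postgres ; TSID=0100A7 ; COMMAND=/usr/bin/psql'

# Print every TSID found on standard input, one per line.  Lines without a
# TSID are skipped.
tsids() {
    LC_ALL=C sed -n 's/.*TSID=\([0-9A-Z]\{6\}\).*/\1/p'
}

# Print the TSIDs of sessions run by one invoking user.  In the sudo log
# line the user name sits between "sudo:" and " : ".  Assumes a plain
# (alphanumeric) user name, since it is used inside a regular expression.
tsids_for_user() {
    LC_ALL=C grep -E "sudo: +$1 : " | tsids
}

# A valid ID is exactly six digits or upper-case letters, e.g. 0100A5.
valid_tsid() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[0-9A-Z]{6}$'
}

# Map an ID to its session directory: 0100A5 -> $IOLOG_DIR/01/00/A5.
# Fails (exit 1) for anything that is not a well-formed ID.
tsid_to_dir() {
    valid_tsid "$1" || return 1
    rest=${1#??}
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" "${1%????}" "${rest%??}" "${rest#??}"
}

# Exit 0 if the session is complete, 1 if it is still being written, 2 if
# there is no timing file.  sudo 1.9.1 and later clear the write bits on
# the timing file when the session ends, which is what sudoreplay -F
# waits for.  The mode string comes from ls -ld, which is POSIX.
session_complete() {
    timing="$1/timing"
    [ -f "$timing" ] || return 2
    case "$(ls -ld "$timing" | cut -c1-10)" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Walk the sample log: for each session of user alice, show where it lives
# and the sudoreplay invocation to use (pauses capped at 2 s for a finished
# session, follow mode for one that is still running).
printf '%s\n' "$SAMPLE_LOG" | tsids_for_user alice | while read -r id; do
    dir=$(tsid_to_dir "$id") || continue
    if session_complete "$dir"; then
        echo "$id complete             -> sudoreplay -m 2 $id   ($dir)"
    else
        echo "$id in progress or absent -> sudoreplay -F $id     ($dir)"
    fi
done
```

     tsids_for_user is the log-file counterpart of “sudoreplay -l user
     alice”; it is useful when the I/O log directory has been moved off the
     host but the syslog records are still at hand.  To capture a finished
     session as text for review instead of playing it back, combine -n with
     -m 0 and redirect standard output, e.g. “sudoreplay -n -m 0 0100A5 >
     0100A5.txt”.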

SEE ALSO
     script(1), sudo.conf(5), sudo(8)

AUTHORS
     Many people have worked on sudo over the years; this version consists
     of code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS.md file in the sudo distribution
     (https://www.sudo.ws/about/contributors/) for an exhaustive list of
     people who have contributed to sudo.

BUGS
     If you believe you have found a bug in sudoreplay, you can submit a bug
     report at https://bugzilla.sudo.ws/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.

DISCLAIMER
     sudoreplay is provided “AS IS” and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE.md file distributed with sudo or
     https://www.sudo.ws/about/license/ for complete details.

Sudo 1.9.12p2                  September 13, 2022                 Sudo 1.9.12p2