SUDO_LOGSRVD.CONF(5)          BSD File Formats Manual          SUDO_LOGSRVD.CONF(5)

NAME
     sudo_logsrvd.conf — configuration for sudo_logsrvd

DESCRIPTION
     The sudo_logsrvd.conf file is used to configure the sudo_logsrvd log server.  It uses an INI-style format made up of sections in square brackets and “key = value” pairs specific to each section below the section name.  Depending on the key, values may be integers, booleans, or strings.  Section and key names are not case sensitive, but values are.

     The pound sign (‘#’) is used to indicate a comment.  Both the comment character and any text after it, up to the end of the line, are ignored.  Lines beginning with a semi-colon (‘;’) are also ignored.

     Long lines can be continued with a backslash (‘\’) as the last character on the line.  Leading white space is removed from the beginning of lines even when the continuation character is used.

     The EXAMPLES section contains a copy of the default sudo_logsrvd.conf file.

     The following configuration sections are recognized:

           •   server
           •   relay
           •   iolog
           •   eventlog
           •   syslog
           •   logfile

     Each section is described in detail below.

   server
     The server section configures the address and port the server will listen on.  The following keys are recognized:

     listen_address = host[:port][(tls)]
           The host name or IP address, optional port to listen on and an optional Transport Layer Security (TLS) flag in parentheses.

           The host may be a host name, an IPv4 address, an IPv6 address in square brackets or the wild card entry ‘*’.  A host setting of ‘*’ will cause sudo_logsrvd to listen on all configured network interfaces.

           If the optional tls flag is present, sudo_logsrvd will secure the connection with TLS version 1.2 or 1.3.  Versions of TLS prior to 1.2 are not supported.  See sudo_logsrvd(8) for details on generating TLS keys and certificates.

           If a port is specified, it may either be a port number or a known service name as defined by the system service name database.  If no port is specified, port 30343 will be used for plaintext connections and port 30344 will be used for TLS connections.

           The default value is:
                 listen_address = *:30343
                 listen_address = *:30344(tls)
           which will listen on all configured network interfaces for both plaintext and TLS connections.  Multiple listen_address lines may be specified to listen on more than one port or interface.
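           The host[:port][(tls)] syntax is shared with relay_host in the relay section, which differs only in rejecting the ‘*’ wild card.  The parser below is an added example written for this page, not sudo's own code; it resolves the default ports the text gives (30343 plaintext, 30344 TLS), validates bracketed IPv6 literals, passes service names through unchanged for the system service name database to resolve, and ends with a small defender's check that reports plaintext listeners bound to every interface.

```python
import ipaddress
import re

# Added example, not sudo's own code: parses the host[:port][(tls)] syntax
# shared by listen_address in [server] and relay_host in [relay].  Default
# ports are the ones the page gives (30343 plaintext, 30344 TLS); relay_host
# differs only in rejecting the '*' wild card.

PLAINTEXT_PORT = 30343
TLS_PORT = 30344

_ADDR_RE = re.compile(r"""
    ^(?:
        \[(?P<v6>[0-9A-Fa-f:.%]+)\]      # IPv6 literal in square brackets
      | (?P<host>[^:\[\]()]+)           # host name, IPv4 address or '*'
    )
    (?::(?P<port>[^()]+))?              # optional :port, number or service name
    (?P<tls>\(tls\))?$                  # optional (tls) flag
    """, re.VERBOSE)


def parse_address(value, allow_wildcard=True):
    """Return (host, port, tls) for one listen_address/relay_host value.

    port is an int for numeric ports and a str for service names, which
    sudo_logsrvd resolves through the system service name database.
    """
    m = _ADDR_RE.match(value.strip())
    if not m:
        raise ValueError("bad address syntax: %r" % value)
    tls = m.group("tls") is not None
    if m.group("v6") is not None:
        host = m.group("v6")
        ipaddress.IPv6Address(host.split("%", 1)[0])   # raises if not IPv6
    else:
        host = m.group("host")
        if host == "*" and not allow_wildcard:
            raise ValueError("relay_host does not accept the '*' wild card")
    port = m.group("port")
    if port is None:
        port = TLS_PORT if tls else PLAINTEXT_PORT
    elif port.isdigit():
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError("port out of range: %d" % port)
    return host, port, tls


def plaintext_wildcard_listeners(values):
    """Defender's check: listeners accepting plaintext on every interface."""
    return [v for v in values
            if parse_address(v)[0] == "*" and not parse_address(v)[2]]


if __name__ == "__main__":
    for v in ("*:30343", "*:30344(tls)", "[::1](tls)",
              "logsrv.example.com:sudo-logsrv"):
        print(v, "->", parse_address(v))
    print("plaintext on all interfaces:",
          plaintext_wildcard_listeners(["*:30343", "*:30344(tls)"]))
```

           With the shipped default the check reports *:30343, which is the expected result for the default configuration and a reminder that the plaintext listener accepts unauthenticated connections from any interface unless it is narrowed or removed.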

     server_log = string
           Where to log server warning and error messages.  Supported values are none, stderr, syslog, or a path name beginning with the ‘/’ character.  A value of stderr is only effective when used in conjunction with the -n option.  The default value is syslog.

     pid_file = path
           The path to the file containing the process ID of the running sudo_logsrvd.  If set to an empty value, or if sudo_logsrvd is run with the -n option, no pid_file will be created.  If pid_file refers to a symbolic link, it will be ignored.  The default value is /run/sudo/sudo_logsrvd.pid.

     tcp_keepalive = boolean
           If true, sudo_logsrvd will enable the TCP keepalive socket option on the client connection.  This enables the periodic transmission of keepalive messages to the client.  If the client does not respond to a message in time, the connection will be closed.  Defaults to true.

     timeout = number
           The amount of time, in seconds, sudo_logsrvd will wait for the client to respond.  A value of 0 will disable the timeout.  The default value is 30.

     tls_cacert = path
           The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database when authenticating clients.  The default is to use /etc/ssl/sudo/cacert.pem if it exists, otherwise the system's default certificate authority database is used.

     tls_cert = path
           The path to the server's certificate file, in PEM format.  The default value is /etc/ssl/sudo/certs/logsrvd_cert.pem.

     tls_checkpeer = bool
           If true, client certificates will be validated by sudo_logsrvd; clients without a valid certificate will be unable to connect.  If false, no validation of client certificates will be performed.  If true and client certificates are created using a private certificate authority, the tls_cacert setting must be set to a CA bundle that contains the CA certificate used to generate the client certificate.  The default value is false.

     tls_ciphers_v12 = string
           A list of ciphers to use for connections secured by TLS version 1.2 only, separated by a colon ‘:’.  See the CIPHER LIST FORMAT section in openssl-ciphers(1) for full details.  The default value is “HIGH:!aNULL” which consists of encryption cipher suites with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.  Cipher suites that offer no authentication are excluded.

     tls_ciphers_v13 = string
           A list of ciphers to use for connections secured by TLS version 1.3 only, separated by a colon ‘:’.  Supported cipher suites depend on the version of OpenSSL used, but should include the following:

                 TLS_AES_128_GCM_SHA256
                 TLS_AES_256_GCM_SHA384
                 TLS_CHACHA20_POLY1305_SHA256
                 TLS_AES_128_CCM_SHA256
                 TLS_AES_128_CCM_8_SHA256

           The default cipher suite is “TLS_AES_256_GCM_SHA384”.

     tls_dhparams = path
           The path to a file containing custom Diffie-Hellman parameters in PEM format.  This file can be created with the following command:

                 openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048

           By default, sudo_logsrvd will use the OpenSSL defaults for Diffie-Hellman key generation.

     tls_key = path
           The path to the server's private key file, in PEM format.  The default value is /etc/ssl/sudo/private/logsrvd_key.pem.

     tls_verify = bool
           If true, sudo_logsrvd will validate its own certificate at startup time or when the configuration is changed.  If false, no verification is performed of the server certificate.  When using self-signed certificates without a certificate authority, this setting should be set to false.  The default value is true.
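           To make the effect of the TLS keys concrete, the following added example (written for this page, not sudo's own code) builds a Python ssl.SSLContext from a server section the way the descriptions above define the keys: TLS below 1.2 refused, tls_ciphers_v12 applied as the cipher list, and tls_checkpeer deciding whether a client must present a certificate that chains to tls_cacert.  It assumes the section is a plain dict of single string values and only loads certificate and key files when the configured paths exist, so it can be run before any keys have been generated.  Python's ssl module offers no way to set the TLS 1.3 cipher suite list, so tls_ciphers_v13 is left at the library default.

```python
import os
import ssl

# Added example, not sudo's own code: builds an ssl.SSLContext from the
# [server] TLS keys as this page describes their meaning, so the effect of
# tls_checkpeer can be seen side by side.  Assumptions: the section is a
# plain dict of string values (one value per key); certificate and key files
# are only loaded when the configured paths exist.  tls_ciphers_v13 cannot be
# set through Python's ssl module and is left at the library default.

SERVER_DEFAULTS = {
    "tls_cacert": "/etc/ssl/sudo/cacert.pem",
    "tls_cert": "/etc/ssl/sudo/certs/logsrvd_cert.pem",
    "tls_key": "/etc/ssl/sudo/private/logsrvd_key.pem",
    "tls_checkpeer": "false",
    "tls_ciphers_v12": "HIGH:!aNULL",
}


def as_bool(value):
    """Boolean values as the page spells them: true or false."""
    value = value.strip().lower()
    if value not in ("true", "false"):
        raise ValueError("expected true or false, got %r" % value)
    return value == "true"


def server_tls_context(server_section):
    cfg = {**SERVER_DEFAULTS, **server_section}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # TLS < 1.2 is unsupported
    ctx.set_ciphers(cfg["tls_ciphers_v12"])           # applies to TLS 1.2 only
    if as_bool(cfg["tls_checkpeer"]):
        # clients must present a certificate that chains to a trusted CA;
        # with a private CA, tls_cacert must point at a bundle containing it
        ctx.verify_mode = ssl.CERT_REQUIRED
        if os.path.exists(cfg["tls_cacert"]):
            ctx.load_verify_locations(cafile=cfg["tls_cacert"])
        else:
            ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
    else:
        ctx.verify_mode = ssl.CERT_NONE   # the default: any client may connect
    if os.path.exists(cfg["tls_cert"]) and os.path.exists(cfg["tls_key"]):
        ctx.load_cert_chain(cfg["tls_cert"], cfg["tls_key"])
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings of a context."""
    return {
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("default  :", describe(server_tls_context({})))
    print("checkpeer:", describe(server_tls_context({"tls_checkpeer": "true"})))
```

           The two printed summaries show the practical difference: with the default tls_checkpeer = false the TLS listener encrypts the session but accepts any client, so the log server is trusting whatever connects; setting it to true turns the connection into mutual authentication against the CA bundle named by tls_cacert.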

   relay
     The relay section configures the optional logsrv relay host and port the server will connect to.  The TLS configuration keys are optional; by default the corresponding keys in the server section will be used.  They are only present in this section to make it possible for the relay connection to use a different set of TLS parameters from the client-facing server.  The following keys are recognized:

     connect_timeout = number
           The amount of time, in seconds, sudo_logsrvd will wait for the connection to a relay_host (see below) to complete.  Once the connection is complete, the timeout setting controls the amount of time sudo_logsrvd will wait for the relay to respond.  A value of 0 will disable the timeout.  The default value is 30.

     relay_dir = path
           The directory in which log messages are temporarily stored before they are sent to the relay host.  Messages are stored in the wire format specified by sudo_logsrv.proto(5).  The default value is /var/log/sudo_logsrvd.

     relay_host = host[:port][(tls)]
           The relay host name or IP address, optional port to connect to and an optional Transport Layer Security (TLS) flag in parentheses.  The syntax is identical to listen_address in the server section with one exception: the wild card ‘*’ syntax is not supported.

           When this setting is enabled, messages from the client will be forwarded to one of the specified relay hosts instead of being stored locally.  The host could be running an instance of sudo_logsrvd or another server that supports the sudo_logsrv.proto(5) protocol.

           If multiple relay_host lines are specified, the first available relay host will be used.

     retry_interval = number
           The number of seconds to wait after a connection error before making a new attempt to forward a message to a relay host.  The default value is 30.

     store_first = boolean
           If true, sudo_logsrvd will store logs locally before relaying them.  Once the log is complete, a connection to the relay host is opened and the log is relayed.  If the network connection is interrupted before the log can be fully transferred, it will be retransmitted later.  The default is to relay logs in real-time.

     tcp_keepalive = boolean
           If true, sudo_logsrvd will enable the TCP keepalive socket option on the relay connection.  This enables the periodic transmission of keepalive messages to the relay server.  If the relay does not respond to a message in time, the connection will be closed.

     timeout = number
           The amount of time, in seconds, sudo_logsrvd will wait for the relay server to respond after a connection has succeeded.  A value of 0 will disable the timeout.  The default value is 30.

     tls_cacert = path
           The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database when authenticating clients.  The default is to use the value specified in the server section, or the system's default certificate authority database if no value is set.

     tls_cert = path
           The path to the server's certificate file, in PEM format.  The default is to use the value specified in the server section.

     tls_checkpeer = bool
           If true, the relay host's certificate will be validated by sudo_logsrvd; connections to a relay without a valid certificate will fail.  If false, no validation of relay certificates will be performed.  If true and relay certificates are created using a private certificate authority, the tls_cacert setting must be set to a CA bundle that contains the CA certificate used to generate the relay certificate.  The default is to use the value specified in the server section.

     tls_ciphers_v12 = string
           A list of ciphers to use for connections secured by TLS version 1.2 only, separated by a colon ‘:’.  See the CIPHER LIST FORMAT section in openssl-ciphers(1) for full details.  The default is to use the value specified in the server section.

     tls_ciphers_v13 = string
           A list of ciphers to use for connections secured by TLS version 1.3 only, separated by a colon ‘:’.  Supported cipher suites depend on the version of OpenSSL used; see the server section for more information.  The default is to use the value specified in the server section.

     tls_dhparams = path
           The path to a file containing custom Diffie-Hellman parameters in PEM format.  The default is to use the value specified in the server section.

     tls_key = path
           The path to the server's private key file, in PEM format.  The default is to use the value specified in the server section.

     tls_verify = bool
           If true, the server's certificate used for relaying will be verified at startup.  If false, no verification is performed of the server certificate.  When using self-signed certificates without a certificate authority, this setting should be set to false.  The default is to use the value specified in the server section.

   iolog
     The iolog section configures I/O log parameters.  These settings are identical to the I/O configuration in sudoers(5).  The following keys are recognized:

     iolog_compress = boolean
           If set, I/O logs will be compressed using zlib.  Enabling compression can make it harder to view the logs in real-time as the program is executing due to buffering.  The default value is false.

     iolog_dir = path
           The top-level directory to use when constructing the path name for the I/O log directory.  The session sequence number, if any, is stored in the directory.  The default value is /var/log/sudo-io.

           The following percent (‘%’) escape sequences are supported:

           %{seq}
                 expanded to a monotonically increasing base-36 sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g., 01/00/A5

           %{user}
                 expanded to the invoking user's login name

           %{group}
                 expanded to the name of the invoking user's real group-ID

           %{runas_user}
                 expanded to the login name of the user the command will be run as (e.g., root)

           %{runas_group}
                 expanded to the group name of the user the command will be run as (e.g., wheel)

           %{hostname}
                 expanded to the local host name without the domain name

           %{command}
                 expanded to the base name of the command being run

           In addition, any escape sequences supported by the system's strftime(3) function will be expanded.

           To include a literal ‘%’ character, the string ‘%%’ should be used.

     iolog_file = path
           The path name, relative to iolog_dir, in which to store I/O logs.  It is possible for iolog_file to contain directory components.  The default value is “%{seq}”.

           See the iolog_dir setting above for a list of supported percent (‘%’) escape sequences.

           In addition to the escape sequences, path names that end in six or more Xs will have the Xs replaced with a unique combination of digits and letters, similar to the mktemp(3) function.

           If the path created by concatenating iolog_dir and iolog_file already exists, the existing I/O log file will be truncated and overwritten unless iolog_file ends in six or more Xs.

     iolog_flush = boolean
           If set, I/O log data is flushed to disk after each write instead of buffering it.  This makes it possible to view the logs in real-time as the program is executing but may significantly reduce the effectiveness of I/O log compression.  I/O logs are always flushed before sending a commit point to the client regardless of this setting.  The default value is true.

     iolog_group = name
           The group name to look up when setting the group-ID on new I/O log files and directories.  If iolog_group is not set, the primary group-ID of the user specified by iolog_user is used.  If neither iolog_group nor iolog_user are set, I/O log files and directories are created with group-ID 0.

     iolog_mode = mode
           The file mode to use when creating I/O log files.  Mode bits for read and write permissions for owner, group, or other are honored; everything else is ignored.  The file permissions will always include the owner read and write bits, even if they are not present in the specified mode.  When creating I/O log directories, search (execute) bits are added to match the read and write bits specified by iolog_mode.  The default value is 0600.

     iolog_user = name
           The user name to look up when setting the owner of new I/O log files and directories.  If iolog_group is set, it will be used instead of the user's primary group-ID.  By default, I/O log files and directories are created with user and group-ID 0.

     log_passwords = bool
           Most programs that require a user's password will disable echo before reading the password to avoid displaying the plaintext password on the screen.  However, if terminal input is being logged, the password will still be present in the I/O log.  If log_passwords is set to false, sudo_logsrvd will attempt to prevent passwords from being logged.  It does this by using the regular expressions in passprompt_regex to match a password prompt in the terminal output buffer.  When a match is found, input characters in the I/O log will be replaced with ‘*’ until either a line feed or carriage return is found in the terminal input or a new terminal output buffer is received.  If, however, a program displays characters as the user types them (such as sudo when the pwfeedback option is set), only the first character of the password will be replaced in the I/O log.  The default value is true.

     maxseq = number
           The maximum sequence number that will be substituted for the “%{seq}” escape in the I/O log file (see the iolog_dir description above for more information).  While the value substituted for “%{seq}” is in base 36, maxseq itself should be expressed in decimal.  Values larger than 2176782336 (which corresponds to the base 36 sequence number “ZZZZZZ”) will be silently truncated to 2176782336.  The default value is 2176782336.
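           The path and permission rules spread over iolog_dir, iolog_file, iolog_mode and maxseq fit together in one model.  The code below is an added example written for this page, not sudo's own implementation: it expands the %{...} escapes and strftime(3) sequences in a single pass (so an expanded value is never re-interpreted as a format), turns the base-36 %{seq} value into two-digit directories as the 0100A5 → 01/00/A5 example above shows, replaces a trailing run of six or more Xs mktemp(3)-style, caps maxseq at 2176782336, and derives file and directory modes from iolog_mode.  The SESSION dict and FIXED_NOW timestamp are constructed inputs for the example.

```python
import os
import re
import secrets
import stat
import string
import time

# Added example, not sudo's own code: models how an I/O log path and its
# permissions follow from the iolog keys on this page (escapes, %{seq},
# trailing Xs, maxseq ceiling, iolog_mode).  Session details are constructed.

MAXSEQ = 2176782336          # the page's ceiling; larger maxseq values are truncated
DIGITS36 = string.digits + string.ascii_uppercase
_ESCAPE = re.compile(r"%\{(\w+)\}|%(.)")
FIXED_NOW = time.gmtime(1700000000)   # constructed timestamp: 2023-11-14 UTC


def effective_maxseq(value):
    """maxseq is given in decimal and silently capped at MAXSEQ."""
    return min(int(value), MAXSEQ)


def seq_to_dirs(seq):
    """1679981 -> '01/00/A5': six base-36 digits, two per directory level."""
    if not 0 <= seq < 36 ** 6:
        raise ValueError("sequence number does not fit in six base-36 digits")
    digits = ""
    while seq:
        seq, rem = divmod(seq, 36)
        digits = DIGITS36[rem] + digits
    digits = digits.rjust(6, "0")
    return "/".join(digits[i:i + 2] for i in range(0, 6, 2))


def expand_escapes(template, seq, session, now):
    """One pass over the template: %{name}, %% and strftime %X sequences."""
    values = {
        "seq": seq_to_dirs(seq),
        "user": session["user"],
        "group": session["group"],
        "runas_user": session["runas_user"],
        "runas_group": session["runas_group"],
        "hostname": session["hostname"].split(".", 1)[0],   # drop domain part
        "command": os.path.basename(session["command"]),
    }

    def replace(m):
        if m.group(1) is not None:
            if m.group(1) not in values:
                raise ValueError("unknown escape %%{%s}" % m.group(1))
            return values[m.group(1)]          # substituted literally
        if m.group(2) == "%":
            return "%"
        return time.strftime("%" + m.group(2), now)

    return _ESCAPE.sub(replace, template)


def fill_unique_suffix(path):
    """Six or more trailing Xs become random digits and letters."""
    m = re.search(r"X{6,}$", path)
    if not m:
        return path
    alphabet = string.ascii_letters + string.digits
    return path[:m.start()] + "".join(secrets.choice(alphabet) for _ in m.group(0))


def iolog_path(iolog_dir, iolog_file, seq, session, now):
    """Full I/O log path: expanded iolog_dir joined with expanded iolog_file."""
    directory = expand_escapes(iolog_dir, seq, session, now)
    name = expand_escapes(iolog_file, seq, session, now)
    return fill_unique_suffix(os.path.join(directory, name))


def iolog_file_mode(mode):
    """Only rw bits are honoured and owner rw is always added."""
    if isinstance(mode, str):
        mode = int(mode, 8)
    return (mode & 0o666) | stat.S_IRUSR | stat.S_IWUSR


def iolog_dir_mode(mode):
    """Directories also get a search bit for every class that has r or w."""
    fmode = iolog_file_mode(mode)
    dmode = fmode
    for rw, x in ((stat.S_IRUSR | stat.S_IWUSR, stat.S_IXUSR),
                  (stat.S_IRGRP | stat.S_IWGRP, stat.S_IXGRP),
                  (stat.S_IROTH | stat.S_IWOTH, stat.S_IXOTH)):
        if fmode & rw:
            dmode |= x
    return dmode


# Constructed session, reusing the page's own examples (root, wheel, 0100A5).
SESSION = {"user": "alice", "group": "staff", "runas_user": "root",
           "runas_group": "wheel", "hostname": "db01.example.net",
           "command": "/usr/bin/id"}

if __name__ == "__main__":
    print(iolog_path("/var/log/sudo-io", "%{seq}", 1679981, SESSION, FIXED_NOW))
    print(iolog_path("/var/log/sudo-io/%{hostname}/%{user}",
                     "%Y/%{runas_user}-%{command}-XXXXXX", 1679981, SESSION, FIXED_NOW))
    print(oct(iolog_file_mode("0640")), oct(iolog_dir_mode("0640")))
```

           Two points worth seeing in the output: iolog_mode = 0640 yields files of 0640 but directories of 0750, because the group read bit pulls in a group search bit; and any mode granting read to “other” makes the recorded terminal input, which may contain passwords when log_passwords is left at its default, readable by every local user.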

     passprompt_regex = string
           One or more POSIX extended regular expressions used to match password prompts in the terminal output when log_passwords is disabled.  As an extension, if the regular expression begins with “(?i)”, it will be matched in a case-insensitive manner.  Multiple passprompt_regex settings may be specified.  Each regular expression is limited to 1024 characters.  The default value is “[Pp]assword[: ]*”.
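           The masking behaviour described under log_passwords and passprompt_regex can be modelled as a small state machine over terminal output and input buffers.  The code below is an added example written for this page, not sudo's own implementation: a new output buffer ends any masking in progress and starts it again only if a prompt pattern matches, and while masking is active every logged input character becomes ‘*’ until a carriage return or line feed is typed.  It honours the “(?i)” prefix and the 1024-character limit; Python's re module stands in for POSIX extended regular expressions, which is an approximation for unusual patterns.  The two terminal exchanges are constructed, and the second reproduces the pwfeedback caveat from the text, where only the first character ends up masked.

```python
import re

# Added example, not sudo's own code: a model of the masking this page
# describes for log_passwords = false.  Output buffers are scanned with the
# passprompt_regex patterns; while a prompt is active, logged input
# characters become '*' until CR/LF arrives in the input or a new output
# buffer is received.  The "(?i)" prefix selects case-insensitive matching.
# Python's re stands in for POSIX extended regular expressions.

DEFAULT_PROMPTS = ("[Pp]assword[: ]*",)


def compile_passprompt(pattern):
    """Compile one passprompt_regex value, honouring the (?i) extension."""
    if len(pattern) > 1024:
        raise ValueError("passprompt_regex is limited to 1024 characters")
    flags = 0
    if pattern.startswith("(?i)"):
        pattern, flags = pattern[4:], re.IGNORECASE
    return re.compile(pattern, flags)


class PasswordMasker:
    def __init__(self, patterns=DEFAULT_PROMPTS):
        self.prompts = [compile_passprompt(p) for p in patterns]
        self.masking = False

    def terminal_output(self, buf):
        """A new output buffer ends masking, and restarts it if it is a prompt."""
        self.masking = any(p.search(buf) for p in self.prompts)
        return buf

    def terminal_input(self, buf):
        """Return the input as it would be written to the I/O log."""
        logged = []
        for ch in buf:
            if self.masking and ch in "\r\n":
                self.masking = False          # end of the password line
            logged.append("*" if self.masking else ch)
        return "".join(logged)


def mask_session(events, patterns=DEFAULT_PROMPTS):
    """events: list of ("out", text) / ("in", text); returns the logged input."""
    masker = PasswordMasker(patterns)
    logged = []
    for kind, text in events:
        if kind == "out":
            masker.terminal_output(text)
        else:
            logged.append(masker.terminal_input(text))
    return "".join(logged)


# Constructed terminal exchanges.
ECHO_OFF = [("out", "Password: "), ("in", "hunter2\r"),
            ("out", "\r\n$ "), ("in", "ls -l\r")]
# pwfeedback-style: the program echoes one '*' per character typed, and each
# echo is a new output buffer that ends the masking after the first character
ECHO_ON = [("out", "[sudo] password for alice: "), ("in", "h"), ("out", "*"),
           ("in", "u"), ("out", "*"), ("in", "n\r")]

if __name__ == "__main__":
    print(repr(mask_session(ECHO_OFF)))   # the whole password is masked
    print(repr(mask_session(ECHO_ON)))    # only the first character is masked
```

           The default pattern is case-sensitive on its first letter only, so a prompt reading PASSWORD: is not matched unless a “(?i)”-prefixed pattern is added; the test cases below the example exercise both forms.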

   eventlog
     The eventlog section configures how (and if) security policy events are logged.

     log_type = string
           Where to log accept, reject, and alert events reported by the policy.  Supported values are syslog, logfile, and none.  The default value is syslog.

     log_exit = boolean
           If true, sudo_logsrvd will log an event when a command exits or is terminated by a signal.  Defaults to false.

     log_format = string
           The event log format.  Supported log formats are “sudo” for traditional sudo-style logs and “json” for JSON-format logs.  The JSON log entries contain the full contents of the accept, reject, exit and alert messages.  The default value is sudo.

   syslog
     The syslog section configures how events are logged via syslog(3).

     facility = string
           Syslog facility if syslog is being used for logging.  Defaults to authpriv.

           The following syslog facilities are supported: authpriv (if your OS supports it), auth, daemon, user, local0, local1, local2, local3, local4, local5, local6, and local7.

     accept_priority = string
           Syslog priority to use when the user is allowed to run a command and authentication is successful.  Defaults to notice.

           The following syslog priorities are supported: alert, crit, debug, emerg, err, info, notice, warning, and none.  Setting it to a value of none will disable logging of successful commands.

     reject_priority = string
           Syslog priority to use when the user is not allowed to run a command or when authentication is unsuccessful.  Defaults to alert.

           See accept_priority for the list of supported syslog priorities.

     alert_priority = string
           Syslog priority to use for event log alert messages received from the client.  Defaults to alert.

           See accept_priority for the list of supported syslog priorities.

     maxlen = number
           On many systems, syslog(3) has a relatively small log buffer.  IETF RFC 5424 states that syslog servers must support messages of at least 480 bytes and should support messages up to 2048 bytes.  By default, sudo_logsrvd creates log messages up to 960 bytes which corresponds to the historic BSD syslog implementation which used a 1024 byte buffer to store the message, date, hostname, and program name.

           To prevent syslog messages from being truncated, sudo_logsrvd will split up sudo-style log messages that are larger than maxlen bytes.  When a message is split, additional parts will include the string “(command continued)” after the user name and before the continued command line arguments.  JSON-format log entries are never split and are not affected by maxlen.
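           The splitting rule matters to anyone writing detection logic over sudo-style syslog lines, since a long command line arrives as several messages that must be reassembled.  The function below is an added example written for this page, not sudo's own code.  It assumes the message has the form “user : rest” and that a continuation part is laid out as “user : (command continued) rest”, measures lengths in UTF-8 bytes, and prefers to break at a space so that an argument is not cut in half; the exact break position sudo_logsrvd chooses is not specified on this page.  The sample event is constructed.

```python
# Added example, not sudo's own code: splits an over-long sudo-style event
# log line the way this page describes, so each syslog message stays within
# maxlen bytes and continuation parts carry "(command continued)" after the
# user name.  Assumptions: the line has the form "user : rest", the split is
# made at a space where possible, and lengths are measured in UTF-8 bytes.
# JSON-format entries are never split and are not modelled here.

DEFAULT_MAXLEN = 960


def split_syslog_message(user, rest, maxlen=DEFAULT_MAXLEN):
    """Return the list of syslog messages for one event."""
    prefix = "%s : " % user
    continued = "%s : (command continued) " % user
    parts = []
    remaining = rest
    while True:
        budget = maxlen - len(prefix.encode("utf-8"))
        if budget <= 0:
            raise ValueError("maxlen %d leaves no room after %r" % (maxlen, prefix))
        if len(remaining.encode("utf-8")) <= budget:
            parts.append(prefix + remaining)
            return parts
        # take at most `budget` bytes, dropping any partial trailing character,
        # then back up to the last space so arguments are not cut in half
        chunk = remaining.encode("utf-8")[:budget].decode("utf-8", errors="ignore")
        space = chunk.rfind(" ")
        if space > 0:
            chunk = chunk[:space]
        if not chunk:
            raise ValueError("maxlen too small to make progress")
        parts.append(prefix + chunk)
        remaining = remaining[len(chunk):].lstrip(" ")
        prefix = continued


def reassemble(parts):
    """Inverse of the split: recover 'user : rest' from the message list."""
    user, first = parts[0].split(" : ", 1)
    marker = "%s : (command continued) " % user
    pieces = [first]
    for part in parts[1:]:
        if not part.startswith(marker):
            raise ValueError("unexpected continuation line: %r" % part)
        pieces.append(part[len(marker):])
    return "%s : %s" % (user, " ".join(pieces))


# Constructed sudo-style event with a long argument list.
SAMPLE_USER = "alice"
SAMPLE_REST = ("TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/find / "
               + " ".join("-name pattern%02d -o" % i for i in range(40)))

if __name__ == "__main__":
    for part in split_syslog_message(SAMPLE_USER, SAMPLE_REST, maxlen=160):
        print(len(part.encode("utf-8")), part)
```

           A collector that keys on the “(command continued)” marker and the user name can stitch the parts back together with reassemble(); a rule that only inspects the first message of a split event will miss arguments that landed in later parts.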

     server_facility = string
           Syslog facility if syslog is being used for server warning messages.  See above for a list of supported facilities.  Defaults to daemon.

   logfile
     The logfile section consists of settings related to logging to a plain file (not syslog).

     path = string
           The path to the file-based event log.  This path must be fully-qualified and start with a ‘/’ character.  The default value is /var/log/sudo.log.

     time_format = string
           The string used when formatting the date and time for file-based event logs.  Formatting is performed via the system's strftime(3) function so any escape sequences supported by that function will be expanded.  The default value is “%h %e %T” which produces dates like “Oct  3 07:15:24” in the ‘C’ locale.

FILES
     /etc/sudo_logsrvd.conf    Sudo log server configuration file

EXAMPLES
     #
     # sudo logsrv daemon configuration
     #

     [server]
     # The host name or IP address and port to listen on with an optional TLS
     # flag.  If no port is specified, port 30343 will be used for plaintext
     # connections and port 30344 will be used for TLS connections.
     # The following forms are accepted:
     #   listen_address = hostname(tls)
     #   listen_address = hostname:port(tls)
     #   listen_address = IPv4_address(tls)
     #   listen_address = IPv4_address:port(tls)
     #   listen_address = [IPv6_address](tls)
     #   listen_address = [IPv6_address]:port(tls)
     #
     # The (tls) suffix should be omitted for plaintext connections.
     #
     # Multiple listen_address settings may be specified.
     # The default is to listen on all addresses.
     #listen_address = *:30343
     #listen_address = *:30344(tls)

     # The file containing the ID of the running sudo_logsrvd process.
     #pid_file = /run/sudo/sudo_logsrvd.pid

     # Where to log server warnings: none, stderr, syslog, or a path name.
     #server_log = syslog

     # If true, enable the SO_KEEPALIVE socket option on client connections.
     # Defaults to true.
     #tcp_keepalive = true

     # The amount of time, in seconds, the server will wait for the client to
     # respond.  A value of 0 will disable the timeout.  The default value is 30.
     #timeout = 30

     # If true, the server will validate its own certificate at startup.
     # Defaults to true.
     #tls_verify = true

     # If true, client certificates will be validated by the server;
     # clients without a valid certificate will be unable to connect.
     # By default, client certs are not checked.
     #tls_checkpeer = false

     # Path to a certificate authority bundle file in PEM format to use
     # instead of the system's default certificate authority database.
     #tls_cacert = /etc/ssl/sudo/cacert.pem

     # Path to the server's certificate file in PEM format.
     # Required for TLS connections.
     #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem

     # Path to the server's private key file in PEM format.
     # Required for TLS connections.
     #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem

     # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
     # This setting is only effective if the negotiated protocol is TLS version
     # 1.2.  The default cipher list is HIGH:!aNULL.
     #tls_ciphers_v12 = HIGH:!aNULL

     # TLS cipher list if the negotiated protocol is TLS version 1.3.
     # The default cipher list is TLS_AES_256_GCM_SHA384.
     #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384

     # Path to the Diffie-Hellman parameter file in PEM format.
     # If not set, the server will use the OpenSSL defaults.
     #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem

     [relay]
     # The host name or IP address and port to send logs to in relay mode.
     # The syntax is identical to listen_address with the exception of
     # the wild card ('*') syntax.  When this setting is enabled, logs will
     # be relayed to the specified host instead of being stored locally.
     # This setting is not enabled by default.
     #relay_host = relayhost.dom.ain
     #relay_host = relayhost.dom.ain(tls)

     # The amount of time, in seconds, the server will wait for a connection
     # to the relay server to complete.  A value of 0 will disable the timeout.
     # The default value is 30.
     #connect_timeout = 30

     # The directory to store messages in before they are sent to the relay.
     # Messages are stored in wire format.
     # The default value is /var/log/sudo_logsrvd.
     #relay_dir = /var/log/sudo_logsrvd

     # The number of seconds to wait after a connection error before
     # making a new attempt to forward a message to a relay host.
     # The default value is 30.
     #retry_interval = 30

     # Whether to store the log before relaying it.  If true, enable store
     # and forward mode.  If false, the client connection is immediately
     # relayed.  Defaults to false.
     #store_first = true

     # If true, enable the SO_KEEPALIVE socket option on relay connections.
     # Defaults to true.
     #tcp_keepalive = true

     # The amount of time, in seconds, the server will wait for the relay to
     # respond.  A value of 0 will disable the timeout.  The default value is 30.
     #timeout = 30

     # If true, the server's relay certificate will be verified at startup.
     # The default is to use the value in the [server] section.
     #tls_verify = true

     # Whether to verify the relay's certificate for TLS connections.
     # The default is to use the value in the [server] section.
     #tls_checkpeer = false

     # Path to a certificate authority bundle file in PEM format to use
     # instead of the system's default certificate authority database.
     # The default is to use the value in the [server] section.
     #tls_cacert = /etc/ssl/sudo/cacert.pem

     # Path to the server's certificate file in PEM format.
     # The default is to use the certificate in the [server] section.
     #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem

     # Path to the server's private key file in PEM format.
     # The default is to use the key in the [server] section.
     #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem

     # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
     # This setting is only effective if the negotiated protocol is TLS version
     # 1.2.  The default is to use the value in the [server] section.
     #tls_ciphers_v12 = HIGH:!aNULL

     # TLS cipher list if the negotiated protocol is TLS version 1.3.
     # The default is to use the value in the [server] section.
     #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384

     # Path to the Diffie-Hellman parameter file in PEM format.
     # The default is to use the value in the [server] section.
     #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem

     [iolog]
     # The top-level directory to use when constructing the path name for the
     # I/O log directory.  The session sequence number, if any, is stored here.
     #iolog_dir = /var/log/sudo-io

     # The path name, relative to iolog_dir, in which to store I/O logs.
     # It is possible for iolog_file to contain directory components.
     #iolog_file = %{seq}

     # If set, I/O logs will be compressed using zlib.  Enabling compression can
     # make it harder to view the logs in real-time as the program is executing.
     #iolog_compress = false

     # If set, I/O log data is flushed to disk after each write instead of
     # buffering it.  This makes it possible to view the logs in real-time
     # as the program is executing but reduces the effectiveness of compression.
     #iolog_flush = true

     # The group to use when creating new I/O log files and directories.
     # If iolog_group is not set, the primary group-ID of the user specified
     # by iolog_user is used.  If neither iolog_group nor iolog_user
     # are set, I/O log files and directories are created with group-ID 0.
     #iolog_group = wheel

     # The user to use when setting the user-ID and group-ID of new I/O
     # log files and directories.  If iolog_group is set, it will be used
     # instead of the user's primary group-ID.  By default, I/O log files
     # and directories are created with user and group-ID 0.
     #iolog_user = root

     # The file mode to use when creating I/O log files.  The file permissions
     # will always include the owner read and write bits, even if they are
     # not present in the specified mode.  When creating I/O log directories,
     # search (execute) bits are added to match the read and write bits
     # specified by iolog_mode.
     #iolog_mode = 0600

     # If disabled, sudo_logsrvd will attempt to avoid logging plaintext
     # passwords in the terminal input using passprompt_regex.
     #log_passwords = true

     # The maximum sequence number that will be substituted for the "%{seq}"
     # escape in the I/O log file.  While the value substituted for "%{seq}"
     # is in base 36, maxseq itself should be expressed in decimal.  Values
     # larger than 2176782336 (which corresponds to the base 36 sequence
     # number "ZZZZZZ") will be silently truncated to 2176782336.
     #maxseq = 2176782336

     # One or more POSIX extended regular expressions used to match
     # password prompts in the terminal output when log_passwords is
     # disabled.  Multiple passprompt_regex settings may be specified.
     #passprompt_regex = [Pp]assword[: ]*
     #passprompt_regex = [Pp]assword for [a-z0-9]+: *

     [eventlog]
     # Where to log accept, reject, exit, and alert events.
     # Accepted values are syslog, logfile, or none.
     # Defaults to syslog.
     #log_type = syslog

     # Whether to log an event when a command exits or is terminated by a signal.
     # Defaults to false.
     #log_exit = true

     # Event log format.
     # Currently only sudo-style event logs are supported.
     #log_format = sudo

     [syslog]
     # The maximum length of a syslog payload.
     # On many systems, syslog(3) has a relatively small log buffer.
     # IETF RFC 5424 states that syslog servers must support messages
     # of at least 480 bytes and should support messages up to 2048 bytes.
     # Messages larger than this value will be split into multiple messages.
     #maxlen = 960

     # The syslog facility to use for event log messages.
     # The following syslog facilities are supported: authpriv (if your OS
     # supports it), auth, daemon, user, local0, local1, local2, local3,
     # local4, local5, local6, and local7.
     #facility = authpriv

     # Syslog priority to use for event log accept messages, when the command
     # is allowed by the security policy.  The following syslog priorities are
     # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
     #accept_priority = notice

     # Syslog priority to use for event log reject messages, when the command
     # is not allowed by the security policy.
     #reject_priority = alert

     # Syslog priority to use for event log alert messages reported by the
     # client.
     #alert_priority = alert

     # The syslog facility to use for server warning messages.
     # Defaults to daemon.
     #server_facility = daemon

     [logfile]
     # The path to the file-based event log.
     # This path must be fully-qualified and start with a '/' character.
     #path = /var/log/sudo.log

     # The format string used when formatting the date and time for
     # file-based event logs.  Formatting is performed via strftime(3) so
     # any format string supported by that function is allowed.
     #time_format = %h %e %T

SEE ALSO
     strftime(3), sudo.conf(5), sudoers(5), sudo(8), sudo_logsrvd(8)

AUTHORS
     Many people have worked on sudo over the years; this version consists of code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS.md file in the sudo distribution (https://www.sudo.ws/about/contributors/) for an exhaustive list of people who have contributed to sudo.

BUGS
     If you believe you have found a bug in sudo, you can submit a bug report at https://bugzilla.sudo.ws/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives.

DISCLAIMER
     sudo is provided “AS IS” and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed.  See the LICENSE.md file distributed with sudo or https://www.sudo.ws/about/license/ for complete details.

Sudo 1.9.14p3                    January 16, 2023                    Sudo 1.9.14p3