1SUDO_LOGSRVD.CONF(5)        BSD File Formats Manual       SUDO_LOGSRVD.CONF(5)
2

NAME

4     sudo_logsrvd.conf — configuration for sudo_logsrvd
5

DESCRIPTION

7     The sudo_logsrvd.conf file is used to configure the sudo_logsrvd log
8     server.  It uses an INI-style format made up of sections in square brack‐
9     ets and “key = value” pairs specific to each section below the section
10     name.  Depending on the key, values may be integers, booleans, or
11     strings.  Section and key names are not case sensitive, but values are.
12
13     The pound sign (‘#’) is used to indicate a comment.  Both the comment
14     character and any text after it, up to the end of the line, are ignored.
15     Lines beginning with a semi-colon (‘;’) are also ignored.
16
17     Long lines can be continued with a backslash (‘\’) as the last character
18     on the line.  Leading white space is removed from the beginning of lines
19     even when the continuation character is used.
20
21     The EXAMPLES section contains a copy of the default sudo_logsrvd.conf
22     file.
23
24     The following configuration sections are recognized:
25
26      server
27      relay
28      iolog
29      eventlog
30      syslog
31      logfile
32
33     Each section is described in detail below.
34
35   server
36     The server section configures the address and port the server will listen
37     on.  The following keys are recognized:
38
39     listen_address = host[:port][(tls)]
40           The host name or IP address, optional port to listen on and an op‐
41           tional Transport Layer Security (TLS) flag in parentheses.
42
43           The host may be a host name, an IPv4 address, an IPv6 address in
44           square brackets or the wild card entry ‘*’.  A host setting of ‘*’
45           will cause sudo_logsrvd to listen on all configured network inter‐
46           faces.
47
48           If the optional tls flag is present, sudo_logsrvd will secure the
49           connection with TLS version 1.2 or 1.3.  Versions of TLS prior to
50           1.2 are not supported.  See sudo_logsrvd(8) for details on generat‐
51           ing TLS keys and certificates.
52
53           If a port is specified, it may either be a port number or a known
54           service name as defined by the system service name database.  If no
55           port is specified, port 30343 will be used for plaintext connec‐
56           tions and port 30344 will be used for TLS connections.
57
58           The default value is:
59                 listen_address = *:30343
60                 listen_address = *:30344(tls)
61           which will listen on all configured network interfaces for both
62           plaintext and TLS connections.  Multiple listen_address lines may
63           be specified to listen on more than one port or interface.
64
65     server_log = string
66           Where to log server warning and error messages.  Supported values
67           are none, stderr, syslog, or a path name beginning with the ‘/’
68           character.  A value of stderr is only effective when used in con‐
69           junction with the -n option.  The default value is syslog.
70
71     pid_file = path
72           The path to the file containing the process ID of the running
73           sudo_logsrvd.  If set to an empty value, or if sudo_logsrvd is run
74           with the -n option, no pid_file will be created.  If pid_file
75           refers to a symbolic link, it will be ignored.  The default value
76           is /run/sudo/sudo_logsrvd.pid.
77
78     tcp_keepalive = boolean
79           If true, sudo_logsrvd will enable the TCP keepalive socket option
80           on the client connection.  This enables the periodic transmission
81           of keepalive messages to the client.  If the client does not re‐
82           spond to a message in time, the connection will be closed.  De‐
83           faults to true.
84
85     timeout = number
86           The amount of time, in seconds, sudo_logsrvd will wait for the
87           client to respond.  A value of 0 will disable the timeout.  The de‐
88           fault value is 30.
89
90     tls_cacert = path
91           The path to a certificate authority bundle file, in PEM format, to
92           use instead of the system's default certificate authority database
93           when authenticating clients.  The default is to use
94           /etc/ssl/sudo/cacert.pem if it exists, otherwise the system's de‐
95           fault certificate authority database is used.
96
97     tls_cert = path
98           The path to the server's certificate file, in PEM format.  The de‐
99           fault value is /etc/ssl/sudo/certs/logsrvd_cert.pem.
100
101     tls_checkpeer = bool
102           If true, client certificates will be validated by sudo_logsrvd;
103           clients without a valid certificate will be unable to connect.  If
104           false, no validation of client certificates will be performed.  It
105           true and client certificates are created using a private certifi‐
106           cate authority, the tls_cacert setting must be set to a CA bundle
107           that contains the CA certificate used to generate the client cer‐
108           tificate.  The default value is false.
109
110     tls_ciphers_v12 = string
111           A list of ciphers to use for connections secured by TLS version 1.2
112           only, separated by a colon ‘:’.  See the CIPHER LIST FORMAT section
113           in openssl-ciphers(1) for full details.  The default value is
114           “HIGH:!aNULL” which consists of encryption cipher suites with key
115           lengths larger than 128 bits, and some cipher suites with 128-bit
116           keys.  Cipher suites that offer no authentication are excluded.
117
118     tls_ciphers_v13 = string
119           A list of ciphers to use for connections secured by TLS version 1.3
120           only, separated by a colon ‘:’.  Supported cipher suites depend on
121           the version of OpenSSL used, but should include the following:
122
123                 TLS_AES_128_GCM_SHA256
124                 TLS_AES_256_GCM_SHA384
125                 TLS_CHACHA20_POLY1305_SHA256
126                 TLS_AES_128_CCM_SHA256
127                 TLS_AES_128_CCM_8_SHA256
128
129           The default cipher suite is “TLS_AES_256_GCM_SHA384”.
130
131     tls_dhparams = path
132           The path to a file containing custom Diffie-Hellman parameters in
133           PEM format.  This file can be created with the following command:
134
135           openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
136
137           By default, sudo_logsrvd will use the OpenSSL defaults for Diffie-
138           Hellman key generation.
139
140     tls_key = path
141           The path to the server's private key file, in PEM format.  The de‐
142           fault value is /etc/ssl/sudo/private/logsrvd_key.pem.
143
144     tls_verify = bool
145           If true, sudo_logsrvd will validate its own certificate at startup
146           time or when the configuration is changed.  If false, no verifica‐
147           tion is performed of the server certificate.  When using self-
148           signed certificates without a certificate authority, this setting
149           should be set to false.  The default value is true.
150
151   relay
152     The relay section configures the optional logsrv relay host and port the
153     server will connect to.  The TLS configuration keys are optional, by de‐
154     fault the corresponding keys in the server section will be used.  They
155     are only present in this section to make it possible for the relay con‐
156     nection to use a different set of TLS parameters from the client-facing
157     server.  The following keys are recognized:
158
159     connect_timeout = number
160           The amount of time, in seconds, sudo_logsrvd will wait for the con‐
161           nection to a relay_host (see below) to complete.  Once the connec‐
162           tion is complete, the timeout setting controls the amount of time
163           sudo_logsrvd will wait for the relay to respond.  A value of 0 will
164           disable the timeout.  The default value is 30.
165
166     relay_dir = path
167           The directory in which log messages are temporarily stored before
168           they are sent to the relay host.  Messages are stored in the wire
169           format specified by sudo_logsrv.proto(5) The default value is
170           /var/log/sudo_logsrvd.
171
172     relay_host = host[:port][(tls)]
173           The relay host name or IP address, optional port to connect to and
174           an optional Transport Layer Security (TLS) flag in parentheses.
175           The syntax is identical to listen_address in the server section
176           with one exception: the wild card ‘*’ syntax is not supported.
177
178           When this setting is enabled, messages from the client will be for‐
179           warded to one of the specified relay hosts instead of being stored
180           locally.  The host could be running an instance of sudo_logsrvd or
181           another server that supports the sudo_logsrv.proto(5) protocol.
182
183           If multiple relay_host lines are specified, the first available re‐
184           lay host will be used.
185
186     retry_interval = number
187           The number of seconds to wait after a connection error before mak‐
188           ing a new attempt to forward a message to a relay host.  The de‐
189           fault value is 30.
190
191     store_first = boolean
192           If true, sudo_logsrvd will store logs locally before relaying them.
193           Once the log is complete, a connection to the relay host is opened
194           and the log is relayed.  If the network connection is interrupted
195           before the log can be fully transferred, it will be retransmitted
196           later.  The default is to relay logs in real-time.
197
198     tcp_keepalive = boolean
199           If true, sudo_logsrvd will enable the TCP keepalive socket option
200           on the relay connection.  This enables the periodic transmission of
201           keepalive messages to the relay server.  If the relay does not re‐
202           spond to a message in time, the connection will be closed.
203
204     timeout = number
205           The amount of time, in seconds, sudo_logsrvd will wait for the re‐
206           lay server to respond after a connection has succeeded.  A value of
207           0 will disable the timeout.  The default value is 30.
208
209     tls_cacert = path
210           The path to a certificate authority bundle file, in PEM format, to
211           use instead of the system's default certificate authority database
212           when authenticating clients.  The default is to use the value spec‐
213           ified in the server section, or the system's default certificate
214           authority database if no value is set.
215
216     tls_cert = path
217           The path to the server's certificate file, in PEM format.  The de‐
218           fault is to use the value specified in the server section.
219
220     tls_checkpeer = bool
221           If true, the relay host's certificate will be validated by
222           sudo_logsrvd; connections to a relay without a valid certificate
223           will fail.  If false, no validation of relay certificates will be
224           performed.  It true and relay certificates are created using a pri‐
225           vate certificate authority, the tls_cacert setting must be set to a
226           CA bundle that contains the CA certificate used to generate the re‐
227           lay certificate.  The default is to use the value specified in the
228           server section.
229
230     tls_ciphers_v12 = string
231           A list of ciphers to use for connections secured by TLS version 1.2
232           only, separated by a colon ‘:’.  See the CIPHER LIST FORMAT section
233           in openssl-ciphers(1) for full details.  The default is to use the
234           value specified in the server section.
235
236     tls_ciphers_v13 = string
237           A list of ciphers to use for connections secured by TLS version 1.3
238           only, separated by a colon ‘:’.  Supported cipher suites depend on
239           the version of OpenSSL used, see the server section for more infor‐
240           mation.  The default is to use the value specified in the server
241           section.
242
243     tls_dhparams = path
244           The path to a file containing custom Diffie-Hellman parameters in
245           PEM format.  The default is to use the value specified in the
246           server section.
247
248     tls_key = path
249           The path to the server's private key file, in PEM format.  The de‐
250           fault is to use the value specified in the server section.
251
252     tls_verify = bool
253           If true, the server's certificate used for relaying will be veri‐
254           fied at startup.  If false, no verification is performed of the
255           server certificate.  When using self-signed certificates without a
256           certificate authority, this setting should be set to false.  The
257           default is to use the value specified in the server section.
258
259   iolog
260     The iolog section configures I/O log parameters.  These settings are
261     identical to the I/O configuration in sudoers(5).  The following keys are
262     recognized:
263
264     iolog_compress = boolean
265           If set, I/O logs will be compressed using zlib.  Enabling compres‐
266           sion can make it harder to view the logs in real-time as the pro‐
267           gram is executing due to buffering.  The default value is false.
268
269     iolog_dir = path
270           The top-level directory to use when constructing the path name for
271           the I/O log directory.  The session sequence number, if any, is
272           stored in the directory.  The default value is /var/log/sudo-io.
273
274           The following percent (‘%’) escape sequences are supported:
275
276           %{seq}
277                 expanded to a monotonically increasing base-36 sequence num‐
278                 ber, such as 0100A5, where every two digits are used to form
279                 a new directory, e.g., 01/00/A5
280
281           %{user}
282                 expanded to the invoking user's login name
283
284           %{group}
285                 expanded to the name of the invoking user's real group-ID
286
287           %{runas_user}
288                 expanded to the login name of the user the command will be
289                 run as (e.g., root)
290
291           %{runas_group}
292                 expanded to the group name of the user the command will be
293                 run as (e.g., wheel)
294
295           %{hostname}
296                 expanded to the local host name without the domain name
297
298           %{command}
299                 expanded to the base name of the command being run
300
301           In addition, any escape sequences supported by the system's
302           strftime(3) function will be expanded.
303
304           To include a literal ‘%’ character, the string ‘%%’ should be used.
305
306     iolog_file = path
307           The path name, relative to iolog_dir, in which to store I/O logs.
308           It is possible for iolog_file to contain directory components.  The
309           default value is “%{seq}”.
310
311           See the iolog_dir setting above for a list of supported percent
312           (‘%’) escape sequences.
313
314           In addition to the escape sequences, path names that end in six or
315           more Xs will have the Xs replaced with a unique combination of dig‐
316           its and letters, similar to the mktemp(3) function.
317
318           If the path created by concatenating iolog_dir and iolog_file al‐
319           ready exists, the existing I/O log file will be truncated and over‐
320           written unless iolog_file ends in six or more Xs.
321
322     iolog_flush = boolean
323           If set, I/O log data is flushed to disk after each write instead of
324           buffering it.  This makes it possible to view the logs in real-time
325           as the program is executing but may significantly reduce the effec‐
326           tiveness of I/O log compression.  I/O logs are always flushed be‐
327           fore sending a commit point to the client regardless of this set‐
328           ting.  The default value is true.
329
330     iolog_group = name
331           The group name to look up when setting the group-ID on new I/O log
332           files and directories.  If iolog_group is not set, the primary
333           group-ID of the user specified by iolog_user is used. If neither
334           iolog_group nor iolog_user are set, I/O log files and directories
335           are created with group-ID 0.
336
337     iolog_mode = mode
338           The file mode to use when creating I/O log files.  Mode bits for
339           read and write permissions for owner, group, or other are honored,
340           everything else is ignored.  The file permissions will always in‐
341           clude the owner read and write bits, even if they are not present
342           in the specified mode.  When creating I/O log directories, search
343           (execute) bits are added to match the read and write bits specified
344           by iolog_mode.  The default value is 0600.
345
346     iolog_user = name
347           The user name to look up when setting the owner of new I/O log
348           files and directories.  If iolog_group is set, it will be used in‐
349           stead of the user's primary group-ID.  By default, I/O log files
350           and directories are created with user and group-ID 0.
351
352     log_passwords = bool
353           Most programs that require a user's password will disable echo be‐
354           fore reading the password to avoid displaying the plaintext pass‐
355           word on the screen.  However, if terminal input is being logged,
356           the password will still be present in the I/O log.  If
357           log_passwords is set to false, sudo_logsrvd will attempt to prevent
358           passwords from being logged.  It does this by using the regular ex‐
359           pressions in passprompt_regex to match a password prompt in the
360           terminal output buffer.  When a match is found, input characters in
361           the I/O log will be replaced with ‘*’ until either a line feed or
362           carriage return is found in the terminal input or a new terminal
363           output buffer is received.  If, however, a program displays charac‐
364           ters as the user types them (such as sudo when the pwfeedback op‐
365           tion is set), only the first character of the password will be re‐
366           placed in the I/O log.  The default value is true.
367
368     maxseq = number
369           The maximum sequence number that will be substituted for the
370           “%{seq}” escape in the I/O log file (see the iolog_dir description
371           above for more information).  While the value substituted for
372           “%{seq}” is in base 36, maxseq itself should be expressed in deci‐
373           mal.  Values larger than 2176782336 (which corresponds to the base
374           36 sequence number “ZZZZZZ”) will be silently truncated to
375           2176782336.  The default value is 2176782336.
376
377     passprompt_regex = string
378           One or more POSIX extended regular expressions used to match pass‐
379           word prompts in the terminal output when log_passwords is disabled.
380           As an extension, if the regular expression begins with “(?i)”, it
381           will be matched in a case-insensitive manner.  Multiple
382           passprompt_regex settings may be specified.  Each regular expres‐
383           sion is limited to 1024 characters.  The default value is
384           “[Pp]assword[: ]*”.
385
386   eventlog
387     The eventlog section configures how (and if) security policy events are
388     logged.
389
390     log_type = string
391           Where to log accept, reject, and alert events reported by the pol‐
392           icy.  Supported values are syslog, logfile, and none.  The default
393           value is syslog.
394
395     log_exit = boolean
396           If true, sudo_logsrvd will log an event when a command exits or is
397           terminated by a signal.  Defaults to false.
398
399     log_format = string
400           The event log format.  Supported log formats are “sudo” for tradi‐
401           tional sudo-style logs and “json” for JSON-format logs.  The JSON
402           log entries contain the full contents of the accept, reject, exit
403           and alert messages.  The default value is sudo.
404
405   syslog
406     The syslog section configures how events are logged via syslog(3).
407
408     facility = string
409           Syslog facility if syslog is being used for logging.  Defaults to
410           authpriv.
411
412           The following syslog facilities are supported: authpriv (if your OS
413           supports it), auth, daemon, user, local0, local1, local2, local3,
414           local4, local5, local6, and local7.
415
416     accept_priority = string
417           Syslog priority to use when the user is allowed to run a command
418           and authentication is successful.  Defaults to notice.
419
420           The following syslog priorities are supported: alert, crit, debug,
421           emerg, err, info, notice, warning, and none.  Setting it to a value
422           of none will disable logging of successful commands.
423
424     reject_priority = string
425           Syslog priority to use when the user is not allowed to run a com‐
426           mand or when authentication is unsuccessful.  Defaults to alert.
427
428           See accept_priority for the list of supported syslog priorities.
429
430     alert_priority = string
431           Syslog priority to use for event log alert messages received from
432           the client.  Defaults to alert.
433
434           See accept_priority for the list of supported syslog priorities.
435
436     maxlen = number
437           On many systems, syslog(3) has a relatively small log buffer.  IETF
438           RFC 5424 states that syslog servers must support messages of at
439           least 480 bytes and should support messages up to 2048 bytes.  By
440           default, sudo_logsrvd creates log messages up to 960 bytes which
441           corresponds to the historic BSD syslog implementation which used a
442           1024 byte buffer to store the message, date, hostname, and program
443           name.
444
445           To prevent syslog messages from being truncated, sudo_logsrvd will
446           split up sudo-style log messages that are larger than maxlen bytes.
447           When a message is split, additional parts will include the string
448           “(command continued)” after the user name and before the continued
449           command line arguments.  JSON-format log entries are never split
450           and are not affected by maxlen.
451
452     server_facility = string
453           Syslog facility if syslog is being used for server warning mes‐
454           sages.  See above for a list of supported facilities.  Defaults to
455           daemon
456
457   logfile
458     The logfile section consists of settings related to logging to a plain
459     file (not syslog).
460
461     path = string
462           The path to the file-based event log.  This path must be fully-
463           qualified and start with a ‘/’ character.  The default value is
464           /var/log/sudo.log.
465
466     time_format = string
467           The string used when formatting the date and time for file-based
468           event logs.  Formatting is performed via the system's strftime(3)
469           function so any escape sequences supported by that function will be
470           expanded.  The default value is “%h %e %T” which produces dates
471           like “Oct 3 07:15:24” in the ‘C’ locale.
472

FILES

474     /etc/sudo_logsrvd.conf    Sudo log server configuration file
475

EXAMPLES

477     #
478     # sudo logsrv daemon configuration
479     #
480
481     [server]
482     # The host name or IP address and port to listen on with an optional TLS
483     # flag.  If no port is specified, port 30343 will be used for plaintext
484     # connections and port 30344 will be used to TLS connections.
485     # The following forms are accepted:
486     #   listen_address = hostname(tls)
487     #   listen_address = hostname:port(tls)
488     #   listen_address = IPv4_address(tls)
489     #   listen_address = IPv4_address:port(tls)
490     #   listen_address = [IPv6_address](tls)
491     #   listen_address = [IPv6_address]:port(tls)
492     #
493     # The (tls) suffix should be omitted for plaintext connections.
494     #
495     # Multiple listen_address settings may be specified.
496     # The default is to listen on all addresses.
497     #listen_address = *:30343
498     #listen_address = *:30344(tls)
499
500     # The file containing the ID of the running sudo_logsrvd process.
501     #pid_file = /run/sudo/sudo_logsrvd.pid
502
503     # Where to log server warnings: none, stderr, syslog, or a path name.
504     #server_log = syslog
505
506     # If true, enable the SO_KEEPALIVE socket option on client connections.
507     # Defaults to true.
508     #tcp_keepalive = true
509
510     # The amount of time, in seconds, the server will wait for the client to
511     # respond.  A value of 0 will disable the timeout.  The default value is 30.
512     #timeout = 30
513
514     # If true, the server will validate its own certificate at startup.
515     # Defaults to true.
516     #tls_verify = true
517
518     # If true, client certificates will be validated by the server;
519     # clients without a valid certificate will be unable to connect.
520     # By default, client certs are not checked.
521     #tls_checkpeer = false
522
523     # Path to a certificate authority bundle file in PEM format to use
524     # instead of the system's default certificate authority database.
525     #tls_cacert = /etc/ssl/sudo/cacert.pem
526
527     # Path to the server's certificate file in PEM format.
528     # Required for TLS connections.
529     #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
530
531     # Path to the server's private key file in PEM format.
532     # Required for TLS connections.
533     #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
534
535     # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
536     # This setting is only effective if the negotiated protocol is TLS version
537     # 1.2.  The default cipher list is HIGH:!aNULL.
538     #tls_ciphers_v12 = HIGH:!aNULL
539
540     # TLS cipher list if the negotiated protocol is TLS version 1.3.
541     # The default cipher list is TLS_AES_256_GCM_SHA384.
542     #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
543
544     # Path to the Diffie-Hellman parameter file in PEM format.
545     # If not set, the server will use the OpenSSL defaults.
546     #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
547
548     [relay]
549     # The host name or IP address and port to send logs to in relay mode.
550     # The syntax is identical to listen_address with the exception of
551     # the wild card ('*') syntax.  When this setting is enabled, logs will
552     # be relayed to the specified host instead of being stored locally.
553     # This setting is not enabled by default.
554     #relay_host = relayhost.dom.ain
555     #relay_host = relayhost.dom.ain(tls)
556
557     # The amount of time, in seconds, the server will wait for a connection
558     # to the relay server to complete.  A value of 0 will disable the timeout.
559     # The default value is 30.
560     #connect_timeout = 30
561
562     # The directory to store messages in before they are sent to the relay.
563     # Messages are stored in wire format.
564     # The default value is /var/log/sudo_logsrvd.
565     #relay_dir = /var/log/sudo_logsrvd
566
567     # The number of seconds to wait after a connection error before
568     # making a new attempt to forward a message to a relay host.
569     # The default value is 30.
570     #retry_interval = 30
571
572     # Whether to store the log before relaying it.  If true, enable store
573     # and forward mode.  If false, the client connection is immediately
574     # relayed.  Defaults to false.
575     #store_first = true
576
577     # If true, enable the SO_KEEPALIVE socket option on relay connections.
578     # Defaults to true.
579     #tcp_keepalive = true
580
581     # The amount of time, in seconds, the server will wait for the relay to
582     # respond.  A value of 0 will disable the timeout.  The default value is 30.
583     #timeout = 30
584
585     # If true, the server's relay certificate will be verified at startup.
586     # The default is to use the value in the [server] section.
587     #tls_verify = true
588
589     # Whether to verify the relay's certificate for TLS connections.
590     # The default is to use the value in the [server] section.
591     #tls_checkpeer = false
592
593     # Path to a certificate authority bundle file in PEM format to use
594     # instead of the system's default certificate authority database.
595     # The default is to use the value in the [server] section.
596     #tls_cacert = /etc/ssl/sudo/cacert.pem
597
598     # Path to the server's certificate file in PEM format.
599     # The default is to use the certificate in the [server] section.
600     #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
601
602     # Path to the server's private key file in PEM format.
603     # The default is to use the key in the [server] section.
604     #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
605
606     # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
607     # this setting is only effective if the negotiated protocol is TLS version
608     # 1.2.  The default is to use the value in the [server] section.
609     #tls_ciphers_v12 = HIGH:!aNULL
610
611     # TLS cipher list if the negotiated protocol is TLS version 1.3.
612     # The default is to use the value in the [server] section.
613     #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
614
615     # Path to the Diffie-Hellman parameter file in PEM format.
616     # The default is to use the value in the [server] section.
617     #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
618
619     [iolog]
620     # The top-level directory to use when constructing the path name for the
621     # I/O log directory.  The session sequence number, if any, is stored here.
622     #iolog_dir = /var/log/sudo-io
623
624     # The path name, relative to iolog_dir, in which to store I/O logs.
625     # It is possible for iolog_file to contain directory components.
626     #iolog_file = %{seq}
627
628     # If set, I/O logs will be compressed using zlib.  Enabling compression can
629     # make it harder to view the logs in real-time as the program is executing.
630     #iolog_compress = false
631
632     # If set, I/O log data is flushed to disk after each write instead of
633     # buffering it.  This makes it possible to view the logs in real-time
634     # as the program is executing but reduces the effectiveness of compression.
635     #iolog_flush = true
636
637     # The group to use when creating new I/O log files and directories.
638     # If iolog_group is not set, the primary group-ID of the user specified
639     # by iolog_user is used.  If neither iolog_group nor iolog_user
640     # are set, I/O log files and directories are created with group-ID 0.
641     #iolog_group = wheel
642
643     # The user to use when setting the user-ID and group-ID of new I/O
644     # log files and directories.  If iolog_group is set, it will be used
645     # instead of the user's primary group-ID.  By default, I/O log files
646     # and directories are created with user and group-ID 0.
647     #iolog_user = root
648
649     # The file mode to use when creating I/O log files.  The file permissions
650     # will always include the owner read and write bits, even if they are
651     # not present in the specified mode.  When creating I/O log directories,
652     # search (execute) bits are added to match the read and write bits
653     # specified by iolog_mode.
654     #iolog_mode = 0600
655
656     # If disabled, sudo_logsrvd will attempt to avoid logging plaintext
657     # password in the terminal input using passprompt_regex.
658     #log_passwords = true
659
660     # The maximum sequence number that will be substituted for the "%{seq}"
661     # escape in the I/O log file.  While the value substituted for "%{seq}"
662     # is in base 36, maxseq itself should be expressed in decimal.  Values
663     # larger than 2176782336 (which corresponds to the base 36 sequence
664     # number "ZZZZZZ") will be silently truncated to 2176782336.
665     #maxseq = 2176782336
666
667     # One or more POSIX extended regular expressions used to match
668     # password prompts in the terminal output when log_passwords is
669     # disabled.  Multiple passprompt_regex settings may be specified.
670     #passprompt_regex = [Pp]assword[: ]*
671     #passprompt_regex = [Pp]assword for [a-z0-9]+: *
672
673     [eventlog]
674     # Where to log accept, reject, exit, and alert events.
675     # Accepted values are syslog, logfile, or none.
676     # Defaults to syslog
677     #log_type = syslog
678
679     # Whether to log an event when a command exits or is terminated by a signal.
680     # Defaults to false
681     #log_exit = true
682
683     # Event log format.
684     # Currently only sudo-style event logs are supported.
685     #log_format = sudo
686
687     [syslog]
688     # The maximum length of a syslog payload.
689     # On many systems, syslog(3) has a relatively small log buffer.
690     # IETF RFC 5424 states that syslog servers must support messages
691     # of at least 480 bytes and should support messages up to 2048 bytes.
692     # Messages larger than this value will be split into multiple messages.
693     #maxlen = 960
694
695     # The syslog facility to use for event log messages.
696     # The following syslog facilities are supported: authpriv (if your OS
697     # supports it), auth, daemon, user, local0, local1, local2, local3,
698     # local4, local5, local6, and local7.
699     #facility = authpriv
700
701     # Syslog priority to use for event log accept messages, when the command
702     # is allowed by the security policy.  The following syslog priorities are
703     # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
704     #accept_priority = notice
705
706     # Syslog priority to use for event log reject messages, when the command
707     # is not allowed by the security policy.
708     #reject_priority = alert
709
710     # Syslog priority to use for event log alert messages reported by the
711     # client.
712     #alert_priority = alert
713
714     # The syslog facility to use for server warning messages.
715     # Defaults to daemon.
716     #server_facility = daemon
717
718     [logfile]
719     # The path to the file-based event log.
720     # This path must be fully-qualified and start with a '/' character.
721     #path = /var/log/sudo.log
722
723     # The format string used when formatting the date and time for
724     # file-based event logs.  Formatting is performed via strftime(3) so
725     # any format string supported by that function is allowed.
726     #time_format = %h %e %T
727

SEE ALSO

729     strftime(3), sudo.conf(5), sudoers(5), sudo(8), sudo_logsrvd(8)
730

AUTHORS

732     Many people have worked on sudo over the years; this version consists of
733     code written primarily by:
734
735           Todd C. Miller
736
737     See the CONTRIBUTORS.md file in the sudo distribution
738     (https://www.sudo.ws/about/contributors/) for an exhaustive list of peo‐
739     ple who have contributed to sudo.
740

BUGS

742     If you believe you have found a bug in sudo, you can submit a bug report
743     at https://bugzilla.sudo.ws/
744

SUPPORT

746     Limited free support is available via the sudo-users mailing list, see
747     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
748     the archives.
749

DISCLAIMER

751     sudo is provided “AS IS” and any express or implied warranties, includ‐
752     ing, but not limited to, the implied warranties of merchantability and
753     fitness for a particular purpose are disclaimed.  See the LICENSE.md file
754     distributed with sudo or https://www.sudo.ws/about/license/ for complete
755     details.
756
757Sudo 1.9.14p3                  January 16, 2023                  Sudo 1.9.14p3
Impressum