When I/O logging is enabled, sudo will run the command in a
pseudo-terminal and log all user input and/or output, depending on
which options are enabled. I/O can be logged either to the local
machine or to a remote log server. For local logs, I/O is logged to
the directory specified by the iolog_dir option (/var/log/sudo-io by
default) using a unique session ID that is included in the sudo log
line, prefixed with 'TSID='. The iolog_file option may be used to
control the format of the session ID. For remote logs, the
log_servers setting is used to specify one or more log servers
running sudo_logsrvd or another server that implements the protocol
described by sudo_logsrv.proto(5).

For both local and remote I/O logs, each log is stored in a
separate directory that contains the following files:

log       A text file containing information about the command.
          The first line consists of the following colon-delimited
          fields: the time the command was run, the name of the
          user who ran sudo, the name of the target user, the name
          of the target group (optional), the terminal that sudo
          was run from, and the number of lines and columns of the
          terminal. The second and third lines contain the working
          directory the command was run from and the path name of
          the command itself (with arguments if present).

log.json  A JSON-formatted file containing information about the
          command. This is similar to the log file but contains
          additional information and is easily extensible. The
          log.json file will be used by sudoreplay(8) in preference
          to the log file if it exists. The file may contain the
          following elements:

          timestamp
                    A JSON object containing the time the command
                    was run. It consists of two values, seconds and
                    nanoseconds.

          columns   The number of columns of the terminal the
                    command ran on, or zero if no terminal was
                    present.

          command   The fully-qualified path of the command that
                    was run.

          lines     The number of lines of the terminal the command
                    ran on, or zero if no terminal was present.

          runargv   A JSON array representing the command's
                    argument vector as passed to the execve()
                    system call.

          runenv    A JSON array representing the command's
                    environment as passed to the execve() system
                    call.

          rungid    The group ID the command ran as. This element
                    is only present when the user specifies a group
                    on the command line.

          rungroup  The name of the group the command ran as. This
                    element is only present when the user specifies
                    a group on the command line.

          runuid    The user ID the command ran as.

          runuser   The name of the user the command ran as.

          submitcwd
                    The current working directory at the time sudo
                    was run.

          submithost
                    The name of the host the command was run on.

          submituser
                    The name of the user who ran the command via
                    sudo.

          ttyname   The path name of the terminal the user invoked
                    sudo from. If the command was run in a
                    pseudo-terminal, ttyname will be different from
                    the terminal the command actually ran in.

timing    Timing information used to replay the session. Each line
          consists of the I/O log entry type and amount of time
          since the last entry, followed by type-specific data.
          The I/O log entry types and their corresponding
          type-specific data are:

          0    standard input, number of bytes in the entry
          1    standard output, number of bytes in the entry
          2    standard error, number of bytes in the entry
          3    terminal input, number of bytes in the entry
          4    terminal output, number of bytes in the entry
          5    window change, new number of lines and columns
          6    bug compatibility for sudo 1.8.7 terminal output
          7    command suspend or resume, signal received

ttyin     Raw input from the user's terminal, exactly as it was
          received. No post-processing is performed. For manual
          viewing, you may wish to convert carriage return
          characters in the log to line feeds. For example:
          'gunzip -c ttyin | tr "\r" "\n"'

stdin     The standard input when no terminal is present, or input
          redirected from a pipe or file.

ttyout    Output from the pseudo-terminal (what the command writes
          to the screen). Note that terminal-specific
          post-processing is performed before the data is logged.
          This means that, for example, line feeds are usually
          converted to line feed/carriage return pairs and tabs may
          be expanded to spaces.

stdout    The standard output when no terminal is present, or
          output redirected to a pipe or file.

stderr    The standard error redirected to a pipe or file.

All files other than log are compressed in gzip format unless the
compress_io flag has been disabled. Due to buffering, it is not
normally possible to display the I/O logs in real-time as the
program is executing. The I/O log data will not be complete until
the program run by sudo has exited or has been terminated by a
signal. The iolog_flush flag can be used to disable buffering, in
which case I/O log data is written to disk as soon as it is
available. The output portion of an I/O log file can be viewed
with the sudoreplay(8) utility, which can also be used to list or
search the available logs.

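
The timing file format described above can be summarized per session
for review. The following is an added example, not part of the sudo
manual or the sudo source: it totals the bytes logged per stream and
reports whether any input stream was captured. The function names and
the sample data are constructed for illustration, type 6 is assumed to
carry a byte count like type 4, and the signal field is treated as an
opaque token.

```python
import gzip
from collections import Counter

# Entry types from the timing description; type 6 is assumed to carry a
# byte count like type 4 (terminal output).
STREAMS = {0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin", 4: "ttyout", 6: "ttyout"}
WINCH, SUSPEND = 5, 7

# Constructed sample timing data, not taken from a real session.
SAMPLE = b"""\
3 0.500000 5
4 0.250000 120
5 1.000000 40 132
4 0.250000 64
7 2.000000 TSTP
7 4.000000 CONT
1 0.500000 10
"""

def read_timing(raw: bytes) -> str:
    """Decode a timing file, gzip-compressed or not (compress_io disabled)."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic number
        raw = gzip.decompress(raw)
    return raw.decode("ascii")

def summarize(raw: bytes) -> dict:
    """Total bytes per stream, elapsed time, window changes and signals."""
    nbytes, winch, signals, elapsed = Counter(), [], [], 0.0
    for lineno, line in enumerate(read_timing(raw).splitlines(), 1):
        fields = line.split()
        need = 4 if fields[:1] == ["5"] else 3  # window change has two values
        if len(fields) < need:
            raise ValueError(f"line {lineno}: incomplete entry {line!r}")
        etype = int(fields[0])
        elapsed += float(fields[1])  # delay since the previous entry
        if etype in STREAMS:
            nbytes[STREAMS[etype]] += int(fields[2])
        elif etype == WINCH:
            winch.append((int(fields[2]), int(fields[3])))  # lines, columns
        elif etype == SUSPEND:
            signals.append(fields[2])
        else:
            raise ValueError(f"line {lineno}: unknown entry type {etype}")
    return {"elapsed": elapsed, "bytes": dict(nbytes), "window_changes": winch,
            "signals": signals,
            # Input streams may hold passwords and are stored unencrypted.
            "input_logged": bool(nbytes["stdin"] or nbytes["ttyin"])}

if __name__ == "__main__":
    print(summarize(gzip.compress(SAMPLE)))
```

A session whose summary has input_logged set holds a ttyin or stdin
file that deserves the same handling as any other store of
credentials.
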
Note that user input may contain sensitive information such as
passwords (even if they are not echoed to the screen), which will
be stored in the log file unencrypted. In most cases, logging the
command output via log_output or LOG_OUTPUT is all that is
required.

Since each session's I/O logs are stored in a separate directory,
traditional log rotation utilities cannot be used to limit the
number of I/O logs. The simplest way to limit the number of I/O logs
is by setting the maxseq option to the maximum number of logs you
wish to store. Once the I/O log sequence number reaches maxseq, it
will be reset to zero and sudoers will truncate and re-use any
existing I/O logs.