Linux Manual Guide




sudoers(5)

default sudo security policy plugin

I/O LOG FILES

When I/O logging is enabled, sudo will run the command in a pseudo-terminal and log all user input and/or output, depending on which options are enabled. I/O can be logged either to the local machine or to a remote log server. For local logs, I/O is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the sudo log line, prefixed with 'TSID='. The iolog_file option may be used to control the format of the session ID. For remote logs, the log_servers setting is used to specify one or more log servers running sudo_logsrvd or another server that implements the protocol described by sudo_logsrv.proto(5).

For both local and remote I/O logs, each log is stored in a separate directory that contains the following files:

log A text file containing information about the command. The first line consists of the following colon-delimited fields: the time the command was run, the name of the user who ran sudo, the name of the target user, the name of the target group (optional), the terminal that sudo was run from, and the number of lines and columns of the terminal. The second and third lines contain the working directory the command was run from and the path name of the command itself (with arguments if present).

log.json A JSON-formatted file containing information about the command. This is similar to the log file but contains additional information and is easily extensible. The log.json file will be used by sudoreplay(8) in preference to the log file if it exists. The file may contain the following elements:

timestamp A JSON object containing the time the command was run. It consists of two values, seconds and nanoseconds.

columns The number of columns of the terminal the command ran on, or zero if no terminal was present.

command The fully-qualified path of the command that was run.

lines The number of lines of the terminal the command ran on, or zero if no terminal was present.

runargv A JSON array representing the command's argument vector as passed to the execve() system call.

runenv A JSON array representing the command's environment as passed to the execve() system call.

rungid The group ID the command ran as. This element is only present when the user specifies a group on the command line.

rungroup The name of the group the command ran as. This element is only present when the user specifies a group on the command line.

runuid The user ID the command ran as.

runuser The name of the user the command ran as.

submitcwd The current working directory at the time sudo was run.

submithost The name of the host the command was run on.

submituser The name of the user who ran the command via sudo.

ttyname The path name of the terminal the user invoked sudo from. If the command was run in a pseudo-terminal, ttyname will be different from the terminal the command actually ran in.

timing Timing information used to replay the session. Each line consists of the I/O log entry type and amount of time since the last entry, followed by type-specific data. The I/O log entry types and their corresponding type-specific data are:

0 standard input, number of bytes in the entry
1 standard output, number of bytes in the entry
2 standard error, number of bytes in the entry
3 terminal input, number of bytes in the entry
4 terminal output, number of bytes in the entry
5 window change, new number of lines and columns
6 bug compatibility for sudo 1.8.7 terminal output, number of bytes in the entry
7 command suspend or resume, signal received

ttyin Raw input from the user's terminal, exactly as it was received. No post-processing is performed. For manual viewing, you may wish to convert carriage return characters in the log to line feeds. For example: 'gunzip -c ttyin | tr "\r" "\n"'

stdin The standard input when no terminal is present, or input redirected from a pipe or file.

ttyout Output from the pseudo-terminal (what the command writes to the screen). Note that terminal-specific post-processing is performed before the data is logged. This means that, for example, line feeds are usually converted to line feed/carriage return pairs and tabs may be expanded to spaces.

stdout The standard output when no terminal is present, or output redirected to a pipe or file.

stderr The standard error redirected to a pipe or file.

All files other than log are compressed in gzip format unless the compress_io flag has been disabled. Due to buffering, it is not normally possible to display the I/O logs in real-time as the program is executing. The I/O log data will not be complete until the program run by sudo has exited or has been terminated by a signal. The iolog_flush flag can be used to disable buffering, in which case I/O log data is written to disk as soon as it is available. The output portion of an I/O log file can be viewed with the sudoreplay(8) utility, which can also be used to list or search the available logs.
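The file layout above is enough to read a session back without sudoreplay(8), which is useful when an I/O log has to be parsed by a SIEM pipeline or checked for completeness after an incident. The following Python is an added example, not code from the sudo project: it parses the three-line log file (or log.json when present), walks the timing file, slices the stream files by the byte counts it records, and refuses to proceed when a stream is shorter than timing claims, which is exactly what an unflushed, still-running session looks like. The gzip detection by magic bytes exists so the same code works with compress_io on or off. The session written by make_sample_session() is constructed for illustration, as are the user name, command and timestamps in it.

```python
"""Parse a sudoers(5) I/O log directory (`log`/log.json, `timing`, stream files).
Added example, not sudo's own code; the sample session below is constructed."""
import gzip
import json
import os
import tempfile

# Timing entry types whose data field is a byte count, and the file it indexes.
# Type 6 is the sudo 1.8.7 compatibility form of terminal output.
BYTE_TYPES = {0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin", 4: "ttyout", 6: "ttyout"}
WINCH, SUSPEND = 5, 7


def read_iolog_file(path):
    """Read a file, gunzipping it if compressed (compress_io is on by default)."""
    with open(path, "rb") as f:
        data = f.read()
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def parse_log(iolog_dir):
    """Session metadata: log.json if present, else the three-line `log` file."""
    jpath = os.path.join(iolog_dir, "log.json")
    if os.path.exists(jpath):
        return json.loads(read_iolog_file(jpath))
    header, cwd, command = read_iolog_file(os.path.join(iolog_dir, "log")).decode().splitlines()[:3]
    fields = header.split(":")   # time:submituser:runuser:rungroup:tty:lines:cols
    if len(fields) != 7:
        raise ValueError("malformed log header: %r" % header)
    when, submituser, runuser, rungroup, tty, rows, cols = fields
    return {"timestamp": int(when), "submituser": submituser, "runuser": runuser,
            "rungroup": rungroup or None, "ttyname": tty, "lines": int(rows),
            "columns": int(cols), "submitcwd": cwd, "command": command}


def parse_timing(text):
    """Return [(type, delta_seconds, data)] for each line of a `timing` file."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        etype, delta = int(fields[0]), float(fields[1])
        if etype in BYTE_TYPES:
            data = int(fields[2])                    # bytes in this entry
        elif etype == WINCH:
            data = (int(fields[2]), int(fields[3]))  # new lines, columns
        elif etype == SUSPEND:
            data = fields[2]                         # signal name
        else:
            raise ValueError("unknown timing entry type %d" % etype)
        entries.append((etype, delta, data))
    return entries


def replay(iolog_dir):
    """Walk `timing`, slicing each stream file by the byte counts it records.
    Returns (elapsed_seconds, events) with events as (offset_s, kind, payload)."""
    entries = parse_timing(read_iolog_file(os.path.join(iolog_dir, "timing")).decode())
    streams, offsets, events, clock = {}, {}, [], 0.0
    for etype, delta, data in entries:
        clock += delta
        if etype == WINCH:
            events.append((clock, "winch", data))
        elif etype == SUSPEND:
            events.append((clock, "signal", data))
        else:
            name = BYTE_TYPES[etype]
            if name not in streams:
                streams[name] = read_iolog_file(os.path.join(iolog_dir, name))
                offsets[name] = 0
            chunk = streams[name][offsets[name]:offsets[name] + data]
            if len(chunk) != data:   # data buffered but not yet flushed (see iolog_flush)
                raise ValueError("%s short by %d bytes; session still running?"
                                 % (name, data - len(chunk)))
            offsets[name] += data
            events.append((clock, name, chunk))
    return clock, events


def make_sample_session(root):
    """Write a constructed session in sudo's on-disk layout: the user pressed
    Enter after 0.25 s and `id -u` printed "0" 12 ms later."""
    with open(os.path.join(root, "log"), "w") as f:
        f.write("1700000000:alice:root::/dev/pts/0:24:80\n/home/alice\n/usr/bin/id -u\n")
    files = {"ttyin": b"\r",        # raw CR exactly as the terminal delivered it
             "ttyout": b"0\r\n",    # post-processed: the LF became CR/LF
             "timing": b"3 0.250000 1\n4 0.012000 3\n"}
    for name, data in files.items():
        with gzip.open(os.path.join(root, name), "wb") as f:   # compress_io on
            f.write(data)


def demo():
    """Build the sample in a temporary directory and return what was recovered."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_session(tmp)
        elapsed, events = replay(tmp)
        return {"info": parse_log(tmp), "elapsed": elapsed, "events": events}
```

Point replay() at a real session directory (for example /var/log/sudo-io/00/00/01) to get the same structure back; the ValueError on a short stream is the check to run before treating a log as evidence, since a session that is still open, or one killed before sudo could flush, will stop mid-entry.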

Note that user input may contain sensitive information such as passwords (even if they are not echoed to the screen), which will be stored in the log file unencrypted. In most cases, logging the command output via log_output or LOG_OUTPUT is all that is required.

Since each session's I/O logs are stored in a separate directory, traditional log rotation utilities cannot be used to limit the number of I/O logs. The simplest way to limit the number of I/O logs is by setting the maxseq option to the maximum number of logs you wish to store. Once the I/O log sequence number reaches maxseq, it will be reset to zero and sudoers will truncate and re-use any existing I/O logs.
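The two preceding paragraphs translate directly into sudoers Defaults lines. The fragment below is an added example, not text from the man page: it places the keystroke-logging configuration next to the output-only configuration the page recommends, and adds the flush and retention settings discussed above. The user name, command and maxseq value are illustrative.

```sudoers
# Weak: log_input records every keystroke, so a password typed to su, ssh,
# mysql or a passphrase prompt inside the session lands in ttyin/stdin,
# compressed but not encrypted.
Defaults log_input, log_output

# Usually sufficient: keep what the command printed, not what the user typed.
Defaults log_output
# Default location; shown explicitly so it can be placed on a dedicated volume.
Defaults iolog_dir=/var/log/sudo-io
# Write I/O log data as soon as it is available instead of buffering it.
Defaults iolog_flush
# Sequence numbers wrap at this value and older session directories are reused.
Defaults maxseq=100000

# Alternatively enable output logging per rule with the LOG_OUTPUT tag.
alice ALL=(root) LOG_OUTPUT: /usr/bin/systemctl restart nginx
```

With iolog_flush set, a session that is cut off by a crash or a SIGKILL still leaves the bytes written up to that point on disk, at the cost of one write per chunk of I/O; without it the timing file will reference data that never reached the stream files.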