summaryrefslogtreecommitdiffstats
path: root/docs/sudo_logsrvd.conf.mdoc.in
blob: 8fee88c34d8166cc97fdc445fd8f5b1ca2d3f292 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 16, 2023
.Dt SUDO_LOGSRVD.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrvd.conf
.Nd configuration for sudo_logsrvd
.Sh DESCRIPTION
The
.Nm sudo_logsrvd.conf
file is used to configure the
.Nm sudo_logsrvd
log server.
It uses an INI-style format made up of sections in square brackets and
.Dq key = value
pairs specific to each section below the section name.
Depending on the key, values may be integers, booleans, or strings.
Section and key names are not case sensitive, but values are.
.Pp
The pound sign
.Pq Ql #
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
Lines beginning with a semi-colon
.Pq Ql \&;
are also ignored.
.Pp
Long lines can be continued with a backslash
.Pq Ql \e
as the last character on the line.
Leading white space is removed from the beginning of lines
even when the continuation character is used.
.Pp
The
.Sx EXAMPLES
section contains a copy of the default
.Nm
file.
.Pp
The following configuration sections are recognized:
.Pp
.Bl -bullet -compact -offset 1n -width 1n
.It
server
.It
relay
.It
iolog
.It
eventlog
.It
syslog
.It
logfile
.El
.Pp
Each section is described in detail below.
.Ss server
The
.Em server
section configures the address and port the server will listen on.
The following keys are recognized:
.Bl -tag -width 4n
.It listen_address = host Ns Oo : Ns port Oc Ns Op (tls)
The host name or IP address, optional port to listen on and
an optional Transport Layer Security (TLS) flag in parentheses.
.Pp
The host may be a host name, an IPv4 address, an IPv6 address
in square brackets or the wild card entry
.Ql * .
A host setting of
.Ql *
will cause
.Nm sudo_logsrvd
to listen on all configured network interfaces.
.Pp
If the optional tls flag is present,
.Nm sudo_logsrvd
will secure the connection with TLS version 1.2 or 1.3.
Versions of TLS prior to 1.2 are not supported.
See
.Xr sudo_logsrvd @mansectsu@
for details on generating TLS keys and certificates.
.Pp
If a port is specified, it may either be a port number or a known
service name as defined by the system service name database.
If no port is specified, port 30343 will be used for plaintext
connections and port 30344 will be used for TLS connections.
.Pp
The default value is:
.Bd -literal -compact -offset indent
listen_address = *:30343
listen_address = *:30344(tls)
.Ed
which will listen on all configured network interfaces for both
plaintext and TLS connections.
Multiple
.Em listen_address
lines may be specified to listen on more than one port or interface.
.It server_log = string
Where to log server warning and error messages.
Supported values are
.Em none ,
.Em stderr ,
.Em syslog ,
or a path name beginning with the
.Ql /
character.
A value of
.Em stderr
is only effective when used in conjunction with the
.Fl n
option.
The default value is
.Em syslog .
.It pid_file = path
The path to the file containing the process ID of the running
.Nm sudo_logsrvd .
If set to an empty value, or if
.Nm sudo_logsrvd
is run with the
.Fl n
option, no
.Em pid_file
will be created.
If
.Em pid_file
refers to a symbolic link, it will be ignored.
The default value is
.Pa @rundir@/sudo_logsrvd.pid .
.It tcp_keepalive = boolean
If true,
.Nm sudo_logsrvd
will enable the TCP keepalive socket option on the client connection.
This enables the periodic transmission of keepalive messages to the client.
If the client does not respond to a message in time, the connection will
be closed.
Defaults to
.Em true .
.It timeout = number
The amount of time, in seconds,
.Nm sudo_logsrvd
will wait for the client to respond.
A value of 0 will disable the timeout.
The default value is
.Em 30 .
.It tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
when authenticating clients.
The default is to use
.Pa /etc/ssl/sudo/cacert.pem
if it exists, otherwise the system's default certificate authority
database is used.
.It tls_cert = path
The path to the server's certificate file, in PEM format.
The default value is
.Pa /etc/ssl/sudo/certs/logsrvd_cert.pem .
.It tls_checkpeer = bool
If true, client certificates will be validated by
.Nm sudo_logsrvd ;
clients without a valid certificate will be unable to connect.
If false, no validation of client certificates will be performed.
It true and client certificates are created using a private certificate
authority, the
.Em tls_cacert
setting must be set to a CA bundle that contains the CA certificate
used to generate the client certificate.
The default value is
.Em false .
.It tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon
.Ql :\& .
See the
.Sx CIPHER LIST FORMAT
section in
.Xr openssl-ciphers 1
for full details.
The default value is
.Dq HIGH:!aNULL
which consists of encryption cipher suites with key lengths larger than
128 bits, and some cipher suites with 128-bit keys.
Cipher suites that offer no authentication are excluded.
.It tls_ciphers_v13 = string
A list of ciphers to use for connections secured by TLS version 1.3 only,
separated by a colon
.Ql :\& .
Supported cipher suites depend on the version of OpenSSL used,
but should include the following:
.Pp
.Bl -tag -compact -width 4n -offset indent
.It TLS_AES_128_GCM_SHA256
.It TLS_AES_256_GCM_SHA384
.It TLS_CHACHA20_POLY1305_SHA256
.It TLS_AES_128_CCM_SHA256
.It TLS_AES_128_CCM_8_SHA256
.El
.Pp
The default cipher suite is
.Dq TLS_AES_256_GCM_SHA384 .
.It tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format.
This file can be created with the following command:
.Bd -literal
openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
.Ed
.Pp
By default,
.Nm sudo_logsrvd
will use the OpenSSL defaults for Diffie-Hellman key generation.
.It tls_key = path
The path to the server's private key file, in PEM format.
The default value is
.Pa /etc/ssl/sudo/private/logsrvd_key.pem .
.It tls_verify = bool
If true,
.Nm sudo_logsrvd
will validate its own certificate at startup time or when the
configuration is changed.
If false, no verification is performed of the server certificate.
When using self-signed certificates without a certificate authority,
this setting should be set to false.
The default value is
.Em true .
.El
.Ss relay
The
.Em relay
section configures the optional logsrv relay host and port the server will
connect to.
The TLS configuration keys are optional, by default the corresponding
keys in the
.Sx server
section will be used.
They are only present in this section to make it possible for the relay
connection to use a different set of TLS parameters from the client-facing
server.
The following keys are recognized:
.Bl -tag -width 4n
.It connect_timeout = number
The amount of time, in seconds,
.Nm sudo_logsrvd
will wait for the connection to a
.Em relay_host
(see below) to complete.
Once the connection is complete, the
.Em timeout
setting controls the amount of time
.Nm sudo_logsrvd
will wait for the relay to respond.
A value of 0 will disable the timeout.
The default value is
.Em 30 .
.It relay_dir = path
The directory in which log messages are temporarily stored before they
are sent to the relay host.
Messages are stored in the wire format specified by
.Xr sudo_logsrv.proto @mansectform@
The default value is
.Pa @relay_dir@ .
.It relay_host = host Ns Oo : Ns port Oc Ns Op (tls)
The relay host name or IP address, optional port to connect to and
an optional Transport Layer Security (TLS) flag in parentheses.
The syntax is identical to
.Em listen_address
in the
.Sx server
section with one exception: the wild card
.Ql *
syntax is not supported.
.Pp
When this setting is enabled, messages from the client will be forwarded
to one of the specified relay hosts instead of being stored locally.
The
.Ar host
could be running an instance of
.Nm sudo_logsrvd
or another server that supports the
.Xr sudo_logsrv.proto @mansectform@
protocol.
.Pp
If multiple
.Em relay_host
lines are specified, the first available relay host will be used.
.It retry_interval = number
The number of seconds to wait after a connection error before making
a new attempt to forward a message to a relay host.
The default value is
.Em 30 .
.It store_first = boolean
If true,
.Nm sudo_logsrvd
will store logs locally before relaying them.
Once the log is complete, a connection to the relay host is opened
and the log is relayed.
If the network connection is interrupted before the log can be fully
transferred, it will be retransmitted later.
The default is to relay logs in real-time.
.It tcp_keepalive = boolean
If true,
.Nm sudo_logsrvd
will enable the TCP keepalive socket option on the relay connection.
This enables the periodic transmission of keepalive messages to the relay
server.
If the relay does not respond to a message in time, the connection will
be closed.
.It timeout = number
The amount of time, in seconds,
.Nm sudo_logsrvd
will wait for the relay server to respond after a connection has succeeded.
A value of 0 will disable the timeout.
The default value is
.Em 30 .
.It tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
when authenticating clients.
The default is to use the value specified in the
.Sx server
section, or the system's default certificate authority database if
no value is set.
.It tls_cert = path
The path to the server's certificate file, in PEM format.
The default is to use the value specified in the
.Sx server
section.
.It tls_checkpeer = bool
If true, the relay host's certificate will be validated by
.Nm sudo_logsrvd ;
connections to a relay without a valid certificate will fail.
If false, no validation of relay certificates will be performed.
It true and relay certificates are created using a private certificate
authority, the
.Em tls_cacert
setting must be set to a CA bundle that contains the CA certificate
used to generate the relay certificate.
The default is to use the value specified in the
.Sx server
section.
.It tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon
.Ql :\& .
See the
.Sx CIPHER LIST FORMAT
section in
.Xr openssl-ciphers 1
for full details.
The default is to use the value specified in the
.Sx server
section.
.It tls_ciphers_v13 = string
A list of ciphers to use for connections secured by TLS version 1.3 only,
separated by a colon
.Ql :\& .
Supported cipher suites depend on the version of OpenSSL used,
see the
.Sx server
section for more information.
The default is to use the value specified in the
.Sx server
section.
.It tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format.
The default is to use the value specified in the
.Sx server
section.
.It tls_key = path
The path to the server's private key file, in PEM format.
The default is to use the value specified in the
.Sx server
section.
.It tls_verify = bool
If true, the server's certificate used for relaying will be verified at startup.
If false, no verification is performed of the server certificate.
When using self-signed certificates without a certificate authority,
this setting should be set to false.
The default is to use the value specified in the
.Sx server
section.
.El
.Ss iolog
The
.Em iolog
section configures I/O log parameters.
These settings are identical to the I/O configuration in
.Xr sudoers @mansectform@ .
The following keys are recognized:
.Bl -tag -width 4n
.It iolog_compress = boolean
If set, I/O logs will be compressed using
.Sy zlib .
Enabling compression can make it harder to view the logs in real-time as
the program is executing due to buffering.
The default value is
.Em false .
.It iolog_dir = path
The top-level directory to use when constructing the path
name for the I/O log directory.
The session sequence number, if any, is stored in the directory.
The default value is
.Pa @iolog_dir@ .
.Pp
The following percent
.Pq Ql %
escape sequences are supported:
.Bl -tag -width 4n
.It %{seq}
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.,
.Pa 01/00/A5
.It %{user}
expanded to the invoking user's login name
.It %{group}
expanded to the name of the invoking user's real group-ID
.It %{runas_user}
expanded to the login name of the user the command will
be run as (e.g., root)
.It %{runas_group}
expanded to the group name of the user the command will
be run as (e.g., wheel)
.It %{hostname}
expanded to the local host name without the domain name
.It %{command}
expanded to the base name of the command being run
.El
.Pp
In addition, any escape sequences supported by the system's
.Xr strftime 3
function will be expanded.
.Pp
To include a literal
.Ql %
character, the string
.Ql %%
should be used.
.It iolog_file = path
The path name, relative to
.Em iolog_dir ,
in which to store I/O logs.
It is possible for
.Em iolog_file
to contain directory components.
The default value is
.Dq %{seq} .
.Pp
See the
.Em iolog_dir
setting above for a list of supported percent
.Pq Ql %
escape sequences.
.Pp
In addition to the escape sequences, path names that end in six or
more
.Em X Ns s
will have the
.Em X Ns s
replaced with a unique combination of digits and letters, similar to the
.Xr mktemp 3
function.
.Pp
If the path created by concatenating
.Em iolog_dir
and
.Em iolog_file
already exists, the existing I/O log file will be truncated and
overwritten unless
.Em iolog_file
ends in six or
more
.Em X Ns s .
.It iolog_flush = boolean
If set, I/O log data is flushed to disk after each write instead of
buffering it.
This makes it possible to view the logs in real-time as the program is
executing but may significantly reduce the effectiveness
of I/O log compression.
I/O logs are always flushed before sending a commit point to the client
regardless of this setting.
The default value is
.Em true .
.It iolog_group = name
The group name to look up when setting the group-ID on new I/O log
files and directories.
If
.Em iolog_group
is not set,
the primary group-ID of the user specified by
.Em iolog_user is used.
If neither
.Em iolog_group
nor
.Em iolog_user
are set, I/O log files and directories are created with group-ID 0.
.It iolog_mode = mode
The file mode to use when creating I/O log files.
Mode bits for read and write permissions for owner, group, or other
are honored, everything else is ignored.
The file permissions will always include the owner read and
write bits, even if they are not present in the specified mode.
When creating I/O log directories, search (execute) bits are added
to match the read and write bits specified by
.Em iolog_mode .
The default value is
.Em 0600 .
.It iolog_user = name
The user name to look up when setting the owner of new
I/O log files and directories.
If
.Em iolog_group
is set, it will be used instead of the user's primary group-ID.
By default, I/O log files and directories are created with user and
group-ID 0.
.It log_passwords = bool
Most programs that require a user's password will disable echo before
reading the password to avoid displaying the plaintext password on
the screen.
However, if terminal input is being logged,
the password will still be present in the I/O log.
If
.Em log_passwords
is set to
.Em false ,
.Nm sudo_logsrvd
will attempt to prevent passwords from being logged.
It does this by using the regular expressions in
.Em passprompt_regex
to match a password prompt in the terminal output buffer.
When a match is found, input characters in the I/O log will be replaced with
.Ql *
until either a line feed or carriage return is found in the terminal input
or a new terminal output buffer is received.
If, however, a program displays characters as the user types them
(such as
.Nm sudo
when the
.Em pwfeedback
option is set), only the
first character of the password will be replaced in the I/O log.
The default value is
.Em true .
.It maxseq = number
The maximum sequence number that will be substituted for the
.Dq %{seq}
escape in the I/O log file (see the
.Em iolog_dir
description above for more information).
While the value substituted for
.Dq %{seq}
is in base 36,
.Em maxseq
itself should be expressed in decimal.
Values larger than 2176782336 (which corresponds to the
base 36 sequence number
.Dq ZZZZZZ )
will be silently truncated to 2176782336.
The default value is
.Em 2176782336 .
.It passprompt_regex = string
One or more POSIX extended regular expressions used to
match password prompts in the terminal output when
.Em log_passwords
is disabled.
As an extension, if the regular expression begins with
.Dq (?i) ,
it will be matched in a case-insensitive manner.
Multiple
.Em passprompt_regex
settings may be specified.
Each regular expression is limited to 1024 characters.
The default value is
.Dq [Pp]assword[: ]* .
.El
.Ss eventlog
The
.Em eventlog
section configures how (and if) security policy events are logged.
.Bl -tag -width 4n
.It log_type = string
Where to log accept, reject, and alert events reported by the policy.
Supported values are
.Em syslog ,
.Em logfile ,
and
.Em none .
The default value is
.Em syslog .
.It log_exit = boolean
If true,
.Nm sudo_logsrvd
will log an event when a command exits or is terminated by a signal.
Defaults to
.Em false .
.It log_format = string
The event log format.
Supported log formats are
.Dq sudo
for traditional sudo-style logs and
.Dq json
for JSON-format logs.
The JSON log entries contain the full contents of the accept, reject, exit
and alert messages.
The default value is
.Em sudo .
.El
.Ss syslog
The
.Em syslog
section configures how events are logged via
.Xr syslog 3 .
.Bl -tag -width 4n
.It facility = string
Syslog facility if syslog is being used for logging.
Defaults to
.Em @logfac@ .
.Pp
The following syslog facilities are supported:
.Sy authpriv
(if your
OS supports it),
.Sy auth ,
.Sy daemon ,
.Sy user ,
.Sy local0 ,
.Sy local1 ,
.Sy local2 ,
.Sy local3 ,
.Sy local4 ,
.Sy local5 ,
.Sy local6 ,
and
.Sy local7 .
.It accept_priority = string
Syslog priority to use when the user is allowed to run a command and
authentication is successful.
Defaults to
.Em @goodpri@ .
.Pp
The following syslog priorities are supported:
.Sy alert ,
.Sy crit ,
.Sy debug ,
.Sy emerg ,
.Sy err ,
.Sy info ,
.Sy notice ,
.Sy warning ,
and
.Sy none .
Setting it to a value of
.Sy none
will disable logging of successful commands.
.It reject_priority = string
Syslog priority to use when the user is not allowed to run a command or
when authentication is unsuccessful.
Defaults to
.Em @badpri@ .
.Pp
See
.Em accept_priority
for the list of supported syslog priorities.
.It alert_priority = string
Syslog priority to use for event log alert messages received from the client.
Defaults to
.Em @badpri@ .
.Pp
See
.Em accept_priority
for the list of supported syslog priorities.
.It maxlen = number
On many systems,
.Xr syslog 3
has a relatively small log buffer.
IETF RFC 5424 states that syslog servers must support messages of
at least 480 bytes and should support messages up to 2048 bytes.
By default,
.Nm sudo_logsrvd
creates log messages up to 960 bytes which corresponds to the
historic
.Bx
syslog implementation which used a 1024 byte buffer
to store the message, date, hostname, and program name.
.Pp
To prevent syslog messages from being truncated,
.Nm sudo_logsrvd
will split up sudo-style log messages that are larger than
.Em maxlen
bytes.
When a message is split, additional parts will include the string
.Dq Pq command continued
after the user name and before the continued command line arguments.
JSON-format log entries are never split and are not affected by
.Em maxlen .
.It server_facility = string
Syslog facility if syslog is being used for server warning messages.
See above for a list of supported facilities.
Defaults to
.Em daemon
.El
.Ss logfile
The
.Em logfile
section consists of settings related to logging to a plain file
(not syslog).
.Bl -tag -width 4n
.It path = string
The path to the file-based event log.
This path must be fully-qualified and start with a
.Sq /
character.
The default value is
.Pa @logpath@ .
.It time_format = string
The string used when formatting the date and time for file-based event logs.
Formatting is performed via the system's
.Xr strftime 3
function so any escape sequences supported by that function will be expanded.
The default value is
.Dq "%h %e %T"
which produces dates like
.Dq Oct  3 07:15:24
in the
.Ql C
locale.
.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo_logsrvd.conf
Sudo log server configuration file
.El
.Sh EXAMPLES
.Bd -literal
#
# sudo logsrv daemon configuration
#

[server]
# The host name or IP address and port to listen on with an optional TLS
# flag.  If no port is specified, port 30343 will be used for plaintext
# connections and port 30344 will be used to TLS connections.
# The following forms are accepted:
#   listen_address = hostname(tls)
#   listen_address = hostname:port(tls)
#   listen_address = IPv4_address(tls)
#   listen_address = IPv4_address:port(tls)
#   listen_address = [IPv6_address](tls)
#   listen_address = [IPv6_address]:port(tls)
#
# The (tls) suffix should be omitted for plaintext connections.
#
# Multiple listen_address settings may be specified.
# The default is to listen on all addresses.
#listen_address = *:30343
#listen_address = *:30344(tls)

# The file containing the ID of the running sudo_logsrvd process.
#pid_file = @rundir@/sudo_logsrvd.pid

# Where to log server warnings: none, stderr, syslog, or a path name.
#server_log = syslog

# If true, enable the SO_KEEPALIVE socket option on client connections.
# Defaults to true.
#tcp_keepalive = true

# The amount of time, in seconds, the server will wait for the client to
# respond.  A value of 0 will disable the timeout.  The default value is 30.
#timeout = 30

# If true, the server will validate its own certificate at startup.
# Defaults to true.
#tls_verify = true

# If true, client certificates will be validated by the server;
# clients without a valid certificate will be unable to connect.
# By default, client certs are not checked.
#tls_checkpeer = false

# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
#tls_cacert = /etc/ssl/sudo/cacert.pem

# Path to the server's certificate file in PEM format.
# Required for TLS connections.
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem

# Path to the server's private key file in PEM format.
# Required for TLS connections.
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem

# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# This setting is only effective if the negotiated protocol is TLS version
# 1.2.  The default cipher list is HIGH:!aNULL.
#tls_ciphers_v12 = HIGH:!aNULL

# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default cipher list is TLS_AES_256_GCM_SHA384.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384

# Path to the Diffie-Hellman parameter file in PEM format.
# If not set, the server will use the OpenSSL defaults.
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem

[relay]
# The host name or IP address and port to send logs to in relay mode.
# The syntax is identical to listen_address with the exception of
# the wild card ('*') syntax.  When this setting is enabled, logs will
# be relayed to the specified host instead of being stored locally.
# This setting is not enabled by default.
#relay_host = relayhost.dom.ain
#relay_host = relayhost.dom.ain(tls)

# The amount of time, in seconds, the server will wait for a connection
# to the relay server to complete.  A value of 0 will disable the timeout.
# The default value is 30.
#connect_timeout = 30

# The directory to store messages in before they are sent to the relay.
# Messages are stored in wire format.
# The default value is @relay_dir@.
#relay_dir = @relay_dir@

# The number of seconds to wait after a connection error before
# making a new attempt to forward a message to a relay host.
# The default value is 30.
#retry_interval = 30

# Whether to store the log before relaying it.  If true, enable store
# and forward mode.  If false, the client connection is immediately
# relayed.  Defaults to false.
#store_first = true

# If true, enable the SO_KEEPALIVE socket option on relay connections.
# Defaults to true.
#tcp_keepalive = true

# The amount of time, in seconds, the server will wait for the relay to
# respond.  A value of 0 will disable the timeout.  The default value is 30.
#timeout = 30

# If true, the server's relay certificate will be verified at startup.
# The default is to use the value in the [server] section.
#tls_verify = true

# Whether to verify the relay's certificate for TLS connections.
# The default is to use the value in the [server] section.
#tls_checkpeer = false

# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
# The default is to use the value in the [server] section.
#tls_cacert = /etc/ssl/sudo/cacert.pem

# Path to the server's certificate file in PEM format.
# The default is to use the certificate in the [server] section.
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem

# Path to the server's private key file in PEM format.
# The default is to use the key in the [server] section.
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem

# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# this setting is only effective if the negotiated protocol is TLS version
# 1.2.  The default is to use the value in the [server] section.
#tls_ciphers_v12 = HIGH:!aNULL

# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default is to use the value in the [server] section.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384

# Path to the Diffie-Hellman parameter file in PEM format.
# The default is to use the value in the [server] section.
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem

[iolog]
# The top-level directory to use when constructing the path name for the
# I/O log directory.  The session sequence number, if any, is stored here.
#iolog_dir = @iolog_dir@

# The path name, relative to iolog_dir, in which to store I/O logs.
# It is possible for iolog_file to contain directory components.
#iolog_file = %{seq}

# If set, I/O logs will be compressed using zlib.  Enabling compression can
# make it harder to view the logs in real-time as the program is executing.
#iolog_compress = false

# If set, I/O log data is flushed to disk after each write instead of
# buffering it.  This makes it possible to view the logs in real-time
# as the program is executing but reduces the effectiveness of compression.
#iolog_flush = true

# The group to use when creating new I/O log files and directories.
# If iolog_group is not set, the primary group-ID of the user specified
# by iolog_user is used.  If neither iolog_group nor iolog_user
# are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel

# The user to use when setting the user-ID and group-ID of new I/O
# log files and directories.  If iolog_group is set, it will be used
# instead of the user's primary group-ID.  By default, I/O log files
# and directories are created with user and group-ID 0.
#iolog_user = root

# The file mode to use when creating I/O log files.  The file permissions
# will always include the owner read and write bits, even if they are
# not present in the specified mode.  When creating I/O log directories,
# search (execute) bits are added to match the read and write bits
# specified by iolog_mode.
#iolog_mode = 0600

# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
# password in the terminal input using passprompt_regex.
#log_passwords = true

# The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file.  While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal.  Values
# larger than 2176782336 (which corresponds to the base 36 sequence
# number "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336

# One or more POSIX extended regular expressions used to match
# password prompts in the terminal output when log_passwords is
# disabled.  Multiple passprompt_regex settings may be specified.
#passprompt_regex = [Pp]assword[: ]*
#passprompt_regex = [Pp]assword for [a-z0-9]+: *

[eventlog]
# Where to log accept, reject, exit, and alert events.
# Accepted values are syslog, logfile, or none.
# Defaults to syslog
#log_type = syslog

# Whether to log an event when a command exits or is terminated by a signal.
# Defaults to false
#log_exit = true

# Event log format.
# Currently only sudo-style event logs are supported.
#log_format = sudo

[syslog]
# The maximum length of a syslog payload.
# On many systems, syslog(3) has a relatively small log buffer.
# IETF RFC 5424 states that syslog servers must support messages
# of at least 480 bytes and should support messages up to 2048 bytes.
# Messages larger than this value will be split into multiple messages.
#maxlen = 960

# The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3,
# local4, local5, local6, and local7.
#facility = @logfac@

# Syslog priority to use for event log accept messages, when the command
# is allowed by the security policy.  The following syslog priorities are
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
#accept_priority = @goodpri@

# Syslog priority to use for event log reject messages, when the command
# is not allowed by the security policy.
#reject_priority = @badpri@

# Syslog priority to use for event log alert messages reported by the
# client.
#alert_priority = @badpri@

# The syslog facility to use for server warning messages.
# Defaults to daemon.
#server_facility = daemon

[logfile]
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
#path = @logpath@

# The format string used when formatting the date and time for
# file-based event logs.  Formatting is performed via strftime(3) so
# any format string supported by that function is allowed.
#time_format = %h %e %T
.Ed
.Sh SEE ALSO
.Xr strftime 3 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.