[sudo-users] sudoreplay logs from syslog-server

Todd C. Miller Todd.Miller at courtesan.com
Wed Sep 7 11:24:36 EDT 2011


On Wed, 07 Sep 2011 09:18:59 CDT, Patrick Spinler wrote:

> If I may make a suggestion, an option might be to encode sessions into a
> printable ascii format, tag it with a session ID, and forward it to
> syslog.  Then sudoreplay could have the decoding built into it.

Using syslog is problematic for a number of reasons.

The I/O logging logs every read and write to the terminal, which
can generate a large number of records, potentially split among
multiple files on the log server.

One approach would be to log locally until the command has completed
and then send the entire log file, but then we run up against
the fact that most syslog implementations have a small maximum
record size, so it would likely need to be split up into multiple
entries anyway.

Syslog uses UDP by default which doesn't guarantee delivery.  If
you lose any one of the parts of the I/O log you can end up with a
useless log file.

On the log server you would need a process to decode the log entries
from syslog format and write them to a format suitable for sudoreplay
to use.  If you use a syslog daemon that supports logging to a pipe
that would probably simplify things somewhat.

 - todd
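An added illustration of the chunk-and-reassemble scheme discussed in this thread (a completed I/O log split into printable records that fit a syslog size limit, tagged with a session ID, and a server-side decoder that refuses to write a file when a part was lost). This is example code, not sudo's or sudoreplay's own format; the `sudo_io` record layout, the session ID values and the 1024-byte budget are assumptions.

```python
import base64
import re

# Constructed record format and limits for this example; not sudo's wire format.
MAX_RECORD = 1024          # conservative per-record payload budget, in bytes
RECORD_RE = re.compile(r"sudo_io session=(\S+) seq=(\d+)/(\d+) data=(\S*)")

def encode_session(session_id, data, max_record=MAX_RECORD):
    """Encode one completed I/O log as numbered, printable-ASCII records that
    each fit in max_record bytes. The seq/total tag lets the receiver detect a
    dropped part instead of silently producing a broken replay file."""
    b64 = base64.b64encode(data).decode("ascii")   # terminal bytes -> printable
    header = f"sudo_io session={session_id} seq=9999/9999 data="
    chunk_len = max_record - len(header)            # headroom for the header
    if chunk_len <= 0:
        raise ValueError("max_record too small for the record header")
    chunks = [b64[i:i + chunk_len] for i in range(0, len(b64), chunk_len)] or [""]
    return [f"sudo_io session={session_id} seq={n}/{len(chunks)} data={c}"
            for n, c in enumerate(chunks, 1)]

def reassemble(lines):
    """Collect received records per session. Returns {session_id: (data, missing)}
    where data is the decoded log (None if incomplete) and missing lists the
    absent sequence numbers."""
    parts = {}
    for line in lines:
        m = RECORD_RE.search(line)
        if not m:
            continue                       # unrelated syslog traffic
        sid, seq, total, chunk = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        entry = parts.setdefault(sid, {"total": total, "chunks": {}})
        entry["chunks"][seq] = chunk       # duplicate deliveries are harmless
    result = {}
    for sid, entry in parts.items():
        missing = [n for n in range(1, entry["total"] + 1) if n not in entry["chunks"]]
        if missing:
            result[sid] = (None, missing)  # incomplete: do not write a replay file
        else:
            joined = "".join(entry["chunks"][n] for n in range(1, entry["total"] + 1))
            result[sid] = (base64.b64decode(joined), [])
    return result

if __name__ == "__main__":
    sample = b"\x1b[32m$ id\r\nuid=0(root)\r\n" * 200   # constructed terminal output
    records = encode_session("0001A3", sample, max_record=256)
    complete = reassemble(records)
    lossy = reassemble(records[:2] + records[3:])      # simulate one dropped datagram
    print(len(records), complete["0001A3"][0] == sample, lossy["0001A3"][1])
```

Run stand-alone it prints the record count, confirms the lossless round trip, and reports `[3]` as the missing part for the lossy case.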
