[sudo-users] sudoreplay logs from syslog-server

JR Aquino JR.Aquino at citrix.com
Wed Sep 7 11:30:22 EDT 2011

On Sep 7, 2011, at 7:18 AM, Patrick Spinler wrote:

> On 09/07/2011 07:07 AM, Todd C. Miller wrote:
>> On Wed, 07 Sep 2011 10:14:08 +0200, Sebastian Ohliger wrote:
>>> is it possible with sudoreplay to replay sessions logged to an
>>> syslog-server?  We're using sudo with local logging on each server
>>> and sometimes user starts an top or nmon and he forget his session...
>>> Now we're implementing a new concept for user management, for
>>> sudo I don't wan't to store logs local.
>> The session logs are not plain text and so are not really suitable
>> for syslog, which is why they are currently only logged locally.
>> Remote logging of session would require a separate log daemon.
>> The sourceforge project sslogger comes with a dameon, slogd that
>> could probably be used if a sudo I/O logging plugin was written for
>> it.
> Todd:
> Logging sessions via  syslog would also be a desirable feature in our
> setup.  We centralize our syslogs as a auditing feature, and this could
> only help.
> If I may make a suggestion, an option might be to encode sessions into a
> printable ascii format, tag it with a session ID, and forward it to
> syslog.  Then sudoreply could have the decoding built into it.
> I'd be willing to help out here, if I could wriggle enough free tuits,
> and if you thought the concept was acceptable, I'd not mind working on a
> patch to submit.
> -- Pat

Pat, I have looked into this as we are also interested in centralization, and as I have a great deal of experience with custom syslog solutions...

Since Sudo is stepping in with its own vtty, it stores the data in a binary format. The record of events are not merely ascii text, but rather, the recording of the exact keystrokes including the speed at which they were typed, and backspace/delete sequences.  I do not believe it is possible to articulate this data in its current form into ascii.

What I have settled on, is the idea that the files can be monitored by a daemon, and transferred to a central location after each one is fully written.  They can be transferred into a similar directory hierarchy to syslog-ng, whereby the sub-domain/servername/dated-filename-sudoio.log would live.

>From there sudoreplay can be used on the central server itself to review questionable time periods similar to the inspection of video surveillance tapes.

I am interested in assisting in any effort to help centralize Sudo's IO logs, though I am not confident that it will / can be done with syslog.

Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aquino at citrixonline.com

More information about the sudo-users mailing list