[sudo-users] disable logging successful commands to systemd journal

Todd C. Miller Todd.Miller at courtesan.com
Wed Nov 30 14:06:04 MST 2016

On Wed, 30 Nov 2016 13:02:14 +0100, ilf wrote:

> By default, sudo logs every invocation to system logs.
> I would like to disable logging successful commands to systemd journal.
> But I would like to *keep* logs about unsuccessful attempts, like
> "pam_unix(sudo:auth): authentication failure" and "3 incorrect password
> attempts".
> Unfortunately, I cannot figure out from man-pages and
> /usr/share/doc/sudo/ how to do that.

By default, sudo logs via syslog.  You can control the priorities
used for successful and unsuccessful sudo attempts using the
syslog_badpri and syslog_goodpri settings in sudoers.  For example:

Defaults syslog_goodpri=debug

would log successful sudo commands at priority "debug" instead of
the default value of "notice".

Normally, what you would do is configure your syslog daemon to only
store logs for higher priority messages.

However, it doesn't appear that systemd/journald operates in this
way.  If you are using journald in conjunction with a syslog daemon
you should be able to drop the sucessful sudo messages on the syslog

I don't really use systemd so perhaps someone else will have a
better idea of how to make it do what you want.

 - todd

More information about the sudo-users mailing list