[sudo-users] disable logging successful commands to systemd journal

Todd C. Miller Todd.Miller at courtesan.com
Wed Nov 30 14:06:04 MST 2016


On Wed, 30 Nov 2016 13:02:14 +0100, ilf wrote:

> By default, sudo logs every invocation to system logs.
> 
> I would like to disable logging successful commands to systemd journal.
> But I would like to *keep* logs about unsuccessful attempts, like
> "pam_unix(sudo:auth): authentication failure" and "3 incorrect password
> attempts".
> 
> Unfortunately, I cannot figure out from man-pages and
> /usr/share/doc/sudo/ how to do that.

By default, sudo logs via syslog.  You can control the priorities
used for successful and unsuccessful sudo attempts using the
syslog_badpri and syslog_goodpri settings in sudoers.  For example:

Defaults syslog_goodpri=debug

would log successful sudo commands at priority "debug" instead of
the default value of "notice".

Normally, what you would do is configure your syslog daemon to only
store logs for higher priority messages.

However, it doesn't appear that systemd/journald operates in this
way.  If you are using journald in conjunction with a syslog daemon
you should be able to drop the successful sudo messages on the syslog
side.

I don't really use systemd so perhaps someone else will have a
better idea of how to make it do what you want.

 - todd
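As an added illustration of the two halves Todd describes (this is not code from his reply or from the sudo project), the sudoers lines below lower the priority of successful commands, and the rsyslog rule discards only those records while leaving failures and the PAM messages untouched. The file names /etc/sudoers.d/logging and /etc/rsyslog.d/10-sudo.conf are assumed; use whatever your distribution's layout expects.

```conf
# /etc/sudoers.d/logging   (assumed file name; install it with "visudo -f")
# Successful commands are sent to syslog at priority "debug".
# "alert" is sudo's default syslog_badpri; it is written out here so the
# failure path is visibly unchanged.
Defaults syslog_goodpri=debug
Defaults syslog_badpri=alert

# /etc/rsyslog.d/10-sudo.conf   (assumed file name)
# rsyslog RainerScript filter. Severity 7 is "debug", so this matches only
# the successful-command records produced by the setting above.
# "stop" ends processing for that message, so it never reaches a log file.
# The pam_unix "authentication failure" lines and sudo's
# "3 incorrect password attempts" are logged at higher priorities and pass
# through. Order this rule before the rule that writes authpriv.* to disk.
if $programname == 'sudo' and $syslogseverity == 7 then stop
```

To check it, run a successful sudo command and a deliberately failed one, then compare the rsyslog-written file (/var/log/auth.log or /var/log/secure) with "journalctl -t sudo": the file should show only the failure, while the journal still shows both, because journald receives sudo's messages directly and only forwards a copy to rsyslog. journald's own MaxLevelStore= setting in journald.conf can suppress debug-level records from the journal, but it applies to every service on the system, not just sudo, so the rsyslog rule is the narrower option.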

