{
    "mode": "info",
    "parameter": "sudo_logsrvd.conf",
    "section": "",
    "url": "https://www.chedong.com/phpMan.php/info/sudo_logsrvd.conf/json",
    "generated": "2026-07-05T13:01:36Z",
    "sections": {
        "NAME": {
            "content": "sudologsrvd.conf -- configuration for sudologsrvd\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "The sudologsrvd.conf file is used to configure the sudologsrvd log\nserver.  It uses an INI-style format made up of sections in square brack-\nets and \"key = value\" pairs specific to each section below the section\nname.  Depending on the key, values may be integers, booleans, or\nstrings.  Section and key names are not case sensitive, but values are.\n\nThe pound sign ('#') is used to indicate a comment.  Both the comment\ncharacter and any text after it, up to the end of the line, are ignored.\nLines beginning with a semi-colon (';') are also ignored.\n\nLong lines can be continued with a backslash ('\\') as the last character\non the line.  Note that leading white space is removed from the beginning\nof lines even when the continuation character is used.\n\nThe EXAMPLES section contains a copy of the default sudologsrvd.conf\nfile.\n\nThe following configuration sections are recognized:\n\no   server\no   relay\no   iolog\no   eventlog\no   syslog\no   logfile\n\nEach section is described in detail below.\n\nserver\nThe server section configures the address and port the server will listen\non.  The following keys are recognized:\n\nlistenaddress = host[:port][(tls)]\nThe host name or IP address, optional port to listen on and an\noptional Transport Layer Security (TLS) flag in parentheses.\n\nThe host may be a host name, an IPv4 address, an IPv6 address\nin square brackets or the wild card entry '*'.  A host setting\nof '*' will cause sudologsrvd to listen on all configured net-\nwork interfaces.\n\nIf the optional tls flag is present, sudologsrvd will secure\nthe connection with TLS version 1.2 or 1.3.  Versions of TLS\nprior to 1.2 are not supported.  See sudologsrvd(8) for de-\ntails on generating TLS keys and certificates.\n\nIf a port is specified, it may either be a port number or a\nknown service name as defined by the system service name data-\nbase.  If no port is specified, port 30343 will be used for\nplaintext connections and port 30344 will be used for TLS con-\nnections.\n\nThe default value is:\nlistenaddress = *:30343\nlistenaddress = *:30344(tls)\nwhich will listen on all configured network interfaces for both\nplaintext and TLS connections.  Multiple listenaddress lines\nmay be specified to listen on more than one port or interface.\n\nserverlog = string\nWhere to log server warning and error messages.  Supported val-\nues are none, stderr, syslog, or a path name beginning with the\n'/' character.  Note that a value of stderr is only effective\nwhen used in conjunction with the -n option.  The default value\nis syslog.\n\npidfile = path\nThe path to the file containing the process ID of the running\nsudologsrvd.  If set to an empty value, or if sudologsrvd is\nrun with the -n option, no pidfile will be created.  If\npidfile refers to a symbolic link, it will be ignored.  The\ndefault value is /run/sudo/sudologsrvd.pid.\n\ntcpkeepalive = boolean\nIf true, sudologsrvd will enable the TCP keepalive socket op-\ntion on the client connection.  This enables the periodic\ntransmission of keepalive messages to the client.  If the\nclient does not respond to a message in time, the connection\nwill be closed.  Defaults to true.\n\ntimeout = number\nThe amount of time, in seconds, sudologsrvd will wait for the\nclient to respond.  A value of 0 will disable the timeout.  The\ndefault value is 30.\n\ntlscacert = path\nThe path to a certificate authority bundle file, in PEM format,\nto use instead of the system's default certificate authority\ndatabase when authenticating clients.  The default is to use\n/etc/ssl/sudo/cacert.pem if it exists, otherwise the system's\ndefault certificate authority database is used.\n\ntlscert = path\nThe path to the server's certificate file, in PEM format.  The\ndefault value is /etc/ssl/sudo/certs/logsrvdcert.pem.\n\ntlscheckpeer = bool\nIf true, client certificates will be validated by sudologsrvd;\nclients without a valid certificate will be unable to connect.\nIf false, no validation of client certificates will be per-\nformed.  It true and client certificates are created using a\nprivate certificate authority, the tlscacert setting must be\nset to a CA bundle that contains the CA certificate used to\ngenerate the client certificate.  The default value is false.\n\ntlsciphersv12 = string\nA list of ciphers to use for connections secured by TLS version\n1.2 only, separated by a colon ':'.  See the CIPHER LIST FORMAT\nsection in openssl-ciphers(1) for full details.  The default\nvalue is HIGH:!aNULL which consists of encryption cipher suites\nwith key lengths larger than 128 bits, and some cipher suites\nwith 128-bit keys.  Cipher suites that offer no authentication\nare excluded.\n\ntlsciphersv13 = string\nA list of ciphers to use for connections secured by TLS version\n1.3 only, separated by a colon ':'.  Supported cipher suites\ndepend on the version of OpenSSL used, but should include the\nfollowing:\n\nTLSAES128GCMSHA256\nTLSAES256GCMSHA384\nTLSCHACHA20POLY1305SHA256\nTLSAES128CCMSHA256\nTLSAES128CCM8SHA256\n\nThe default cipher suite is TLSAES256GCMSHA384.\n\ntlsdhparams = path\nThe path to a file containing custom Diffie-Hellman parameters\nin PEM format.  This file can be created with the following\ncommand:\n\nopenssl dhparam -out /etc/sudologsrvddhparams.pem 2048\n\nBy default, sudologsrvd will use the OpenSSL defaults for\nDiffie-Hellman key generation.\n\ntlskey = path\nThe path to the server's private key file, in PEM format.  The\ndefault value is /etc/ssl/sudo/private/logsrvdkey.pem.\n\ntlsverify = bool\nIf true, sudologsrvd.conf will validate its own certificate at\nstartup time or when the configuration is changed.  If false,\nno verification is performed of the server certificate.  When\nusing self-signed certificates without a certificate authority,\nthis setting should be set to false.  The default value is\ntrue.\n\nrelay\nThe relay section configures the optional logsrv relay host and port the\nserver will connect to.  The TLS configuration keys are optional, by de-\nfault the corresponding keys in the server section will be used.  They\nare only present in this section to make it possible for the relay con-\nnection to use a different set of TLS parameters from the client-facing\nserver.  The following keys are recognized:\n\nconnecttimeout = number\nThe amount of time, in seconds, sudologsrvd will wait for the\nconnection to a relayhost (see below) to complete.  Once the\nconnection is complete, the timeout setting controls the amount\nof time sudologsrvd will wait for the relay to respond.  A\nvalue of 0 will disable the timeout.  The default value is 30.\n\nrelaydir = path\nThe directory in which log messages are temporarily stored be-\nfore they are sent to the relay host.  Messages are stored in\nthe wire format specified by sudologsrv.proto(5) The default\nvalue is /var/log/sudologsrvd.\n\nrelayhost = host[:port][(tls)]\nThe relay host name or IP address, optional port to connect to\nand an optional Transport Layer Security (TLS) flag in paren-\ntheses.  The syntax is identical to listenaddress in the\nserver section with one exception: the wild card '*' syntax is\nnot supported.\n\nWhen this setting is enabled, messages from the client will be\nforwarded to one of the specified relay hosts instead of being\nstored locally.  The host could be running an instance of\nsudologsrvd or another server that supports the\nsudologsrv.proto(5) protocol.\n\nIf multiple relayhost lines are specified, the first available\nrelay host will be used.\n\nretryinterval = number\nThe number of seconds to wait after a connection error before\nmaking a new attempt to forward a message to a relay host.  The\ndefault value is 30 seconds.\n\nstorefirst = boolean\nIf true, sudologsrvd will store logs locally before relaying\nthem.  Once the log is complete, a connection to the relay host\nis opened and the log is relayed.  If the network connection is\ninterrupted before the log can be fully transferred, it will be\nretransmitted later.  The default is to relay logs in real-\ntime.\n\ntcpkeepalive = boolean\nIf true, sudologsrvd will enable the TCP keepalive socket op-\ntion on the relay connection.  This enables the periodic trans-\nmission of keepalive messages to the relay server.  If the re-\nlay does not respond to a message in time, the connection will\nbe closed.\n\ntimeout = number\nThe amount of time, in seconds, sudologsrvd will wait for the\nrelay server to respond after a connection has succeeded.  A\nvalue of 0 will disable the timeout.  The default value is 30.\n\ntlscacert = path\nThe path to a certificate authority bundle file, in PEM format,\nto use instead of the system's default certificate authority\ndatabase when authenticating clients.  The default is to use\nthe value specified in the server section, or the system's de-\nfault certificate authority database if no value is set.\n\ntlscert = path\nThe path to the server's certificate file, in PEM format.  The\ndefault is to use the value specified in the server section.\n\ntlscheckpeer = bool\nIf true, the relay host's certificate will be validated by\nsudologsrvd; connections to a relay without a valid certifi-\ncate will fail.  If false, no validation of relay certificates\nwill be performed.  It true and relay certificates are created\nusing a private certificate authority, the tlscacert setting\nmust be set to a CA bundle that contains the CA certificate\nused to generate the relay certificate.  The default is to use\nthe value specified in the server section.\n\ntlsciphersv12 = string\nA list of ciphers to use for connections secured by TLS version\n1.2 only, separated by a colon ':'.  See the CIPHER LIST FORMAT\nsection in openssl-ciphers(1) for full details.  The default is\nto use the value specified in the server section.\n\ntlsciphersv13 = string\nA list of ciphers to use for connections secured by TLS version\n1.3 only, separated by a colon ':'.  Supported cipher suites\ndepend on the version of OpenSSL used, see the server section\nfor more information.  The default is to use the value speci-\nfied in the server section.\n\ntlsdhparams = path\nThe path to a file containing custom Diffie-Hellman parameters\nin PEM format.  The default is to use the value specified in\nthe server section.\n\ntlskey = path\nThe path to the server's private key file, in PEM format.  The\ndefault is to use the value specified in the server section.\n\ntlsverify = bool\nIf true, the server's certificate used for relaying will be\nverified at startup.  If false, no verification is performed of\nthe server certificate.  When using self-signed certificates\nwithout a certificate authority, this setting should be set to\nfalse.  The default is to use the value specified in the server\nsection.\n\niolog\nThe iolog section configures I/O log parameters.  These settings are\nidentical to the I/O configuration in sudoers(5).  The following keys are\nrecognized:\n\niologcompress = boolean\nIf set, I/O logs will be compressed using zlib.  Enabling com-\npression can make it harder to view the logs in real-time as\nthe program is executing due to buffering.  The default value\nis false.\n\niologdir = path\nThe top-level directory to use when constructing the path name\nfor the I/O log directory.  The session sequence number, if\nany, is stored in the directory.  The default value is\n/var/log/sudo-io.\n\nThe following percent ('%') escape sequences are supported:\n\n%{seq}\nexpanded to a monotonically increasing base-36 sequence\nnumber, such as 0100A5, where every two digits are used\nto form a new directory, e.g., 01/00/A5\n\n%{user}\nexpanded to the invoking user's login name\n\n%{group}\nexpanded to the name of the invoking user's real group-ID\n\n%{runasuser}\nexpanded to the login name of the user the command will\nbe run as (e.g., root)\n\n%{runasgroup}\nexpanded to the group name of the user the command will\nbe run as (e.g., wheel)\n\n%{hostname}\nexpanded to the local host name without the domain name\n\n%{command}\nexpanded to the base name of the command being run\n\nIn addition, any escape sequences supported by the system's\nstrftime(3) function will be expanded.\n\nTo include a literal '%' character, the string '%%' should be\nused.\n\niologfile = path\nThe path name, relative to iologdir, in which to store I/O\nlogs.  Note that iologfile may contain directory components.\nThe default value is %{seq}.\n\nSee the iologdir setting above for a list of supported percent\n('%') escape sequences.\n\nIn addition to the escape sequences, path names that end in six\nor more Xs will have the Xs replaced with a unique combination\nof digits and letters, similar to the mktemp(3) function.\n\nIf the path created by concatenating iologdir and iologfile\nalready exists, the existing I/O log file will be truncated and\noverwritten unless iologfile ends in six or more Xs.\n\niologflush = boolean\nIf set, I/O log data is flushed to disk after each write in-\nstead of buffering it.  This makes it possible to view the logs\nin real-time as the program is executing but may significantly\nreduce the effectiveness of I/O log compression.  I/O logs are\nalways flushed before sending a commit point to the client re-\ngardless of this setting.  The default value is true.\n\niologgroup = name\nThe group name to look up when setting the group-ID on new I/O\nlog files and directories.  If iologgroup is not set, the pri-\nmary group-ID of the user specified by iologuser is used. If\nneither iologgroup nor iologuser are set, I/O log files and\ndirectories are created with group-ID 0.\n\niologmode = mode\nThe file mode to use when creating I/O log files.  Mode bits\nfor read and write permissions for owner, group, or other are\nhonored, everything else is ignored.  The file permissions will\nalways include the owner read and write bits, even if they are\nnot present in the specified mode.  When creating I/O log di-\nrectories, search (execute) bits are added to match the read\nand write bits specified by iologmode.  The default value is\n0600.\n\niologuser = name\nThe user name to look up when setting the owner of new I/O log\nfiles and directories.  If iologgroup is set, it will be used\ninstead of the user's primary group-ID.  By default, I/O log\nfiles and directories are created with user and group-ID 0.\n\nmaxseq = number\nThe maximum sequence number that will be substituted for the\n\"%{seq}\" escape in the I/O log file (see the iologdir descrip-\ntion above for more information).  While the value substituted\nfor \"%{seq}\" is in base 36, maxseq itself should be expressed\nin decimal.  Values larger than 2176782336 (which corresponds\nto the base 36 sequence number \"ZZZZZZ\") will be silently trun-\ncated to 2176782336.  The default value is 2176782336.\n\neventlog\nThe eventlog section configures how (and if) security policy events are\nlogged.\n\nlogtype = string\nWhere to log accept, reject, and alert events reported by the pol-\nicy.  Supported values are syslog, logfile, and none.  The default\nvalue is syslog.\n\nlogexit = boolean\nIf true, sudologsrvd will log an event when a command exits or is\nterminated by a signal.  Defaults to false.\n\nlogformat = string\nThe event log format.  Supported log formats are \"sudo\" for tradi-\ntional sudo-style logs and \"json\" for JSON-format logs.  The JSON\nlog entries contain the full contents of the accept, reject, exit\nand alert messages.  The default value is sudo.\n\nsyslog\nThe syslog section configures how events are logged via syslog(3).\n\nfacility = string\nSyslog facility if syslog is being used for logging.  Defaults to\nauthpriv.\n\nThe following syslog facilities are supported: authpriv (if your OS\nsupports it), auth, daemon, user, local0, local1, local2, local3,\nlocal4, local5, local6, and local7.\n\nacceptpriority = string\nSyslog priority to use when the user is allowed to run a command\nand authentication is successful.  Defaults to notice.\n\nThe following syslog priorities are supported: alert, crit, debug,\nemerg, err, info, notice, warning, and none.  Setting it to a value\nof none will disable logging of successful commands.\n\nrejectpriority = string\nSyslog priority to use when the user is not allowed to run a com-\nmand or when authentication is unsuccessful.  Defaults to alert.\n\nSee acceptpriority for the list of supported syslog priorities.\n\nalertpriority = string\nSyslog priority to use for event log alert messages received from\nthe client.  Defaults to alert.\n\nSee acceptpriority for the list of supported syslog priorities.\n\nmaxlen = number\nOn many systems, syslog(3) has a relatively small log buffer.  IETF\nRFC 5424 states that syslog servers must support messages of at\nleast 480 bytes and should support messages up to 2048 bytes.  By\ndefault, sudologsrvd creates log messages up to 960 bytes which\ncorresponds to the historic BSD syslog implementation which used a\n1024 byte buffer to store the message, date, hostname, and program\nname.\n\nTo prevent syslog messages from being truncated, sudologsrvd will\nsplit up sudo-style log messages that are larger than maxlen bytes.\nWhen a message is split, additional parts will include the string\n\"(command continued)\" after the user name and before the continued\ncommand line arguments.  JSON-format log entries are never split\nand are not affected by maxlen.\n\nserverfacility = string\nSyslog facility if syslog is being used for server warning mes-\nsages.  See above for a list of supported facilities.  Defaults to\ndaemon\n\nlogfile\nThe logfile section consists of settings related to logging to a plain\nfile (not syslog).\n\npath = string\nThe path to the file-based event log.  This path must be fully-\nqualified and start with a '/' character.  The default value is\n/var/log/sudo.log.\n\ntimeformat = string\nThe string used when formatting the date and time for file-based\nevent logs.  Formatting is performed via the system's strftime(3)\nfunction so any escape sequences supported by that function will be\nexpanded.  The default value is \"%h %e %T\" which produces dates\nlike \"Oct 3 07:15:24\" in the C locale.\n",
            "subsections": []
        },
        "FILES": {
            "content": "/etc/sudologsrvd.conf    Sudo log server configuration file\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "#\n# sudo logsrv daemon configuration\n#\n\n[server]\n# The host name or IP address and port to listen on with an optional TLS\n# flag.  If no port is specified, port 30343 will be used for plaintext\n# connections and port 30344 will be used to TLS connections.\n# The following forms are accepted:\n#   listenaddress = hostname(tls)\n#   listenaddress = hostname:port(tls)\n#   listenaddress = IPv4address(tls)\n#   listenaddress = IPv4address:port(tls)\n#   listenaddress = [IPv6address](tls)\n#   listenaddress = [IPv6address]:port(tls)\n#\n# The (tls) suffix should be omitted for plaintext connections.\n#\n# Multiple listenaddress settings may be specified.\n# The default is to listen on all addresses.\n#listenaddress = *:30343\n#listenaddress = *:30344(tls)\n\n# The file containing the ID of the running sudologsrvd process.\n#pidfile = /run/sudo/sudologsrvd.pid\n\n# Where to log server warnings: none, stderr, syslog, or a path name.\n#serverlog = syslog\n\n# If true, enable the SOKEEPALIVE socket option on client connections.\n# Defaults to true.\n#tcpkeepalive = true\n\n# The amount of time, in seconds, the server will wait for the client to\n# respond.  A value of 0 will disable the timeout.  The default value is 30.\n#timeout = 30\n\n# If true, the server will validate its own certificate at startup.\n# Defaults to true.\n#tlsverify = true\n\n# If true, client certificates will be validated by the server;\n# clients without a valid certificate will be unable to connect.\n# By default, client certs are not checked.\n#tlscheckpeer = false\n\n# Path to a certificate authority bundle file in PEM format to use\n# instead of the system's default certificate authority database.\n#tlscacert = /etc/ssl/sudo/cacert.pem\n\n# Path to the server's certificate file in PEM format.\n# Required for TLS connections.\n#tlscert = /etc/ssl/sudo/certs/logsrvdcert.pem\n\n# Path to the server's private key file in PEM format.\n# Required for TLS connections.\n#tlskey = /etc/ssl/sudo/private/logsrvdkey.pem\n\n# TLS cipher list (see \"CIPHER LIST FORMAT\" in the openssl-ciphers manual).\n# NOTE that this setting is only effective if the negotiated protocol\n# is TLS version 1.2.\n# The default cipher list is HIGH:!aNULL.\n#tlsciphersv12 = HIGH:!aNULL\n\n# TLS cipher list if the negotiated protocol is TLS version 1.3.\n# The default cipher list is TLSAES256GCMSHA384.\n#tlsciphersv13 = TLSAES256GCMSHA384\n\n# Path to the Diffie-Hellman parameter file in PEM format.\n# If not set, the server will use the OpenSSL defaults.\n#tlsdhparams = /etc/ssl/sudo/logsrvddhparams.pem\n\n[relay]\n# The host name or IP address and port to send logs to in relay mode.\n# The syntax is identical to listenaddress with the exception of\n# the wild card ('*') syntax.  When this setting is enabled, logs will\n# be relayed to the specified host instead of being stored locally.\n# This setting is not enabled by default.\n#relayhost = relayhost.dom.ain\n#relayhost = relayhost.dom.ain(tls)\n\n# The amount of time, in seconds, the server will wait for a connection\n# to the relay server to complete.  A value of 0 will disable the timeout.\n# The default value is 30.\n#connecttimeout = 30\n\n# The directory to store messages in before they are sent to the relay.\n# Messages are stored in wire format.\n# The default value is /var/log/sudologsrvd.\n#relaydir = /var/log/sudologsrvd\n\n# The number of seconds to wait after a connection error before\n# making a new attempt to forward a message to a relay host.\n# The default value is 30.\n#retryinterval = 30\n\n# Whether to store the log before relaying it.  If true, enable store\n# and forward mode.  If false, the client connection is immediately\n# relayed.  Defaults to false.\n#storefirst = true\n\n# If true, enable the SOKEEPALIVE socket option on relay connections.\n# Defaults to true.\n#tcpkeepalive = true\n\n# The amount of time, in seconds, the server will wait for the relay to\n# respond.  A value of 0 will disable the timeout.  The default value is 30.\n#timeout = 30\n\n# If true, the server's relay certificate will be verified at startup.\n# The default is to use the value in the [server] section.\n#tlsverify = true\n\n# Whether to verify the relay's certificate for TLS connections.\n# The default is to use the value in the [server] section.\n#tlscheckpeer = false\n\n# Path to a certificate authority bundle file in PEM format to use\n# instead of the system's default certificate authority database.\n# The default is to use the value in the [server] section.\n#tlscacert = /etc/ssl/sudo/cacert.pem\n\n# Path to the server's certificate file in PEM format.\n# The default is to use the certificate in the [server] section.\n#tlscert = /etc/ssl/sudo/certs/logsrvdcert.pem\n\n# Path to the server's private key file in PEM format.\n# The default is to use the key in the [server] section.\n#tlskey = /etc/ssl/sudo/private/logsrvdkey.pem\n\n# TLS cipher list (see \"CIPHER LIST FORMAT\" in the openssl-ciphers manual).\n# NOTE that this setting is only effective if the negotiated protocol\n# is TLS version 1.2.\n# The default is to use the value in the [server] section.\n#tlsciphersv12 = HIGH:!aNULL\n\n# TLS cipher list if the negotiated protocol is TLS version 1.3.\n# The default is to use the value in the [server] section.\n#tlsciphersv13 = TLSAES256GCMSHA384\n\n# Path to the Diffie-Hellman parameter file in PEM format.\n# The default is to use the value in the [server] section.\n#tlsdhparams = /etc/ssl/sudo/logsrvddhparams.pem\n\n[iolog]\n# The top-level directory to use when constructing the path name for the\n# I/O log directory.  The session sequence number, if any, is stored here.\n#iologdir = /var/log/sudo-io\n\n# The path name, relative to iologdir, in which to store I/O logs.\n# Note that iologfile may contain directory components.\n#iologfile = %{seq}\n\n# If set, I/O logs will be compressed using zlib.  Enabling compression can\n# make it harder to view the logs in real-time as the program is executing.\n#iologcompress = false\n\n# If set, I/O log data is flushed to disk after each write instead of\n# buffering it.  This makes it possible to view the logs in real-time\n# as the program is executing but reduces the effectiveness of compression.\n#iologflush = true\n\n# The group to use when creating new I/O log files and directories.\n# If iologgroup is not set, the primary group-ID of the user specified\n# by iologuser is used.  If neither iologgroup nor iologuser\n# are set, I/O log files and directories are created with group-ID 0.\n#iologgroup = wheel\n\n# The user to use when setting the user-ID and group-ID of new I/O\n# log files and directories.  If iologgroup is set, it will be used\n# instead of the user's primary group-ID.  By default, I/O log files\n# and directories are created with user and group-ID 0.\n#iologuser = root\n\n# The file mode to use when creating I/O log files.  The file permissions\n# will always include the owner read and write bits, even if they are\n# not present in the specified mode.  When creating I/O log directories,\n# search (execute) bits are added to match the read and write bits\n# specified by iologmode.\n#iologmode = 0600\n\n# The maximum sequence number that will be substituted for the \"%{seq}\"\n# escape in the I/O log file.  While the value substituted for \"%{seq}\"\n# is in base 36, maxseq itself should be expressed in decimal.  Values\n# larger than 2176782336 (which corresponds to the base 36 sequence\n# number \"ZZZZZZ\") will be silently truncated to 2176782336.\n#maxseq = 2176782336\n\n[eventlog]\n# Where to log accept, reject, exit, and alert events.\n# Accepted values are syslog, logfile, or none.\n# Defaults to syslog\n#logtype = syslog\n\n# Whether to log an event when a command exits or is terminated by a signal.\n# Defaults to false\n#logexit = true\n\n# Event log format.\n# Currently only sudo-style event logs are supported.\n#logformat = sudo\n\n[syslog]\n# The maximum length of a syslog payload.\n# On many systems, syslog(3) has a relatively small log buffer.\n# IETF RFC 5424 states that syslog servers must support messages\n# of at least 480 bytes and should support messages up to 2048 bytes.\n# Messages larger than this value will be split into multiple messages.\n#maxlen = 960\n\n# The syslog facility to use for event log messages.\n# The following syslog facilities are supported: authpriv (if your OS\n# supports it), auth, daemon, user, local0, local1, local2, local3,\n# local4, local5, local6, and local7.\n#facility = authpriv\n\n# Syslog priority to use for event log accept messages, when the command\n# is allowed by the security policy.  The following syslog priorities are\n# supported: alert, crit, debug, emerg, err, info, notice, warning, none.\n#acceptpriority = notice\n\n# Syslog priority to use for event log reject messages, when the command\n# is not allowed by the security policy.\n#rejectpriority = alert\n\n# Syslog priority to use for event log alert messages reported by the\n# client.\n#alertpriority = alert\n\n# The syslog facility to use for server warning messages.\n# Defaults to daemon.\n#serverfacility = daemon\n\n[logfile]\n# The path to the file-based event log.\n# This path must be fully-qualified and start with a '/' character.\n#path = /var/log/sudo\n\n# The format string used when formatting the date and time for\n# file-based event logs.  Formatting is performed via strftime(3) so\n# any format string supported by that function is allowed.\n#timeformat = %h %e %T\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "strftime(3), sudo.conf(5), sudoers(5), sudo(8), sudologsrvd(8)\n",
            "subsections": []
        },
        "HISTORY": {
            "content": "See the HISTORY file in the sudo distribution (https://www.sudo.ws/his-\ntory.html) for a brief history of sudo.\n",
            "subsections": []
        },
        "AUTHORS": {
            "content": "Many people have worked on sudo over the years; this version consists of\ncode written primarily by:\n\nTodd C. Miller\n\nSee the CONTRIBUTORS file in the sudo distribution\n(https://www.sudo.ws/contributors.html) for an exhaustive list of people\nwho have contributed to sudo.\n",
            "subsections": []
        },
        "BUGS": {
            "content": "If you feel you have found a bug in sudo, please submit a bug report at\nhttps://bugzilla.sudo.ws/\n",
            "subsections": []
        },
        "SUPPORT": {
            "content": "Limited free support is available via the sudo-users mailing list, see\nhttps://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search\nthe archives.\n",
            "subsections": []
        },
        "DISCLAIMER": {
            "content": "sudo is provided \"AS IS\" and any express or implied warranties, includ-\ning, but not limited to, the implied warranties of merchantability and\nfitness for a particular purpose are disclaimed.  See the LICENSE file\ndistributed with sudo or https://www.sudo.ws/license.html for complete\ndetails.\n",
            "subsections": []
        },
        "Sudo 1.9.9                     January 19, 2022                     Sudo 1.9.9": {
            "content": "",
            "subsections": []
        }
    },
    "summary": "sudologsrvd.conf -- configuration for sudologsrvd",
    "flags": [],
    "examples": [
        "# sudo logsrv daemon configuration",
        "[server]",
        "# The host name or IP address and port to listen on with an optional TLS",
        "# flag.  If no port is specified, port 30343 will be used for plaintext",
        "# connections and port 30344 will be used to TLS connections.",
        "# The following forms are accepted:",
        "#   listenaddress = hostname(tls)",
        "#   listenaddress = hostname:port(tls)",
        "#   listenaddress = IPv4address(tls)",
        "#   listenaddress = IPv4address:port(tls)",
        "#   listenaddress = [IPv6address](tls)",
        "#   listenaddress = [IPv6address]:port(tls)",
        "# The (tls) suffix should be omitted for plaintext connections.",
        "# Multiple listenaddress settings may be specified.",
        "# The default is to listen on all addresses.",
        "#listenaddress = *:30343",
        "#listenaddress = *:30344(tls)",
        "# The file containing the ID of the running sudologsrvd process.",
        "#pidfile = /run/sudo/sudologsrvd.pid",
        "# Where to log server warnings: none, stderr, syslog, or a path name.",
        "#serverlog = syslog",
        "# If true, enable the SOKEEPALIVE socket option on client connections.",
        "# Defaults to true.",
        "#tcpkeepalive = true",
        "# The amount of time, in seconds, the server will wait for the client to",
        "# respond.  A value of 0 will disable the timeout.  The default value is 30.",
        "#timeout = 30",
        "# If true, the server will validate its own certificate at startup.",
        "# Defaults to true.",
        "#tlsverify = true",
        "# If true, client certificates will be validated by the server;",
        "# clients without a valid certificate will be unable to connect.",
        "# By default, client certs are not checked.",
        "#tlscheckpeer = false",
        "# Path to a certificate authority bundle file in PEM format to use",
        "# instead of the system's default certificate authority database.",
        "#tlscacert = /etc/ssl/sudo/cacert.pem",
        "# Path to the server's certificate file in PEM format.",
        "# Required for TLS connections.",
        "#tlscert = /etc/ssl/sudo/certs/logsrvdcert.pem",
        "# Path to the server's private key file in PEM format.",
        "# Required for TLS connections.",
        "#tlskey = /etc/ssl/sudo/private/logsrvdkey.pem",
        "# TLS cipher list (see \"CIPHER LIST FORMAT\" in the openssl-ciphers manual).",
        "# NOTE that this setting is only effective if the negotiated protocol",
        "# is TLS version 1.2.",
        "# The default cipher list is HIGH:!aNULL.",
        "#tlsciphersv12 = HIGH:!aNULL",
        "# TLS cipher list if the negotiated protocol is TLS version 1.3.",
        "# The default cipher list is TLSAES256GCMSHA384.",
        "#tlsciphersv13 = TLSAES256GCMSHA384",
        "# Path to the Diffie-Hellman parameter file in PEM format.",
        "# If not set, the server will use the OpenSSL defaults.",
        "#tlsdhparams = /etc/ssl/sudo/logsrvddhparams.pem",
        "[relay]",
        "# The host name or IP address and port to send logs to in relay mode.",
        "# The syntax is identical to listenaddress with the exception of",
        "# the wild card ('*') syntax.  When this setting is enabled, logs will",
        "# be relayed to the specified host instead of being stored locally.",
        "# This setting is not enabled by default.",
        "#relayhost = relayhost.dom.ain",
        "#relayhost = relayhost.dom.ain(tls)",
        "# The amount of time, in seconds, the server will wait for a connection",
        "# to the relay server to complete.  A value of 0 will disable the timeout.",
        "# The default value is 30.",
        "#connecttimeout = 30",
        "# The directory to store messages in before they are sent to the relay.",
        "# Messages are stored in wire format.",
        "# The default value is /var/log/sudologsrvd.",
        "#relaydir = /var/log/sudologsrvd",
        "# The number of seconds to wait after a connection error before",
        "# making a new attempt to forward a message to a relay host.",
        "# The default value is 30.",
        "#retryinterval = 30",
        "# Whether to store the log before relaying it.  If true, enable store",
        "# and forward mode.  If false, the client connection is immediately",
        "# relayed.  Defaults to false.",
        "#storefirst = true",
        "# If true, enable the SOKEEPALIVE socket option on relay connections.",
        "# Defaults to true.",
        "#tcpkeepalive = true",
        "# The amount of time, in seconds, the server will wait for the relay to",
        "# respond.  A value of 0 will disable the timeout.  The default value is 30.",
        "#timeout = 30",
        "# If true, the server's relay certificate will be verified at startup.",
        "# The default is to use the value in the [server] section.",
        "#tlsverify = true",
        "# Whether to verify the relay's certificate for TLS connections.",
        "# The default is to use the value in the [server] section.",
        "#tlscheckpeer = false",
        "# Path to a certificate authority bundle file in PEM format to use",
        "# instead of the system's default certificate authority database.",
        "# The default is to use the value in the [server] section.",
        "#tlscacert = /etc/ssl/sudo/cacert.pem",
        "# Path to the server's certificate file in PEM format.",
        "# The default is to use the certificate in the [server] section.",
        "#tlscert = /etc/ssl/sudo/certs/logsrvdcert.pem",
        "# Path to the server's private key file in PEM format.",
        "# The default is to use the key in the [server] section.",
        "#tlskey = /etc/ssl/sudo/private/logsrvdkey.pem",
        "# TLS cipher list (see \"CIPHER LIST FORMAT\" in the openssl-ciphers manual).",
        "# NOTE that this setting is only effective if the negotiated protocol",
        "# is TLS version 1.2.",
        "# The default is to use the value in the [server] section.",
        "#tlsciphersv12 = HIGH:!aNULL",
        "# TLS cipher list if the negotiated protocol is TLS version 1.3.",
        "# The default is to use the value in the [server] section.",
        "#tlsciphersv13 = TLSAES256GCMSHA384",
        "# Path to the Diffie-Hellman parameter file in PEM format.",
        "# The default is to use the value in the [server] section.",
        "#tlsdhparams = /etc/ssl/sudo/logsrvddhparams.pem",
        "[iolog]",
        "# The top-level directory to use when constructing the path name for the",
        "# I/O log directory.  The session sequence number, if any, is stored here.",
        "#iologdir = /var/log/sudo-io",
        "# The path name, relative to iologdir, in which to store I/O logs.",
        "# Note that iologfile may contain directory components.",
        "#iologfile = %{seq}",
        "# If set, I/O logs will be compressed using zlib.  Enabling compression can",
        "# make it harder to view the logs in real-time as the program is executing.",
        "#iologcompress = false",
        "# If set, I/O log data is flushed to disk after each write instead of",
        "# buffering it.  This makes it possible to view the logs in real-time",
        "# as the program is executing but reduces the effectiveness of compression.",
        "#iologflush = true",
        "# The group to use when creating new I/O log files and directories.",
        "# If iologgroup is not set, the primary group-ID of the user specified",
        "# by iologuser is used.  If neither iologgroup nor iologuser",
        "# are set, I/O log files and directories are created with group-ID 0.",
        "#iologgroup = wheel",
        "# The user to use when setting the user-ID and group-ID of new I/O",
        "# log files and directories.  If iologgroup is set, it will be used",
        "# instead of the user's primary group-ID.  By default, I/O log files",
        "# and directories are created with user and group-ID 0.",
        "#iologuser = root",
        "# The file mode to use when creating I/O log files.  The file permissions",
        "# will always include the owner read and write bits, even if they are",
        "# not present in the specified mode.  When creating I/O log directories,",
        "# search (execute) bits are added to match the read and write bits",
        "# specified by iologmode.",
        "#iologmode = 0600",
        "# The maximum sequence number that will be substituted for the \"%{seq}\"",
        "# escape in the I/O log file.  While the value substituted for \"%{seq}\"",
        "# is in base 36, maxseq itself should be expressed in decimal.  Values",
        "# larger than 2176782336 (which corresponds to the base 36 sequence",
        "# number \"ZZZZZZ\") will be silently truncated to 2176782336.",
        "#maxseq = 2176782336",
        "[eventlog]",
        "# Where to log accept, reject, exit, and alert events.",
        "# Accepted values are syslog, logfile, or none.",
        "# Defaults to syslog",
        "#logtype = syslog",
        "# Whether to log an event when a command exits or is terminated by a signal.",
        "# Defaults to false",
        "#logexit = true",
        "# Event log format.",
        "# Currently only sudo-style event logs are supported.",
        "#logformat = sudo",
        "[syslog]",
        "# The maximum length of a syslog payload.",
        "# On many systems, syslog(3) has a relatively small log buffer.",
        "# IETF RFC 5424 states that syslog servers must support messages",
        "# of at least 480 bytes and should support messages up to 2048 bytes.",
        "# Messages larger than this value will be split into multiple messages.",
        "#maxlen = 960",
        "# The syslog facility to use for event log messages.",
        "# The following syslog facilities are supported: authpriv (if your OS",
        "# supports it), auth, daemon, user, local0, local1, local2, local3,",
        "# local4, local5, local6, and local7.",
        "#facility = authpriv",
        "# Syslog priority to use for event log accept messages, when the command",
        "# is allowed by the security policy.  The following syslog priorities are",
        "# supported: alert, crit, debug, emerg, err, info, notice, warning, none.",
        "#acceptpriority = notice",
        "# Syslog priority to use for event log reject messages, when the command",
        "# is not allowed by the security policy.",
        "#rejectpriority = alert",
        "# Syslog priority to use for event log alert messages reported by the",
        "# client.",
        "#alertpriority = alert",
        "# The syslog facility to use for server warning messages.",
        "# Defaults to daemon.",
        "#serverfacility = daemon",
        "[logfile]",
        "# The path to the file-based event log.",
        "# This path must be fully-qualified and start with a '/' character.",
        "#path = /var/log/sudo",
        "# The format string used when formatting the date and time for",
        "# file-based event logs.  Formatting is performed via strftime(3) so",
        "# any format string supported by that function is allowed.",
        "#timeformat = %h %e %T"
    ],
    "see_also": [
        {
            "name": "strftime",
            "section": "3",
            "url": "https://www.chedong.com/phpMan.php/man/strftime/3/json"
        },
        {
            "name": "sudo.conf",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/sudo.conf/5/json"
        },
        {
            "name": "sudoers",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/sudoers/5/json"
        },
        {
            "name": "sudo",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/sudo/8/json"
        },
        {
            "name": "sudologsrvd",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/sudologsrvd/8/json"
        }
    ]
}