SUDO_SENDLOG(8) BSD System Manager's Manual SUDO_SENDLOG(8)
NAME
sudo_sendlog -- send sudo I/O log to log server
SYNOPSIS
sudo_sendlog [-AnV] [-b ca_bundle] [-c cert_file] [-h host] [-i iolog-id]
[-k key_file] [-p port] [-r restart-point]
[-R reject-reason] [-t number] path
DESCRIPTION
sudo_sendlog can be used to send the existing sudoers I/O log path to a
remote log server such as sudo_logsrvd(8) for central storage.
The options are as follows:
-A, --accept-only
Only send the accept event, not the I/O associated with the
log. This can be used to test the logging of accept events
without any associated I/O.
-b, --ca-bundle
The path to a certificate authority bundle file, in PEM for-
mat, to use instead of the system's default certificate au-
thority database when authenticating the log server. The de-
fault is to use the system's default certificate authority
database.
-c, --cert The path to the client's certificate file in PEM format.
This setting is required when the connection to the remote
log server is secured with TLS.
--help Display a short help message to the standard output and exit.
-h, --host Connect to the specified host instead of localhost.
-i, --iolog-id
Use the specified iolog-id when restarting a log transfer.
The iolog-id is reported by the server when it creates the
remote I/O log. This option may only be used in conjunction
with the -r option.
-k, --key The path to the client's private key file in PEM format.
This setting is required when the connection to the remote
log server is secured with TLS.
-n, --no-verify
If specified, the server's certificate will not be verified
during the TLS handshake. By default, sudo_sendlog verifies
that the server's certificate is valid and that it contains
either the server's host name or its IP address. This set-
ting is only supported when the connection to the remote log
server is secured with TLS.
-p, --port Use the specified network port when connecting to the log
server instead of the default, port 30344.
-r, --restart
Restart an interrupted connection to the log server. The
specified restart-point is used to tell the server the point
in time at which to continue the log. The restart-point is
specified in the form "seconds,nanoseconds" and is usually
the last commit point received from the server. The -i op-
tion must also be specified when restarting a transfer.
-R, --reject
Send a reject event for the command using the specified
reject-reason, even though it was actually accepted locally.
This can be used to test the logging of reject events; no I/O
will be sent.
-t, --test Open number simultaneous connections to the log server and
send the specified I/O log file on each one. This option is
useful for performance testing.
-V, --version
Print the sudo_sendlog version and exit.
Debugging sendlog
sudo_sendlog supports a flexible debugging framework that is configured
via Debug lines in the sudo.conf(5) file.
For more information on configuring sudo.conf(5), please refer to its
manual.
FILES
/etc/sudo.conf Sudo front end configuration
SEE ALSO
sudo.conf(5), sudo(8), sudo_logsrvd(8)
AUTHORS
Many people have worked on sudo over the years; this version consists of
code written primarily by:
Todd C. Miller
See the CONTRIBUTORS file in the sudo distribution
(https://www.sudo.ws/contributors.html) for an exhaustive list of people
who have contributed to sudo.
BUGS
If you feel you have found a bug in sudo_sendlog, please submit a bug re-
port at https://bugzilla.sudo.ws/
SUPPORT
Limited free support is available via the sudo-users mailing list, see
https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
DISCLAIMER
sudo_sendlog is provided "AS IS" and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with sudo or https://www.sudo.ws/license.html for com-
plete details.
Sudo 1.9.5p2 May 12, 2020 Sudo 1.9.5p2