1
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
1
SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m)
6
sudoreplay - replay sudo session logs
4
s�su�ud�do�or�re�ep�pl�la�ay�y - replay sudo session logs
8
6
S�SY�YN�NO�OP�PS�SI�IS�S
9
s�su�ud�do�or�re�ep�pl�la�ay�y [-�-h�h] [-�-d�d _�d_�i_�r_�e_�c_�t_�o_�r_�y] [-�-f�f _�f_�i_�l_�t_�e_�r] [-�-m�m _�m_�a_�x_�__�w_�a_�i_�t] [-�-s�s
10
_�s_�p_�e_�e_�d_�__�f_�a_�c_�t_�o_�r] ID
7
s�su�ud�do�or�re�ep�pl�la�ay�y [-�-h�h] [-�-d�d _�d_�i_�r_�e_�c_�t_�o_�r_�y] [-�-f�f _�f_�i_�l_�t_�e_�r] [-�-m�m _�m_�a_�x_�__�w_�a_�i_�t]
8
[-�-s�s _�s_�p_�e_�e_�d_�__�f_�a_�c_�t_�o_�r] ID
12
s�su�ud�do�or�re�ep�pl�la�ay�y [-�-h�h] [-�-d�d _�d_�i_�r_�e_�c_�t_�o_�r_�y] -l [search expression]
10
s�su�ud�do�or�re�ep�pl�la�ay�y [-�-h�h] [-�-d�d _�d_�i_�r_�e_�c_�t_�o_�r_�y] -�-l�l [search expression]
14
12
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
15
s�su�ud�do�or�re�ep�pl�la�ay�y plays back or lists the output logs created by s�su�ud�do�o. When
16
replaying, s�su�ud�do�or�re�ep�pl�la�ay�y can play the session back in real-time, or the
17
playback speed may be adjusted (faster or slower) based on the command
20
The _�I_�D should either be a six character sequence of digits and upper
21
case letters, e.g. 0100A5, or a pattern matching the _�i_�o_�l_�o_�g_�__�f_�i_�l_�e option
22
in the _�s_�u_�d_�o_�e_�r_�s file. When a command is run via s�su�ud�do�o with _�l_�o_�g_�__�o_�u_�t_�p_�u_�t
23
enabled in the _�s_�u_�d_�o_�e_�r_�s file, a TSID=ID string is logged via syslog or
24
to the s�su�ud�do�o log file. The _�I_�D may also be determined using s�su�ud�do�or�re�ep�pl�la�ay�y's
27
In list mode, s�su�ud�do�or�re�ep�pl�la�ay�y can be used to find the ID of a session based
28
on a number of criteria such as the user, tty or command run.
30
In replay mode, if the standard output has not been redirected,
31
s�su�ud�do�or�re�ep�pl�la�ay�y will act on the following keys:
34
Pause output; press any key to resume.
36
'<' Reduce the playback speed by one half.
38
'>' Double the playback speed.
41
s�su�ud�do�or�re�ep�pl�la�ay�y accepts the following command line options:
43
-d _�d_�i_�r_�e_�c_�t_�o_�r_�y
44
Use _�d_�i_�r_�e_�c_�t_�o_�r_�y to for the session logs instead of the
13
s�su�ud�do�or�re�ep�pl�la�ay�y plays back or lists the output logs created by s�su�ud�do�o. When
14
replaying, s�su�ud�do�or�re�ep�pl�la�ay�y can play the session back in real-time, or the
15
playback speed may be adjusted (faster or slower) based on the command
18
The _�I_�D should either be a six character sequence of digits and upper case
19
letters, e.g. 0100A5, or a pattern matching the _�i_�o_�l_�o_�g_�__�f_�i_�l_�e option in the
20
_�s_�u_�d_�o_�e_�r_�s file. When a command is run via s�su�ud�do�o with _�l_�o_�g_�__�o_�u_�t_�p_�u_�t enabled in
21
the _�s_�u_�d_�o_�e_�r_�s file, a TSID=ID string is logged via syslog or to the s�su�ud�do�o
22
log file. The _�I_�D may also be determined using s�su�ud�do�or�re�ep�pl�la�ay�y's list mode.
24
In list mode, s�su�ud�do�or�re�ep�pl�la�ay�y can be used to find the ID of a session based on
25
a number of criteria such as the user, tty or command run.
27
In replay mode, if the standard output has not been redirected,
28
s�su�ud�do�or�re�ep�pl�la�ay�y will act on the following keys:
30
` ' (space) Pause output; press any key to resume.
32
`<' Reduce the playback speed by one half.
34
`>' Double the playback speed.
36
The options are as follows:
38
-�-d�d _�d_�i_�r_�e_�c_�t_�o_�r_�y Use _�d_�i_�r_�e_�c_�t_�o_�r_�y to for the session logs instead of the
45
39
default, _�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o.
47
-f _�f_�i_�l_�t_�e_�r By default, s�su�ud�do�or�re�ep�pl�la�ay�y will play back the command's
48
standard output, standard error and tty output. The _�-_�f
41
-�-f�f _�f_�i_�l_�t_�e_�r By default, s�su�ud�do�or�re�ep�pl�la�ay�y will play back the command's
42
standard output, standard error and tty output. The -�-f�f
49
43
option can be used to select which of these to output. The
50
44
_�f_�i_�l_�t_�e_�r argument is a comma-separated list, consisting of
51
45
one or more of following: _�s_�t_�d_�o_�u_�t, _�s_�t_�d_�e_�r_�r, and _�t_�t_�y_�o_�u_�t.
53
-h The -�-h�h (_�h_�e_�l_�p) option causes s�su�ud�do�or�re�ep�pl�la�ay�y to print a short
47
-�-h�h The -�-h�h (_�h_�e_�l_�p) option causes s�su�ud�do�or�re�ep�pl�la�ay�y to print a short
54
48
help message to the standard output and exit.
56
-l [_�s_�e_�a_�r_�c_�h _�e_�x_�p_�r_�e_�s_�s_�i_�o_�n]
57
Enable "list mode". In this mode, s�su�ud�do�or�re�ep�pl�la�ay�y will list
50
-�-l�l [_�s_�e_�a_�r_�c_�h _�e_�x_�p_�r_�e_�s_�s_�i_�o_�n]
51
Enable ``list mode''. In this mode, s�su�ud�do�or�re�ep�pl�la�ay�y will list
58
52
available sessions in a format similar to the s�su�ud�do�o log file
59
53
format, sorted by file name (or sequence number). If a
60
54
_�s_�e_�a_�r_�c_�h _�e_�x_�p_�r_�e_�s_�s_�i_�o_�n is specified, it will be used to restrict
61
55
the IDs that are displayed. An expression is composed of
62
56
the following predicates:
64
command _�c_�o_�m_�m_�a_�n_�d _�p_�a_�t_�t_�e_�r_�n
58
command _�p_�a_�t_�t_�e_�r_�n
65
59
Evaluates to true if the command run matches
66
_�c_�o_�m_�m_�a_�n_�d _�p_�a_�t_�t_�e_�r_�n. On systems with POSIX regular
67
expression support, the pattern may be an extended
68
regular expression. On systems without POSIX
69
regular expression support, a simple substring
70
match is performed instead.
60
_�p_�a_�t_�t_�e_�r_�n. On systems with POSIX regular expression
61
support, the pattern may be an extended regular
62
expression. On systems without POSIX regular
63
expression support, a simple substring match is
72
66
cwd _�d_�i_�r_�e_�c_�t_�o_�r_�y
73
67
Evaluates to true if the command was run with the
110
105
Predicates may be combined using _�a_�n_�d, _�o_�r and _�! operators as
111
well as '(' and ')' for grouping (note that parentheses
112
must generally be escaped from the shell). The _�a_�n_�d
113
operator is optional, adjacent predicates have an implied
114
_�a_�n_�d unless separated by an _�o_�r.
106
well as `(' and `)' grouping (note that parentheses must
107
generally be escaped from the shell). The _�a_�n_�d operator is
108
optional, adjacent predicates have an implied _�a_�n_�d unless
109
separated by an _�o_�r.
116
-m _�m_�a_�x_�__�w_�a_�i_�t Specify an upper bound on how long to wait between key
117
presses or output data. By default, s�su�ud�do�o_�_r�re�ep�pl�la�ay�y will
111
-�-m�m _�m_�a_�x_�__�w_�a_�i_�t Specify an upper bound on how long to wait between key
112
presses or output data. By default, s�su�ud�do�or�re�ep�pl�la�ay�y will
118
113
accurately reproduce the delays between key presses or
119
114
program output. However, this can be tedious when the
120
session includes long pauses. When the _�-_�m option is
115
session includes long pauses. When the -�-m�m option is
121
116
specified, s�su�ud�do�or�re�ep�pl�la�ay�y will limit these pauses to at most
122
117
_�m_�a_�x_�__�w_�a_�i_�t seconds. The value may be specified as a floating
123
point number, .e.g. _�2_�._�5.
118
point number, e.g. _�2_�._�5.
125
-s _�s_�p_�e_�e_�d_�__�f_�a_�c_�t_�o_�r
120
-�-s�s _�s_�p_�e_�e_�d_�__�f_�a_�c_�t_�o_�r
126
121
This option causes s�su�ud�do�or�re�ep�pl�la�ay�y to adjust the number of
127
122
seconds it will wait between key presses or program output.
128
123
This can be used to slow down or speed up the display. For
129
124
example, a _�s_�p_�e_�e_�d_�__�f_�a_�c_�t_�o_�r of _�2 would make the output twice as
130
fast whereas a _�s_�p_�e_�e_�d_�__�f_�a_�c_�t_�o_�r of <.5> would make the output
125
fast whereas a _�s_�p_�e_�e_�d_�__�f_�a_�c_�t_�o_�r of _�._�5 would make the output
133
-V The -�-V�V (version) option causes s�su�ud�do�or�re�ep�pl�la�ay�y to print its
128
-�-V�V The -�-V�V (_�v_�e_�r_�s_�i_�o_�n) option causes s�su�ud�do�or�re�ep�pl�la�ay�y to print its
134
129
version number and exit.
136
131
D�Da�at�te�e a�an�nd�d t�ti�im�me�e f�fo�or�rm�ma�at�t
137
The time and date may be specified multiple ways, common formats
140
HH:MM:SS am MM/DD/CCYY timezone
141
24 hour time may be used in place of am/pm.
143
HH:MM:SS am Month, Day Year timezone
144
24 hour time may be used in place of am/pm, and month and day
145
names may be abbreviated. Note that month and day of the week
146
names must be specified in English.
151
DD Month CCYY HH:MM:SS
152
The month name may be abbreviated.
154
Either time or date may be omitted, the am/pm and timezone are
155
optional. If no date is specified, the current day is assumed; if no
156
time is specified, the first second of the specified date is used. The
157
less significant parts of both time and date may also be omitted, in
158
which case zero is assumed. For example, the following are all valid:
160
The following are all valid time and date specifications:
162
now The current time and date.
165
Exactly one day from now.
174
The first second of the next Friday.
177
The current time but the first day of the coming week.
180
The current time but 14 days ago.
183
10:01 am, September 17, 2009.
186
10:01 am on the current day.
188
10 10:00 am on the current day.
191
00:00 am, September 17, 2009.
193
10:01 am Sep 17, 2009
194
10:01 am, September 17, 2009.
132
The time and date may be specified multiple ways, common formats include:
134
HH:MM:SS am MM/DD/CCYY timezone
135
24 hour time may be used in place of am/pm.
137
HH:MM:SS am Month, Day Year timezone
138
24 hour time may be used in place of am/pm, and month and day
139
names may be abbreviated. Note that month and day of the week
140
names must be specified in English.
145
DD Month CCYY HH:MM:SS
146
The month name may be abbreviated.
148
Either time or date may be omitted, the am/pm and timezone are optional.
149
If no date is specified, the current day is assumed; if no time is
150
specified, the first second of the specified date is used. The less
151
significant parts of both time and date may also be omitted, in which
152
case zero is assumed.
154
The following are all valid time and date specifications:
156
now The current time and date.
159
Exactly one day from now.
168
The first second of the next Friday.
171
The current time but the first day of the coming week.
174
The current time but 14 days ago.
177
10:01 am, September 17, 2009.
180
10:01 am on the current day.
182
10 10:00 am on the current day.
185
00:00 am, September 17, 2009.
187
10:01 am Sep 17, 2009
188
10:01 am, September 17, 2009.
197
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o The default I/O log directory.
191
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o The default I/O log directory.
199
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�l_�o_�g
193
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�l_�o_�g
200
194
Example session log info.
202
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�s_�t_�d_�i_�n
196
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�s_�t_�d_�i_�n
203
197
Example session standard input log.
205
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�s_�t_�d_�o_�u_�t
199
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�s_�t_�d_�o_�u_�t
206
200
Example session standard output log.
208
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�s_�t_�d_�e_�r_�r
202
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�s_�t_�d_�e_�r_�r
209
203
Example session standard error log.
211
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�t_�t_�y_�i_�n
205
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�t_�t_�y_�i_�n
212
206
Example session tty input file.
214
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�t_�t_�y_�o_�u_�t
208
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�t_�t_�y_�o_�u_�t
215
209
Example session tty output file.
217
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�t_�i_�m_�i_�n_�g
211
_�/_�v_�a_�r_�/_�l_�o_�g_�/_�s_�u_�d_�o_�-_�i_�o_�/_�0_�0_�/_�0_�0_�/_�0_�1_�/_�t_�i_�m_�i_�n_�g
218
212
Example session timing file.
220
Note that the _�s_�t_�d_�i_�n, _�s_�t_�d_�o_�u_�t and _�s_�t_�d_�e_�r_�r files will be empty unless s�su�ud�do�o
221
was used as part of a pipeline for a particular command.
214
Note that the _�s_�t_�d_�i_�n, _�s_�t_�d_�o_�u_�t and _�s_�t_�d_�e_�r_�r files will be empty unless s�su�ud�do�o
215
was used as part of a pipeline for a particular command.
223
217
E�EX�XA�AM�MP�PL�LE�ES�S
224
List sessions run by user _�m_�i_�l_�l_�e_�r_�t:
226
sudoreplay -l user millert
228
List sessions run by user _�b_�o_�b with a command containing the string vi:
230
sudoreplay -l user bob command vi
232
List sessions run by user _�j_�e_�f_�f that match a regular expression:
234
sudoreplay -l user jeff command '/bin/[a-z]*sh'
236
List sessions run by jeff or bob on the console:
238
sudoreplay -l ( user jeff or user bob ) tty console
218
List sessions run by user _�m_�i_�l_�l_�e_�r_�t:
220
# sudoreplay -l user millert
222
List sessions run by user _�b_�o_�b with a command containing the string vi:
224
# sudoreplay -l user bob command vi
226
List sessions run by user _�j_�e_�f_�f that match a regular expression:
228
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
230
List sessions run by jeff or bob on the console:
232
# sudoreplay -l ( user jeff or user bob ) tty console
240
234
S�SE�EE�E A�AL�LS�SO�O
241
_�s_�u_�d_�o(1m), _�s_�c_�r_�i_�p_�t(1)
237
A�AU�UT�TH�HO�OR�RS�S
247
If you feel you have found a bug in s�su�ud�do�or�re�ep�pl�la�ay�y, please submit a bug
248
report at http://www.sudo.ws/sudo/bugs/
241
If you feel you have found a bug in s�su�ud�do�or�re�ep�pl�la�ay�y, please submit a bug
242
report at http://www.sudo.ws/sudo/bugs/
250
244
S�SU�UP�PP�PO�OR�RT�T
251
Limited free support is available via the sudo-users mailing list, see
252
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
245
Limited free support is available via the sudo-users mailing list, see
246
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
255
249
D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
256
s�su�ud�do�or�re�ep�pl�la�ay�y is provided ``AS IS'' and any express or implied warranties,
257
including, but not limited to, the implied warranties of
258
merchantability and fitness for a particular purpose are disclaimed.
259
See the LICENSE file distributed with s�su�ud�do�o or
260
http://www.sudo.ws/sudo/license.html for complete details.
264
1.8.5 April 16, 2012 SUDOREPLAY(1m)
250
s�su�ud�do�or�re�ep�pl�la�ay�y is provided ``AS IS'' and any express or implied warranties,
251
including, but not limited to, the implied warranties of merchantability
252
and fitness for a particular purpose are disclaimed. See the LICENSE
253
file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for
256
Sudo 1.8.6 July 12, 2012 Sudo 1.8.6
added
removed
doc/sudoreplay.cat
