SUDOREPLAY(1m)               MAINTENANCE COMMANDS               SUDOREPLAY(1m)

       sudoreplay - replay sudo session logs

SYNOPSIS
       sudoreplay [-h] [-d directory] [-f filter] [-m max_wait]
       [-s speed_factor] ID

       sudoreplay [-h] [-d directory] -l [search expression]

DESCRIPTION
       sudoreplay plays back or lists the output logs created by sudo. When
       replaying, sudoreplay can play the session back in real-time, or the
       playback speed may be adjusted (faster or slower) based on the command

       The ID should either be a six character sequence of digits and upper
       case letters, e.g. 0100A5, or a pattern matching the iolog_file option
       in the sudoers file. When a command is run via sudo with log_output
       enabled in the sudoers file, a TSID=ID string is logged via syslog or
       to the sudo log file. The ID may also be determined using sudoreplay's

       In list mode, sudoreplay can be used to find the ID of a session based
       on a number of criteria such as the user, tty or command run.

       In replay mode, if the standard output has not been redirected,
       sudoreplay will act on the following keys:

               Pause output; press any key to resume.

       '<'     Reduce the playback speed by one half.

       '>'     Double the playback speed.

OPTIONS
       sudoreplay accepts the following command line options:

       -d directory
                   Use directory for the session logs instead of the
                   default, /var/log/sudo-io.

       -f filter   By default, sudoreplay will play back the command's
                   standard output, standard error and tty output. The -f
                   option can be used to select which of these to output. The
                   filter argument is a comma-separated list, consisting of
                   one or more of the following: stdout, stderr, and ttyout.

       -h          The -h (help) option causes sudoreplay to print a short
                   help message to the standard output and exit.

       -l [search expression]
                   Enable "list mode". In this mode, sudoreplay will list
                   available session IDs. If a search expression is
                   specified, it will be used to restrict the IDs that are
                   displayed. An expression is composed of the following

                   command command pattern
                           Evaluates to true if the command run matches
                           command pattern. On systems with POSIX regular
                           expression support, the pattern may be an extended
                           regular expression. On systems without POSIX
                           regular expression support, a simple substring
                           match is performed instead.

                   cwd directory
                           Evaluates to true if the command was run with the
                           specified current working directory.

                   fromdate date
                           Evaluates to true if the command was run on or
                           after date. See "Date and time format" for a
                           description of supported date and time formats.

                   group runas_group
                           Evaluates to true if the command was run with the
                           specified runas_group. Note that unless a
                           runas_group was explicitly specified when sudo was
                           run this field will be empty in the log.

                   runas runas_user
                           Evaluates to true if the command was run as the
                           specified runas_user. Note that sudo runs commands
                           as user root by default.

                   todate date
                           Evaluates to true if the command was run on or
                           prior to date. See "Date and time format" for a
                           description of supported date and time formats.

                   tty tty Evaluates to true if the command was run on the
                           specified terminal device. The tty should be
                           specified without the /dev/ prefix, e.g. tty01
                           instead of /dev/tty01.

                   user user name
                           Evaluates to true if the ID matches a command run
                           by user name.

                   Predicates may be abbreviated to the shortest unique string
                   (currently all predicates may be shortened to a single

                   Predicates may be combined using and, or and ! operators as
                   well as '(' and ')' for grouping (note that parentheses
                   must generally be escaped from the shell). The and
                   operator is optional, adjacent predicates have an implied
                   and unless separated by an or.

       -m max_wait Specify an upper bound on how long to wait between key
                   presses or output data. By default, sudoreplay will
                   accurately reproduce the delays between key presses or
                   program output. However, this can be tedious when the
                   session includes long pauses. When the -m option is
                   specified, sudoreplay will limit these pauses to at most
                   max_wait seconds. The value may be specified as a floating
                   point number, e.g. 2.5.

       -s speed_factor
                   This option causes sudoreplay to adjust the number of
                   seconds it will wait between key presses or program output.
                   This can be used to slow down or speed up the display. For
                   example, a speed_factor of 2 would make the output twice as
                   fast whereas a speed_factor of .5 would make the output

       -V          The -V (version) option causes sudoreplay to print its
                   version number and exit.

   Date and time format
       The time and date may be specified multiple ways, common formats

       HH:MM:SS am MM/DD/CCYY timezone
               24 hour time may be used in place of am/pm.

       HH:MM:SS am Month, Day Year timezone
               24 hour time may be used in place of am/pm, and month and day
               names may be abbreviated. Note that month and day of the week
               names must be specified in English.

       DD Month CCYY HH:MM:SS
               The month name may be abbreviated.

       Either time or date may be omitted, the am/pm and timezone are
       optional. If no date is specified, the current day is assumed; if no
       time is specified, the first second of the specified date is used. The
       less significant parts of both time and date may also be omitted, in
       which case zero is assumed. For example, the following are all valid:

       The following are all valid time and date specifications:

       now     The current time and date.

               Exactly one day from now.

               The first second of the next Friday.

               The current time but the first day of the coming week.

               The current time but 14 days ago.

               10:01 am, September 17, 2009.

               10:01 am on the current day.

       10      10:00 am on the current day.

               00:00 am, September 17, 2009.

       10:01 am Sep 17, 2009
               10:01 am, September 17, 2009.

       /var/log/sudo-io        The default I/O log directory.

       /var/log/sudo-io/00/00/01/log
                               Example session log info.

       /var/log/sudo-io/00/00/01/stdin
                               Example session standard input log.

       /var/log/sudo-io/00/00/01/stdout
                               Example session standard output log.

       /var/log/sudo-io/00/00/01/stderr
                               Example session standard error log.

       /var/log/sudo-io/00/00/01/ttyin
                               Example session tty input file.

       /var/log/sudo-io/00/00/01/ttyout
                               Example session tty output file.

       /var/log/sudo-io/00/00/01/timing
                               Example session timing file.

       Note that the stdin, stdout and stderr files will be empty unless sudo
       was used as part of a pipeline for a particular command.

EXAMPLES
       List sessions run by user millert:

        sudoreplay -l user millert

       List sessions run by user bob with a command containing the string vi:

        sudoreplay -l user bob command vi

       List sessions run by user jeff that match a regular expression:

        sudoreplay -l user jeff command '/bin/[a-z]*sh'

       List sessions run by jeff or bob on the console:

        sudoreplay -l \( user jeff or user bob \) tty console
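
A triage helper for the ID and file layout described above, as an added example that is not part of the sudoreplay manual or the sudo project's code: it pulls TSID values out of sudo log lines, rejects anything that is not six digits or upper case letters, and prints the session directory and replay command for each. The log lines are constructed, and the mapping of an ID to three two-character path components is an assumption drawn from the example path /var/log/sudo-io/00/00/01.

```shell
#!/bin/sh
# Added example: map TSID values from sudo log lines to I/O log directories.
# Assumption: a six-character ID is stored as three two-character path
# components under the log directory, as in /var/log/sudo-io/00/00/01.
LC_ALL=C; export LC_ALL
IOLOG_DIR="${IOLOG_DIR:-/var/log/sudo-io}"

# Print each distinct well-formed TSID found on stdin, one per line.
# Only six characters of digits and upper case letters are accepted.
extract_tsids() {
    grep -oE 'TSID=[^ ;]+' |
        sed 's/^TSID=//' |
        grep -E '^[0-9A-Z]{6}$' |
        sort -u
}

# Convert an ID such as 0100A5 to its session directory; fail on bad input.
tsid_to_dir() {
    case "$1" in
        ''|*[!0-9A-Z]*) return 1 ;;
    esac
    [ "${#1}" -eq 6 ] || return 1
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" \
        "$(printf '%s' "$1" | cut -c1-2)" \
        "$(printf '%s' "$1" | cut -c3-4)" \
        "$(printf '%s' "$1" | cut -c5-6)"
}

# Constructed sample log lines (not taken from a real system).
sample_log() {
    cat <<'EOF'
Sep 17 10:01:02 host sudo: millert : TTY=ttyp1 ; PWD=/home/millert ; USER=root ; TSID=000001 ; COMMAND=/bin/sh
Sep 17 10:05:40 host sudo: bob : TTY=console ; PWD=/tmp ; USER=root ; TSID=0100A5 ; COMMAND=/usr/bin/vi /etc/hosts
Sep 17 10:06:11 host sudo: jeff : TTY=ttyp2 ; PWD=/ ; USER=root ; TSID=../../x ; COMMAND=/bin/ls
Sep 17 10:07:00 host sudo: jeff : TTY=ttyp2 ; PWD=/ ; USER=root ; COMMAND=/bin/ls
EOF
}

# For each logged session, print its ID, directory and replay command.
report() {
    sample_log | extract_tsids | while read -r id; do
        dir=$(tsid_to_dir "$id") || continue
        printf '%s %s sudoreplay -d %s %s\n' "$id" "$dir" "$IOLOG_DIR" "$id"
    done
}

report
```

The strict ID check matters because the value comes from a log line and ends up in a file system path; a session run without log_output has no TSID field and is skipped.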

SEE ALSO
       sudo(1m), script(1)

AUTHOR

       If you feel you have found a bug in sudoreplay, please submit a bug
       report at http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
       sudoreplay is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.

1.8.3                          September 16, 2011               SUDOREPLAY(1m)