SUDOREPLAY(1m)              MAINTENANCE COMMANDS              SUDOREPLAY(1m)

       sudoreplay - replay sudo session logs

SYNOPSIS
       sudoreplay [-h] [-d directory] [-f filter] [-m max_wait]
       [-s speed_factor] ID

       sudoreplay [-h] [-d directory] -l [search expression]

DESCRIPTION
       sudoreplay plays back or lists the output logs created by sudo. When
       replaying, sudoreplay can play the session back in real-time, or the
       playback speed may be adjusted (faster or slower) based on the command

       The ID should either be a six character sequence of digits and upper
       case letters, e.g. 0100A5, or a pattern matching the iolog_file option
       in the sudoers file. When a command is run via sudo with log_output
       enabled in the sudoers file, a TSID=ID string is logged via syslog or
       to the sudo log file. The ID may also be determined using sudoreplay's

       In list mode, sudoreplay can be used to find the ID of a session based
       on a number of criteria such as the user, tty or command run.

       In replay mode, if the standard output has not been redirected,
       sudoreplay will act on the following keys:

           Pause output; press any key to resume.

       '<' Reduce the playback speed by one half.

       '>' Double the playback speed.

OPTIONS
       sudoreplay accepts the following command line options:

       -d directory
                   Use directory for the session logs instead of the
                   default, /var/log/sudo-io.

       -f filter   By default, sudoreplay will play back the command's
                   standard output, standard error and tty output. The -f
                   option can be used to select which of these to output. The
                   filter argument is a comma-separated list, consisting of
                   one or more of the following: stdout, stderr, and ttyout.

       -h          The -h (help) option causes sudoreplay to print a short
                   help message to the standard output and exit.

       -l [search expression]
                   Enable "list mode". In this mode, sudoreplay will list
                   available sessions in a format similar to the sudo log file
                   format, sorted by file name (or sequence number). If a
                   search expression is specified, it will be used to restrict
                   the IDs that are displayed. An expression is composed of
                   the following predicates:

                   command command pattern
                           Evaluates to true if the command run matches
                           command pattern. On systems with POSIX regular
                           expression support, the pattern may be an extended
                           regular expression. On systems without POSIX
                           regular expression support, a simple substring
                           match is performed instead.

                   cwd directory
                           Evaluates to true if the command was run with the
                           specified current working directory.

                   fromdate date
                           Evaluates to true if the command was run on or
                           after date. See "Date and time format" for a
                           description of supported date and time formats.

                   group runas_group
                           Evaluates to true if the command was run with the
                           specified runas_group. Note that unless a
                           runas_group was explicitly specified when sudo was
                           run this field will be empty in the log.

                   runas runas_user
                           Evaluates to true if the command was run as the
                           specified runas_user. Note that sudo runs commands
                           as user root by default.

                   todate date
                           Evaluates to true if the command was run on or
                           prior to date. See "Date and time format" for a
                           description of supported date and time formats.

                   tty tty Evaluates to true if the command was run on the
                           specified terminal device. The tty should be
                           specified without the /dev/ prefix, e.g. tty01
                           instead of /dev/tty01.

                   user user name
                           Evaluates to true if the ID matches a command run
                           by user name.

                   Predicates may be abbreviated to the shortest unique string
                   (currently all predicates may be shortened to a single

                   Predicates may be combined using and, or and ! operators as
                   well as '(' and ')' for grouping (note that parentheses
                   must generally be escaped from the shell). The and
                   operator is optional, adjacent predicates have an implied
                   and unless separated by an or.

       -m max_wait Specify an upper bound on how long to wait between key
                   presses or output data. By default, sudoreplay will
                   accurately reproduce the delays between key presses or
                   program output. However, this can be tedious when the
                   session includes long pauses. When the -m option is
                   specified, sudoreplay will limit these pauses to at most
                   max_wait seconds. The value may be specified as a floating
                   point number, e.g. 2.5.

       -s speed_factor
                   This option causes sudoreplay to adjust the number of
                   seconds it will wait between key presses or program output.
                   This can be used to slow down or speed up the display. For
                   example, a speed_factor of 2 would make the output twice as
                   fast whereas a speed_factor of .5 would make the output

       -V          The -V (version) option causes sudoreplay to print its
                   version number and exit.

   Date and time format
       The time and date may be specified multiple ways, common formats

       HH:MM:SS am MM/DD/CCYY timezone
               24 hour time may be used in place of am/pm.

       HH:MM:SS am Month, Day Year timezone
               24 hour time may be used in place of am/pm, and month and day
               names may be abbreviated. Note that month and day of the week
               names must be specified in English.

       DD Month CCYY HH:MM:SS
               The month name may be abbreviated.

       Either time or date may be omitted, the am/pm and timezone are
       optional. If no date is specified, the current day is assumed; if no
       time is specified, the first second of the specified date is used. The
       less significant parts of both time and date may also be omitted, in
       which case zero is assumed. For example, the following are all valid:

       The following are all valid time and date specifications:

       now     The current time and date.

               Exactly one day from now.

               The first second of the next Friday.

               The current time but the first day of the coming week.

               The current time but 14 days ago.

               10:01 am, September 17, 2009.

               10:01 am on the current day.

       10      10:00 am on the current day.

               00:00 am, September 17, 2009.

       10:01 am Sep 17, 2009
               10:01 am, September 17, 2009.

       /var/log/sudo-io        The default I/O log directory.

       /var/log/sudo-io/00/00/01/log
                               Example session log info.

       /var/log/sudo-io/00/00/01/stdin
                               Example session standard input log.

       /var/log/sudo-io/00/00/01/stdout
                               Example session standard output log.

       /var/log/sudo-io/00/00/01/stderr
                               Example session standard error log.

       /var/log/sudo-io/00/00/01/ttyin
                               Example session tty input file.

       /var/log/sudo-io/00/00/01/ttyout
                               Example session tty output file.

       /var/log/sudo-io/00/00/01/timing
                               Example session timing file.

       Note that the stdin, stdout and stderr files will be empty unless sudo
       was used as part of a pipeline for a particular command.

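An added example (not part of the sudoreplay manual or the sudo distribution) showing how the TSID=ID strings that sudo logs can be tied back to the session directories listed above. The sample log lines are constructed, the function names are hypothetical, and the ID-to-directory mapping (0100A5 to 01/00/A5) is an assumption inferred from the example paths under the default I/O log directory; a custom iolog_file setting changes that layout.

```shell
#!/bin/sh
# Added example: correlate TSID=ID entries in sudo log lines with I/O log dirs.
LC_ALL=C; export LC_ALL            # keep [0-9A-Z] ranges byte-exact
IOLOG_DIR=/var/log/sudo-io         # default I/O log directory from this page

# Constructed sample log lines; the exact field layout is an assumption.
sample_log() {
cat <<'EOF'
Apr 16 10:01:02 host1 sudo:  millert : TTY=ttyp1 ; PWD=/home/millert ; USER=root ; TSID=000001 ; COMMAND=/bin/sh
Apr 16 10:05:40 host1 sudo:      bob : TTY=console ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
Apr 16 10:07:13 host1 sudo:      bob : TTY=console ; PWD=/tmp ; USER=root ; TSID=0100A5 ; COMMAND=/usr/bin/vi /etc/hosts
Apr 16 10:09:00 host1 sudo:     jeff : TTY=ttyp2 ; PWD=/ ; USER=root ; TSID=../../x ; COMMAND=/bin/ls
EOF
}

# Read log lines on stdin; print "user ID" for each well-formed TSID.
# Lines without a TSID, or whose ID is not six characters of digits and
# upper case letters, are skipped so they never reach path construction.
extract_tsids() {
    sed -n 's/^.*sudo: *\([^ ]*\) : .* TSID=\([0-9A-Z]\{6\}\) ; .*$/\1 \2/p'
}

# Map a six-character ID to its session directory, e.g. 000001 -> 00/00/01.
# Returns non-zero for anything that is not exactly six of [0-9A-Z].
tsid_to_dir() {
    case $1 in
        *[!0-9A-Z]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 6 ] || return 1
    rest=${1#??}
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" "${1%????}" "${rest%??}" "${1#????}"
}

# Read log lines on stdin; print "ID directory" for sessions run by user $1.
session_dirs() {
    extract_tsids | while read -r user id; do
        [ "$user" = "$1" ] || continue
        dir=$(tsid_to_dir "$id") || continue
        printf '%s %s\n' "$id" "$dir"
    done
}

# Demo on the constructed sample: bob's one recorded session.
sample_log | session_dirs bob
```

Each ID printed this way is the value sudoreplay expects as its ID argument; add -d when the logs are kept outside the default directory.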
EXAMPLES
       List sessions run by user millert:

        sudoreplay -l user millert

       List sessions run by user bob with a command containing the string vi:

        sudoreplay -l user bob command vi

       List sessions run by user jeff that match a regular expression:

        sudoreplay -l user jeff command '/bin/[a-z]*sh'

       List sessions run by jeff or bob on the console:

        sudoreplay -l \( user jeff or user bob \) tty console

SEE ALSO
       sudo(1m), script(1)

AUTHOR

       If you feel you have found a bug in sudoreplay, please submit a bug
       report at http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
       sudoreplay is provided "AS IS" and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.

1.8.5                            April 16, 2012                 SUDOREPLAY(1m)