SUDOREPLAY(1m)          MAINTENANCE COMMANDS          SUDOREPLAY(1m)

       sudoreplay - replay sudo session logs

SYNOPSIS
       sudoreplay [-d directory] [-f filter] [-m max_wait] [-s speed_factor]

       sudoreplay [-d directory] -l [search expression]

DESCRIPTION
       sudoreplay plays back or lists the session logs created by sudo.
       When replaying, sudoreplay can play the session back in real-time,
       or the playback speed may be adjusted (faster or slower) based on
       the command line options. The ID should be a six character sequence
       of digits and upper case letters, e.g. 0100A5, which is logged by
       sudo when a command is run with session logging enabled.

       In list mode, sudoreplay can be used to find the ID of a session
       based on a number of criteria such as the user, tty or command run.

       In replay mode, if the standard output has not been redirected,
       sudoreplay will act on the following keys:

               Pause output; press any key to resume.

       '<'     Reduce the playback speed by one half.

       '>'     Double the playback speed.

OPTIONS
       sudoreplay accepts the following command line options:

       -d directory
                   Use directory for the session logs instead of the
                   default, /var/log/sudo-io.

       -f filter   By default, sudoreplay will play back the command's
                   standard output, standard error and tty output. The -f
                   option can be used to select which of these to output.
                   The filter argument is a comma-separated list,
                   consisting of one or more of the following: stdout,
                   stderr, and ttyout.

       -l          Enable "list mode". In this mode, sudoreplay will list
                   available session IDs. If a search expression is
                   specified, it will be used to restrict the IDs that are
                   displayed. An expression is composed of the following

                   command command pattern
                           Evaluates to true if the command run matches
                           command pattern. On systems with POSIX regular
                           expression support, the pattern may be an
                           extended regular expression. On systems without
                           POSIX regular expression support, a simple
                           substring match is performed instead.

                   cwd directory
                           Evaluates to true if the command was run with
                           the specified current working directory.

                   fromdate date
                           Evaluates to true if the command was run on or
                           after date. See "Date and time format" for a
                           description of supported date and time formats.

                   group runas_group
                           Evaluates to true if the command was run with
                           the specified runas_group. Note that unless a
                           runas_group was explicitly specified when sudo
                           was run this field will be empty in the log.

                   runas runas_user
                           Evaluates to true if the command was run as the
                           specified runas_user. Note that sudo runs
                           commands as user root by default.

                   todate date
                           Evaluates to true if the command was run on or
                           prior to date. See "Date and time format" for a
                           description of supported date and time formats.

                   tty tty Evaluates to true if the command was run on the
                           specified terminal device. The tty should be
                           specified without the /dev/ prefix, e.g. tty01
                           instead of /dev/tty01.

                   user user name
                           Evaluates to true if the ID matches a command
                           run by user name.

                   Predicates may be abbreviated to the shortest unique
                   string (currently all predicates may be shortened to a
                   single

                   Predicates may be combined using and, or and !
                   operators as well as '(' and ')' for grouping (note
                   that parentheses must generally be escaped from the
                   shell). The and operator is optional, adjacent
                   predicates have an implied and unless separated by an
                   or.

       -m max_wait Specify an upper bound on how long to wait between key
                   presses or output data. By default, sudoreplay will
                   accurately reproduce the delays between key presses or
                   program output. However, this can be tedious when the
                   session includes long pauses. When the -m option is
                   specified, sudoreplay will limit these pauses to at
                   most max_wait seconds. The value may be specified as a
                   floating point number, e.g. 2.5.

       -s speed_factor
                   This option causes sudoreplay to adjust the number of
                   seconds it will wait between key presses or program
                   output. This can be used to slow down or speed up the
                   display. For example, a speed_factor of 2 would make
                   the output twice as fast whereas a speed_factor of .5
                   would make the output

       -V          The -V (version) option causes sudoreplay to print its
                   version number and exit.

   Date and time format
       The time and date may be specified multiple ways, common formats

       HH:MM:SS am MM/DD/CCYY timezone
               24 hour time may be used in place of am/pm.

       HH:MM:SS am Month, Day Year timezone
               24 hour time may be used in place of am/pm, and month and
               day names may be abbreviated. Note that month and day of
               the week names must be specified in English.

       DD Month CCYY HH:MM:SS
               The month name may be abbreviated.

       Either time or date may be omitted, the am/pm and timezone are
       optional. If no date is specified, the current day is assumed; if no
       time is specified, the first second of the specified date is used.
       The less significant parts of both time and date may also be
       omitted, in which case zero is assumed. For example, the following
       are all valid:

       The following are all valid time and date specifications:

       now     The current time and date.

               Exactly one day from now.

               The first second of the next Friday.

               The current time but the first day of the coming week.

               The current time but 14 days ago.

               10:01 am, September 17, 2009.

               10:01 am on the current day.

       10      10:00 am on the current day.

               00:00 am, September 17, 2009.

       10:01 am Sep 17, 2009
               10:01 am, September 17, 2009.

       /var/log/sudo-io
               The default I/O log directory.

       /var/log/sudo-io/00/00/01/log
               Example session log info.

       /var/log/sudo-io/00/00/01/stdin
               Example session standard input log.

       /var/log/sudo-io/00/00/01/stdout
               Example session standard output log.

       /var/log/sudo-io/00/00/01/stderr
               Example session standard error log.

       /var/log/sudo-io/00/00/01/ttyin
               Example session tty input file.

       /var/log/sudo-io/00/00/01/ttyout
               Example session tty output file.

       /var/log/sudo-io/00/00/01/timing
               Example session timing file.

       Note that the stdin, stdout and stderr files will be empty unless
       sudo was used as part of a pipeline for a particular command.
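
The per-session files listed above can be checked before a replay is attempted. The following is an added example, not part of the sudo distribution: the function names are hypothetical, and it assumes that a six-character session ID maps to its directory as three two-character components (as the 00/00/01 paths suggest) and that a replayable session needs a non-empty log and timing file.

```shell
#!/bin/sh
# Added example (not from the sudo distribution): locate a session's I/O
# log directory from its ID and check it holds what a replay needs.
LC_ALL=C; export LC_ALL                    # make [A-Z] mean ASCII upper case only
IOLOG_DIR=${IOLOG_DIR:-/var/log/sudo-io}   # default directory named on the page

# tsid_to_dir ID: print the directory for a six-character session ID.
# Assumption: the ID splits into three two-character path components.
tsid_to_dir() {
    case $1 in
        *[!0-9A-Z]*) echo "invalid session ID: $1" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 6 ] || { echo "invalid session ID: $1" >&2; return 1; }
    rest=${1#??}
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" "${1%????}" "${rest%??}" "${1#????}"
}

# audit_session ID: report whether the session can be replayed and which
# streams carry data. Requiring non-empty log and timing is an assumption.
audit_session() {
    dir=$(tsid_to_dir "$1") || return 1
    for f in log timing; do
        [ -s "$dir/$f" ] || { echo "$1 incomplete: missing or empty $f"; return 1; }
    done
    streams=
    for f in stdin stdout stderr ttyin ttyout; do
        if [ -s "$dir/$f" ]; then streams="$streams $f"; fi
    done
    echo "$1 ok:${streams:- none}"
}

# Audit every ID given on the command line, e.g.: sh audit.sh 0100A5 000001
for id in "$@"; do
    audit_session "$id" || true
done
```

A session reported as incomplete is worth investigating before relying on the log as an audit record, since a missing timing file prevents playback.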

EXAMPLES
       List sessions run by user millert:

        sudoreplay -l user millert

       List sessions run by user bob with a command containing the string
       vi:

        sudoreplay -l user bob command vi

       List sessions run by user jeff that match a regular expression:

        sudoreplay -l user jeff command '/bin/[a-z]*sh'

       List sessions run by jeff or bob on the console:

        sudoreplay -l \( user jeff or user bob \) tty console

SEE ALSO
       sudo(1m), script(1)

AUTHOR

       If you feel you have found a bug in sudoreplay, please submit a bug
       report at http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list,
       see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
       search

DISCLAIMER
       sudoreplay is provided ``AS IS'' and any express or implied
       warranties, including, but not limited to, the implied warranties
       of merchantability and fitness for a particular purpose are
       disclaimed. See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.

1.7.4                         July 12, 2010