-If set, \fBsudo\fR will prompt for the password of the user specified by
-the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
-invoking user. Note that this precludes the use of a uid not listed
-in the passwd database as an argument to the \fB\-u\fR option.
-This flag is \fIoff\fR by default.
+If set, \fBsudo\fR will prompt for the password of the user specified
+by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
+of the invoking user. In addition, the timestamp file name will
+include the target user's name. Note that this flag precludes the
+use of a uid not listed in the passwd database as an argument to
+the \fB\-u\fR option. This flag is \fIoff\fR by default.
+.IP "log_input" 16
+.IX Item "log_input"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Sp
+Input is logged to the \fI/var/log/sudo\-io\fR directory using a unique
+session \s-1ID\s0 that is included in the normal \fBsudo\fR log line, prefixed
+with \fITSID=\fR.
+.IP "log_output" 16
+.IX Item "log_output"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Sp
+Output is logged to the
+\&\fI/var/log/sudo\-io\fR directory using a unique session \s-1ID\s0 that is
+included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
+can also be used to list or search the available logs.