     This file is used to configure the sudo_logsrvd log server.  It
     uses an INI-style format made up of sections in square brackets and
     key/value pairs specific to each section below the section name.
     Depending on the key, values may be integers, booleans or strings.
     Section and key names are not case sensitive, but values are.  The
     pound sign ('#') is used to indicate a comment.  Both the comment
     character and any text after it, up to the end of the line, are
     ignored.  Lines beginning with a semi-colon (';') are also ignored.
     Long lines can be continued with a backslash ('\') as the last
     character on the line.  Note that leading white space is removed
     from the beginning of lines even when the continuation character is
     used.  The example at the end of this page contains a copy of the
     default file.

     The following configuration sections are recognized:

         server
         iolog
         eventlog
         syslog
         logfile

     Each section is described in detail below.

     The [server] section configures the address and port the server
     will listen on.  The following keys are recognized:

     listen_address
          The host name or IP address, optional port to listen on and an
          optional Transport Layer Security (TLS) flag in parentheses.
          The host may be a host name, an IPv4 address, an IPv6 address
          in square brackets or the wild card entry '*'.  A host setting
          of '*' will cause sudo_logsrvd to listen on all configured
          network interfaces.  If the optional tls flag is present,
          sudo_logsrvd will secure the connection with TLS version 1.2
          or 1.3.  Versions of TLS prior to 1.2 are not supported.  See
          the sudo_logsrvd manual page for details on generating TLS
          keys and certificates.  If a port is specified, it may either
          be a port number or a known service name as defined by the
          system service name database.  If no port is specified, port
          30343 will be used for plaintext connections and port 30344
          will be used for TLS connections.  The default value is:

              listen_address = *:30343
              listen_address = *:30344(tls)

          which will listen on all configured network interfaces for
          both plaintext and TLS connections.  Multiple lines may be
          specified to listen on more than one port or interface.

     pid_file
          The path to the file containing the process ID of the running
          sudo_logsrvd.  If set to an empty value, or if sudo_logsrvd is
          run with the -n (no-fork) option, no pid_file will be created.
          If pid_file refers to a symbolic link, it will be ignored.  The
          default value is /run/sudo/sudo_logsrvd.pid.

     tcp_keepalive
          If true, sudo_logsrvd will enable the TCP keepalive socket
          option on the client connection.  This enables the periodic
          transmission of keepalive messages to the client.  If the
          client does not respond to a message, the connection will be
          closed.  The default value is true.

     timeout
          The amount of time, in seconds, sudo_logsrvd will wait for the
          client to respond.  A value of 0 will disable the timeout.  The
          default value is 30.

     tls_cacert
          The path to a certificate authority bundle file, in PEM format,
          to use instead of the system's default certificate authority
          database when authenticating clients.  The default is to use
          /etc/ssl/sudo/cacert.pem if it exists, otherwise the system's
          default certificate authority database is used.

     tls_cert
          The path to the server's certificate file, in PEM format.  The
          default value is /etc/ssl/sudo/certs/logsrvd_cert.pem.

     tls_checkpeer
          If true, client certificates will be validated by the server;
          clients without a valid certificate will be unable to connect.
          If false, no validation of client certificates will be
          performed.  If true and client certificates are created using
          a private certificate authority, the tls_cacert setting must
          be set to a CA bundle that contains the CA certificate used to
          generate the client certificate.  The default value is false.

     tls_ciphers_v12
          A list of ciphers to use for connections secured by TLS version
          1.2 only, separated by a colon (':').  See the CIPHER LIST
          FORMAT section in the openssl-ciphers manual for full details.
          The default value is HIGH:!aNULL, which consists of encryption
          cipher suites with key lengths larger than 128 bits, and some
          cipher suites with 128-bit keys.  Cipher suites that offer no
          authentication are excluded.

     tls_ciphers_v13
          A list of ciphers to use for connections secured by TLS version
          1.3 only, separated by a colon (':').  Supported cipher suites
          depend on the version of OpenSSL used.  The default cipher
          suite is TLS_AES_256_GCM_SHA384.

     tls_dhparams
          The path to a file containing custom Diffie-Hellman parameters
          in PEM format.  This file can be created with the following
          command:

              openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048

          By default, sudo_logsrvd will use the OpenSSL defaults for
          Diffie-Hellman key generation.

     tls_key
          The path to the server's private key file, in PEM format.  The
          default value is /etc/ssl/sudo/private/logsrvd_key.pem.

     tls_verify
          If true, the server certificate will be verified at startup and
          clients will authenticate the server by verifying its
          certificate and identity.  If false, no verification of the
          server certificate is performed by the server or the client.
          When using self-signed certificates without a certificate
          authority, this setting should be set to false.  The default
          value is true.

     The [iolog] section configures I/O log parameters.  These settings
     are identical to the I/O log configuration in the sudoers file.  The
     following keys are recognized:

     iolog_compress
          If set, I/O logs will be compressed using zlib.  Enabling
          compression can make it harder to view the logs in real-time as
          the program is executing due to buffering.  The default value
          is false.

     iolog_dir
          The top-level directory to use when constructing the path name
          for the I/O log directory.  The session sequence number, if
          any, is stored in the directory.  The default value is
          /var/log/sudo-io.  The following percent escape sequences are
          supported:

          %{seq}
               expanded to a monotonically increasing base-36 sequence
               number, such as 0100A5, where every two digits are used
               to form a new directory

          Further escapes expand to the invoking user's login name, the
          name of the invoking user's real group-ID, the login name of
          the user the command will be run as (e.g., root), the group
          name of the user the command will be run as (e.g., wheel), the
          local host name without the domain name, and the base name of
          the command being run.  In addition, any escape sequences
          supported by the system's strftime(3) function will be
          expanded.  To include a literal '%' character, the string '%%'
          should be used.

     iolog_file
          The path name, relative to iolog_dir, in which to store I/O
          logs.  Note that iolog_file may contain directory components.
          The default value is %{seq}.  See the iolog_dir setting above
          for a list of supported percent escape sequences.  In addition
          to the escape sequences, path names that end in six or more Xs
          will have the Xs replaced with a unique combination of digits
          and letters, similar to the mktemp(3) function.  If the path
          created by concatenating iolog_dir and iolog_file already
          exists, the existing I/O log file will be truncated and
          overwritten unless iolog_file ends in six or more Xs.

     iolog_flush
          If set, I/O log data is flushed to disk after each write
          instead of buffering it.  This makes it possible to view the
          logs in real-time as the program is executing but may
          significantly reduce the effectiveness of I/O log compression.
          The default value is true.

     iolog_group
          The group name to look up when setting the group-ID on new I/O
          log files and directories.  If iolog_group is not set, the
          primary group-ID of the user specified by iolog_user is used.
          If neither iolog_group nor iolog_user are set, I/O log files
          and directories are created with group-ID 0.

     iolog_mode
          The file mode to use when creating I/O log files.  Mode bits
          for read and write permissions for owner, group or other are
          honored, everything else is ignored.  The file permissions will
          always include the owner read and write bits, even if they are
          not present in the specified mode.  When creating I/O log
          directories, search (execute) bits are added to match the read
          and write bits specified by iolog_mode.  The default value is
          0600.

     iolog_user
          The user name to look up when setting the owner of new I/O log
          files and directories.  If iolog_group is set, it will be used
          instead of the user's primary group-ID.  By default, I/O log
          files and directories are created with user and group-ID 0.

     maxseq
          The maximum sequence number that will be substituted for the
          %{seq} escape in the I/O log file (see the iolog_dir
          description above for more information).  While the value
          substituted for %{seq} is in base 36, maxseq itself should be
          expressed in decimal.  Values larger than 2176782336 (which
          corresponds to the base 36 sequence number ZZZZZZ) will be
          silently truncated to 2176782336.  The default value is
          2176782336.

     The [eventlog] section configures how (and if) security policy
     events are logged.  The following keys are recognized:

     log_type
          Where to log accept, reject and alert events reported by the
          policy.  Supported values are syslog, logfile and none.  The
          default value is syslog.

     log_format
          The event log format.  Supported log formats are sudo for
          traditional sudo-style logs and json for JSON-format logs.  The
          JSON log entries contain the full contents of the accept,
          reject and alert messages.  The default value is sudo.

     The [syslog] section configures how events are logged via syslog.
     The following keys are recognized:

     facility
          Syslog facility if syslog is being used for logging.  Defaults
          to authpriv.  The following syslog facilities are supported:
          authpriv (if your OS supports it), auth, daemon, user, local0,
          local1, local2, local3, local4, local5, local6, and local7.

     accept_priority
          Syslog priority to use when the user is allowed to run a
          command and authentication is successful.  Defaults to notice.
          The following syslog priorities are supported: alert, crit,
          debug, emerg, err, info, notice, warning, and none.  Setting it
          to a value of none will disable logging of successful commands.

     reject_priority
          Syslog priority to use when the user is not allowed to run a
          command or when authentication is unsuccessful.  Defaults to
          alert.  See accept_priority for the list of supported syslog
          priorities.

     alert_priority
          Syslog priority to use for event log alert messages received
          from the client.  Defaults to alert.  See accept_priority for
          the list of supported syslog priorities.

     maxlen
          On many systems, syslog(3) has a relatively small log buffer.
          IETF RFC 5424 states that syslog servers must support messages
          of at least 480 bytes and should support messages up to 2048
          bytes.  By default, sudo_logsrvd creates log messages up to 960
          bytes, which corresponds to the historic syslog implementation
          that used a 1024 byte buffer to store the message, date,
          hostname and program name.  To prevent syslog messages from
          being truncated, sudo_logsrvd will split up sudo-style log
          messages that are larger than maxlen bytes.  When a message is
          split, additional parts will include the string "(command
          continued)" after the user name and before the continued
          command line arguments.  JSON-format log entries are never
          split and are not affected by maxlen.

     The [logfile] section consists of settings related to logging to a
     plain file (not syslog).  The following keys are recognized:

     path
          The path to the file-based event log.  This path must be
          fully-qualified and start with a '/' character.  The default
          value is /var/log/sudo.

     time_format
          The string used when formatting the date and time for
          file-based event logs.  Formatting is performed via the
          system's strftime(3) function so any escape sequences supported
          by that function will be expanded.  The default value is
          %h %e %T, which produces the abbreviated month name, day of
          month and time of day in the C locale.

     The example that follows is a copy of the default sudo log server
     configuration file.
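The parsing rules described above (comments, ';' lines, backslash continuation, case-insensitive names) and the security-relevant [server], [eventlog] and [syslog] keys, as an added Python example that is not sudo's own code: a parser for this INI dialect plus an audit that flags settings a reviewer would question. The sample configuration, the host name in it and the severity judgements are constructed for this example; the defaults mirror the descriptions above.

```python
def parse_logsrvd_conf(text):
    """Parse the sudo_logsrvd.conf dialect: '#' begins a comment, lines
    starting with ';' are ignored, a trailing backslash continues the line,
    leading white space is always stripped, section/key names are folded to
    lower case (values keep their case), repeated keys are kept in order."""
    config, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.lstrip()                   # leading white space removed
        if line.endswith("\\"):               # continuation: join next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith(";"):
            continue
        line = line.split("#", 1)[0].strip()  # drop comment to end of line
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        config[section].setdefault(key.lower(), []).append(value)
    return config

def audit(config):
    """Flag settings a reviewer would question.  Defaults mirror the manual;
    the severity judgements are this example's.  Booleans are compared as
    written because values are case-sensitive."""
    findings = []
    srv = config.get("server", {})
    last = lambda sect, key, default: sect.get(key, [default])[-1]
    for addr in srv.get("listen_address", ["*:30343", "*:30344(tls)"]):
        if not addr.endswith("(tls)"):
            findings.append("plaintext listener: " + addr)
    if last(srv, "tls_verify", "true") == "false":
        findings.append("tls_verify = false: server certificate is never verified")
    if last(srv, "tls_checkpeer", "false") == "false":
        findings.append("tls_checkpeer = false: clients are not authenticated")
    if last(config.get("eventlog", {}), "log_type", "syslog") == "none":
        findings.append("log_type = none: policy events are not logged")
    if last(config.get("syslog", {}), "accept_priority", "notice") == "none":
        findings.append("accept_priority = none: successful commands not logged")
    return findings

# Constructed sample input (not the shipped default) exercising every rule.
SAMPLE = """\
[Server]                       # section names are case-insensitive
listen_address = *:30343       # plaintext listener
listen_address = \\
    logsrv.example.com:30344(tls)
tls_verify = false
; tls_checkpeer = true         <- ignored, so the default (false) applies
[eventlog]
log_type = syslog
"""

if __name__ == "__main__":
    for finding in audit(parse_logsrvd_conf(SAMPLE)):
        print(finding)
```

Running it against a real file (for instance `audit(parse_logsrvd_conf(open(path).read()))`) lists the plaintext listener and the two TLS findings for the sample, and nothing for a TLS-only, tls_checkpeer = true configuration.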

     #
     # sudo logsrv configuration
     #

     [server]
     # The host name or IP address and port to listen on with an optional TLS
     # flag.  If no port is specified, port 30343 will be used for plaintext
     # connections and port 30344 will be used for TLS connections.
     # The following forms are accepted:
     #   listen_address = hostname(tls)
     #   listen_address = hostname:port(tls)
     #   listen_address = IPv4_address(tls)
     #   listen_address = IPv4_address:port(tls)
     #   listen_address = [IPv6_address](tls)
     #   listen_address = [IPv6_address]:port(tls)
     #
     # The (tls) suffix should be omitted for plaintext connections.
     #
     # Multiple listen_address settings may be specified.
     # The default is to listen on all addresses.
     #listen_address = *:30343
     #listen_address = *:30344(tls)

     # The file containing the ID of the running sudo_logsrvd process.
     #pid_file = /run/sudo/sudo_logsrvd.pid

     # If set, enable the SO_KEEPALIVE socket option on the connected socket.
     #tcp_keepalive = true

     # The amount of time, in seconds, the server will wait for the client to
     # respond.  A value of 0 will disable the timeout.  The default value is 30.
     #timeout = 30

     # If set, server certificate will be verified at server startup and
     # also connecting clients will perform server authentication by
     # verifying the server's certificate and identity.
     #tls_verify = true

     # Whether to verify client certificates for TLS connections.
     # By default client certs are not checked.
     #tls_checkpeer = false

     # Path to the certificate authority bundle file in PEM format.
     # Required if 'tls_verify' or 'tls_checkpeer' is set.
     #tls_cacert = /etc/ssl/sudo/cacert.pem

     # Path to the server's certificate file in PEM format.
     # Required for TLS connections.
     #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem

     # Path to the server's private key file in PEM format.
     # Required for TLS connections.
     #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem

     # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
     # NOTE that this setting is only effective if the negotiated protocol
     # is TLS version 1.2.
     # The default cipher list is HIGH:!aNULL.
     #tls_ciphers_v12 = HIGH:!aNULL

     # TLS cipher list if the negotiated protocol is TLS version 1.3.
     # The default cipher list is TLS_AES_256_GCM_SHA384.
     #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384

     # Path to the Diffie-Hellman parameter file in PEM format.
     # If not set, the server will use the OpenSSL defaults.
     #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem

     [iolog]
     # The top-level directory to use when constructing the path name for the
     # I/O log directory.  The session sequence number, if any, is stored here.
     #iolog_dir = /var/log/sudo-io

     # The path name, relative to iolog_dir, in which to store I/O logs.
     # Note that iolog_file may contain directory components.
     #iolog_file = %{seq}

     # If set, I/O logs will be compressed using zlib.  Enabling compression can
     # make it harder to view the logs in real-time as the program is executing.
     #iolog_compress = false

     # If set, I/O log data is flushed to disk after each write instead of
     # buffering it.  This makes it possible to view the logs in real-time
     # as the program is executing but reduces the effectiveness of compression.
     #iolog_flush = true

     # The group to use when creating new I/O log files and directories.
     # If iolog_group is not set, the primary group-ID of the user specified
     # by iolog_user is used.  If neither iolog_group nor iolog_user
     # are set, I/O log files and directories are created with group-ID 0.
     #iolog_group = wheel

     # The user to use when setting the user-ID and group-ID of new I/O
     # log files and directories.  If iolog_group is set, it will be used
     # instead of the user's primary group-ID.  By default, I/O log files
     # and directories are created with user and group-ID 0.
     #iolog_user = root

     # The file mode to use when creating I/O log files.  The file permissions
     # will always include the owner read and write bits, even if they are
     # not present in the specified mode.  When creating I/O log directories,
     # search (execute) bits are added to match the read and write bits
     # specified by iolog_mode.
     #iolog_mode = 0600

     # The maximum sequence number that will be substituted for the "%{seq}"
     # escape in the I/O log file.  While the value substituted for "%{seq}"
     # is in base 36, maxseq itself should be expressed in decimal.  Values
     # larger than 2176782336 (which corresponds to the base 36 sequence
     # number "ZZZZZZ") will be silently truncated to 2176782336.
     #maxseq = 2176782336

     [eventlog]
     # Where to log accept, reject and alert events.
     # Accepted values are syslog, logfile, or none.
     # Defaults to syslog
     #log_type = syslog

     # Event log format.
     # Currently only sudo-style event logs are supported.
     #log_format = sudo

     [syslog]
     # The maximum length of a syslog payload.
     # On many systems, syslog(3) has a relatively small log buffer.
     # IETF RFC 5424 states that syslog servers must support messages
     # of at least 480 bytes and should support messages up to 2048 bytes.
     # Messages larger than this value will be split into multiple messages.
     #maxlen = 960

     # The syslog facility to use for event log messages.
     # The following syslog facilities are supported: authpriv (if your OS
     # supports it), auth, daemon, user, local0, local1, local2, local3,
     # local4, local5, local6, and local7.
     #facility = authpriv

     # Syslog priority to use for event log accept messages, when the command
     # is allowed by the security policy.  The following syslog priorities are
     # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
     #accept_priority = notice

     # Syslog priority to use for event log reject messages, when the command
     # is not allowed by the security policy.
     #reject_priority = alert

     # Syslog priority to use for event log alert messages reported by the
     # client.
     #alert_priority = alert

     [logfile]
     # The path to the file-based event log.
     # This path must be fully-qualified and start with a '/' character.
     #path = /var/log/sudo

     # The format string used when formatting the date and time for
     # file-based event logs.  Formatting is performed via strftime(3) so
     # any format string supported by that function is allowed.
     #time_format = %h %e %T

     See the HISTORY file in the distribution
     (https://www.sudo.ws/history.html) for a brief history of sudo.

     Many people have worked on sudo over the years; this version consists
     of code written primarily by:

     See the CONTRIBUTORS file in the distribution
     (https://www.sudo.ws/contributors.html) for an exhaustive list of
     people who have contributed to sudo.

     If you feel you have found a bug in sudo_logsrvd, please submit a bug
     report at https://bugzilla.sudo.ws/

     Limited free support is available via the sudo-users mailing list,
     see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
     search the archives.

     sudo_logsrvd is provided "AS IS" and any express or implied
     warranties, including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE file distributed with sudo or
     https://www.sudo.ws/license.html for complete details.