Photo by Kelly Sikkema on Unsplash

Photo by Kelly Sikkema on Unsplash

Processing the new sudo logging format

Neat Packaging

Article from ADMIN 86/2025
By
We present an example that shows how syslog-ng uses the new logging format of the sudo tool to process sudo messages.

The Linux sudo command helps Linux administrators run specific programs in the context of another user, typically root. In this way, non-privileged users can run management programs on a system. The tool writes to a log to keep track of users who used sudo to run programs. The default format has been plain text, but from version 1.9.4, it can be configured to log in JSON format.

sudo Logging

By default, sudo uses syslog to send log messages, which means that, on a Linux system, the messages end up in the system journal. You can choose between JSON and sudo plain text as the log format. Text ensures that the messages are easy to read while keeping the amount of information that ends up in the log to a minimum (Figure 1).

Figure 1: By default, sudo uses an easy-to-read plain text log format for all messages routed by syslog.

If you are looking for more information on a sudo log event, you can change the format of the log message to JSON, which makes several data fields available in the journal (Figure 2). You will find more detailed information on the individual fields of the log format by entering

man 5 sudoers

for the

...
Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Log Management

    One of the more mundane, perhaps boring, but necessary administration tasks is checking system logs – the source of knowledge or intelligence of what is happening in the cluster.

    more »
  • Lead Image © Leo Blanchette, 123RF.com
    Installing and operating the Graylog SIEM solution
    Graylog security information and event management combines real-time monitoring and immediate notification of rule violations with long-term archiving for analysis and reporting.
    more »
  • A modern logging solution
    As systems grow more complex and distributed, managing and making sense of logs used for monitoring, debugging, and troubleshooting can become a daunting task. Fluentd and its lighter counterpart Fluent Bit can help you unify data collection and consumption to make sense of logging data.
    more »
  • Photo by Susann Schuster on Unsplash
    Network monitoring with Zeek
    Zeek offers an arsenal of scripts for monitoring popular network protocols and comes with its own policy scripting language for customization.
    more »
  • Lead Image © ffzhang, 123RF.com
    Data center management with Ralph
    The Ralph open source asset management system and configuration database keep things simple when it comes to managing data centers, but without compromising flexibility.
    more »
comments powered by Disqus