From firesmith at protonmail.com Fri Jun 7 11:23:36 2024
From: firesmith at protonmail.com (Kodiak Firesmith)
Date: Fri, 07 Jun 2024 17:23:36 +0000
Subject: [sudo-users] Sudoreplay log management
Message-ID: <6m9jw3MUmC9e9fNIJzcT02XU9KeXxojtjdvk3YkIHYdCpiDIJZPjjs387qhYVRKM5v9yUX7aBNnjAJHf4lEHbsGTHs9wslY1Resn_KedeB8=@protonmail.com>

Hi Folks,

I've noticed that on very busy servers, sudoreplay logs in /var/log/sudo-io/ can grow to substantial size. Due to the rather unique nature of the folder structure, it doesn't seem to lend itself to being managed via something like logrotate.

I was curious if others have come up with better methods of managing sudoreplay logs. Ideally there would be an option built into the sudoreplay command to perform log management or rotation activities, e.g.: sudoreplay --rotate-logs --older-than=-7d, or --rotate-logs --user=jimbob.

Until I have something that can manage these logs, I've simply excluded a few trusted accounts from sudo logging entirely, but I'd really love to be able to instead perform explicit log management like above. Especially if there are some users I'd want to preserve logs forever for, and others that I'd just want to keep a rolling 7-day lookback.

Thanks!
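
Added example, not part of the original message and not code from the sudo project: a retention script for the policy described above (a rolling 7-day window for most users, indefinite retention for a named few). It assumes each session directory under /var/log/sudo-io holds the legacy `log` info file whose first line is colon-delimited and starts with the start time (epoch seconds) and the invoking user; the function names and the user "alice" are hypothetical.

```python
#!/usr/bin/env python3
"""Prune sudo I/O log sessions by age, with per-user exemptions (added example)."""
import os
import shutil
import time


def session_info(session_dir):
    """Return (start_epoch, invoking_user) from a session's legacy `log` file."""
    path = os.path.join(session_dir, "log")
    with open(path, encoding="utf-8", errors="replace") as fh:
        fields = fh.readline().rstrip("\n").split(":")
    return int(fields[0]), fields[1]


def prune(root, max_age_days=7, keep_users=(), now=None, dry_run=True):
    """Select sessions older than max_age_days whose user is not in keep_users.

    Removes them only when dry_run is False; returns the selected directories.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    selected = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "log" not in filenames:
            continue  # intermediate directory (or the top level holding `seq`)
        dirnames[:] = []  # a session directory holds no nested sessions
        try:
            started, user = session_info(dirpath)
        except (OSError, ValueError, IndexError):
            continue  # unreadable or malformed: leave it for manual review
        if user in keep_users or started >= cutoff:
            continue
        selected.append(dirpath)
        if not dry_run:
            shutil.rmtree(dirpath)
    return sorted(selected)


if __name__ == "__main__":
    # Dry run: list what a 7-day policy would remove, keeping "alice" forever.
    for session in prune("/var/log/sudo-io", 7, keep_users={"alice"}):
        print(session)
```

Run it as a dry run first and archive the selected sessions off-host before deleting if they are needed as audit evidence; the script never touches the `seq` file that sudo uses to allocate the next session ID.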