Processing the new sudo logging format
Neat Packaging
Compact JSON for Logfiles
This new format not only saves space but also makes it easier to process the logfiles automatically. Besides the sudo log format, it offers two new formats: json_pretty and json_compact. Whereas json_pretty is identical to the old JSON format, json_compact crams the log messages in JSON format into a single line, much like logging with syslog. You can then either process these locally with a JSON parser (e.g., jq) or forward them to a central logging instance for further analysis.
In the following example, the objective is to evaluate all the logs from a local syslog-ng instance. Alternatively, you could also send the logs from there to some other software or to a central log server. The example is merely intended to illustrate the options the new log format allows. To customize the sudo configuration, you would traditionally call up the visudo tool, which gives you an exclusive lock on the file and prevents any parallel changes to the file from overwriting your settings. Alternatively, you could create a new file in the /etc/sudoers.d/ folder for your own customizations. To edit this file, simply call:
# visudo -f /etc/sudoers.d/logging
In the file, specify that sudo should only write log messages to a text file and not additionally send them by syslog to the local journal. Now enable the new json_compact format. In this example, I'm assuming you also want to log calls to all child processes of the permitted sudo commands:
Defaults !syslog
Defaults logfile=/var/log/sudo
Defaults log_format=json_compact
Defaults log_subcmds
Listing 1 shows a simple syslog-ng configuration file that reads the JSON-formatted /var/log/sudo logfile, parses each line, and converts the logs to a different format to generate the new /var/log/sudo-text logfile. The results are shown in Listing 2. Of course, you could instead simply forward the JSON-formatted logfile to a different logging instance and analyze the logs there. The syslog-ng website provides some examples [2].
Listing 1
/etc/syslog-ng/conf.d/sudo.conf
# cat sudo.conf
source s_sudojson {
file("/var/log/sudo" flags(no-parse));
};
parser p_json {
json-parser();
};
destination d_sudo {
file("/var/log/sudo-welf"
template("$(format-welf --scope nv_pairs --exclude MESSAGE --exclude accept.submitenv)\n\n")
);
file("/var/log/sudo-text"
template("${DATE} user ${accept.submituser} ran ${accept.command} on host ${HOST} using sudo\n")
);
};
log {
source(s_sudojson);
parser(p_json);
destination(d_sudo);
};
Listing 2
New Logfile Format
May 22 09:38:51 user tscherf ran /usr/bin/vim on host master.ipa.test using sudo
May 22 09:38:52 user tscherf ran /usr/bin/who on host master.ipa.test using sudo
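The same conversion that Listing 1 performs with syslog-ng, and the local processing with a JSON parser mentioned earlier, can be done in a few lines of Python. The following is an added example, not code from the article or from the sudo or syslog-ng projects. It assumes the json_compact layout of one JSON object per line keyed by event type (accept, reject, ...); the field names accept.submituser and accept.command are the ones the article's template references, while submithost, server_time.seconds, runargv and reason are assumed here, and the sample lines are constructed, not captured from a real system.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in the json_compact layout. They are not real sudo
# output: submituser and command follow the article's syslog-ng template;
# submithost, server_time, runargv and reason are assumed field names.
SAMPLE_LINES = [
    '{"accept":{"uuid":"0001","server_time":{"seconds":1653212331},'
    '"submithost":"master.ipa.test","submituser":"tscherf",'
    '"command":"/usr/bin/vim","runuser":"root","runargv":["vim","/etc/hosts"]}}',
    '{"accept":{"uuid":"0002","server_time":{"seconds":1653212332},'
    '"submithost":"master.ipa.test","submituser":"tscherf",'
    '"command":"/usr/bin/who","runuser":"root","runargv":["who"]}}',
    '{"reject":{"uuid":"0003","server_time":{"seconds":1653212400},'
    '"submithost":"master.ipa.test","submituser":"guest",'
    '"command":"/usr/bin/cat","runargv":["cat","/etc/sudoers"],'
    '"reason":"user NOT in sudoers"}}',
    "May 22 09:40:00 master sudo: stray non-JSON line",  # must be skipped
]


def parse_event(line):
    """Return a flat dict for one json_compact record, or None when the line
    is not a single-key JSON object (then it is not a sudo JSON record)."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict) or len(obj) != 1:
        return None
    (event_type, body), = obj.items()
    if not isinstance(body, dict):
        return None
    server_time = body.get("server_time")
    seconds = server_time.get("seconds") if isinstance(server_time, dict) else None
    return {
        "event": event_type,
        "seconds": seconds,
        "host": body.get("submithost", "-"),
        "user": body.get("submituser", "-"),
        "command": body.get("command", "-"),
        "argv": body.get("runargv", []),
        "reason": body.get("reason"),
    }


def to_text(ev):
    """Render an event in the style of Listing 2 (timestamp shown in UTC)."""
    if ev["seconds"] is None:
        stamp = "-"
    else:
        stamp = datetime.fromtimestamp(ev["seconds"], tz=timezone.utc)
        stamp = stamp.strftime("%b %d %H:%M:%S")
    if ev["event"] == "accept":
        return f"{stamp} user {ev['user']} ran {ev['command']} on host {ev['host']} using sudo"
    text = f"{stamp} sudo {ev['event']}: user {ev['user']} tried {ev['command']} on host {ev['host']}"
    if ev["reason"]:
        text += f" ({ev['reason']})"
    return text


def convert(lines):
    """One text line per parseable record; non-JSON input is dropped."""
    return [to_text(ev) for ev in map(parse_event, lines) if ev is not None]


def rejects_per_user(lines):
    """Count reject records per submitting user, a cheap first review signal."""
    return Counter(ev["user"] for ev in map(parse_event, lines)
                   if ev is not None and ev["event"] == "reject")


if __name__ == "__main__":
    for text in convert(SAMPLE_LINES):
        print(text)
    print(dict(rejects_per_user(SAMPLE_LINES)))
```

Reading /var/log/sudo line by line and feeding the lines to convert() reproduces Listing 2; rejects_per_user() shows why the machine-readable format is worth having, since a count of denied attempts per user falls out of the parsed records without any regular expressions.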
Conclusions
Thanks to the new sudo log format json_compact, you can easily generate machine-readable sudo logfiles, which you can then forward to a log management system for analysis downstream. If you prefer to inspect the messages manually instead, you can either use the sudo format or json_pretty if you need more information.
Infos
- Logging sudo child processes: https://www.sudo.ws/posts/2021/08/what-is-coming-in-sudo-1.9.8/
- syslog-ng configuration examples: https://www.syslog-ng.com/community/b/blog/posts/type-support-working-with-sudo-logs-in-syslog-ng-4-0