For logsrvd_conf_test include both tls and non-tls configs.

2025-08-22 01:49:11 +00:00 · 2022-06-02 11:38:43 -06:00 · 2022-06-02 11:38:43 -06:00 · 2d6b9d22e1
commit 2d6b9d22e1
parent d7b2ff3214
6 changed files with 549 additions and 38 deletions
--- a/2
+++ b/2
@ -407,6 +407,8 @@ logsrvd/regress/logsrvd_conf/logsrvd_dhparams.pem
 logsrvd/regress/logsrvd_conf/logsrvd_key.pem
 logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in
 logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in
 logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.1.in
 logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.2.in
 logsrvd/sendlog.c
 logsrvd/sendlog.h
 logsrvd/tls_client.c
--- a/logsrvd/Makefile.in
+++ b/logsrvd/Makefile.in
@ -283,8 +283,13 @@ check: $(TEST_PROGS) check-fuzzer
 	    MALLOC_CONF="abort:true,junk:true"; export MALLOC_CONF; \
 	    builddir=$(abs_top_builddir)/logsrvd; \
 	    cd $(srcdir) || exit 1; \
 	    if test -n "@LIBTLS@"; then \
 		$$builddir/logsrvd_conf_test $(TEST_VERBOSE) \
 		    regress/logsrvd_conf/tls/*.in; \
 	    else \
 		$$builddir/logsrvd_conf_test $(TEST_VERBOSE) \
 		    regress/logsrvd_conf/*.in; \
 	    fi; \
 	fi
 check-verbose: check
--- a/logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in
+++ b/logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in
@ -19,7 +19,7 @@
 # Multiple listen_address settings may be specified.
 # The default is to listen on all addresses.
 listen_address = *:30343
-listen_address = *:30344(tls)
+#listen_address = *:30344(tls)
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
@ -37,37 +37,37 @@ timeout = 30
 # If true, the server will validate its own certificate at startup.
 # Defaults to true.
-tls_verify = true
+#tls_verify = true
 # If true, client certificates will be validated by the server;
 # clients without a valid certificate will be unable to connect.
 # By default, client certs are not checked.
-tls_checkpeer = false
+#tls_checkpeer = false
 # Path to a certificate authority bundle file in PEM format to use
 # instead of the system's default certificate authority database.
-tls_cacert = regress/logsrvd_conf/cacert.pem
+#tls_cacert = regress/logsrvd_conf/cacert.pem
 # Path to the server's certificate file in PEM format.
 # Required for TLS connections.
-tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
+#tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
 # Path to the server's private key file in PEM format.
 # Required for TLS connections.
-tls_key = regress/logsrvd_conf/logsrvd_key.pem
+#tls_key = regress/logsrvd_conf/logsrvd_key.pem
 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
 # This setting is only effective if the negotiated protocol is TLS version
 # 1.2.  The default cipher list is HIGH:!aNULL.
-tls_ciphers_v12 = HIGH:!aNULL
+#tls_ciphers_v12 = HIGH:!aNULL
 # TLS cipher list if the negotiated protocol is TLS version 1.3.
 # The default cipher list is TLS_AES_256_GCM_SHA384.
-tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
+#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
 # Path to the Diffie-Hellman parameter file in PEM format.
 # If not set, the server will use the OpenSSL defaults.
-tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
+#tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 [relay]
 # The host name or IP address and port to send logs to in relay mode.
@ -76,7 +76,7 @@ tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 # be relayed to the specified host instead of being stored locally.
 # This setting is not enabled by default.
 #relay_host = relayhost.dom.ain
-relay_host = 127.0.0.1(tls)
+relay_host = 127.0.0.1
 # The amount of time, in seconds, the server will wait for a connection
 # to the relay server to complete.  A value of 0 will disable the timeout.
@ -108,37 +108,37 @@ timeout = 30
 # If true, the server's relay certificate will be verified at startup.
 # The default is to use the value in the [server] section.
-tls_verify = true
+#tls_verify = true
 # Whether to verify the relay's certificate for TLS connections.
 # The default is to use the value in the [server] section.
-tls_checkpeer = false
+#tls_checkpeer = false
 # Path to a certificate authority bundle file in PEM format to use
 # instead of the system's default certificate authority database.
 # The default is to use the value in the [server] section.
-tls_cacert = regress/logsrvd_conf/cacert.pem
+#tls_cacert = regress/logsrvd_conf/cacert.pem
 # Path to the server's certificate file in PEM format.
 # The default is to use the certificate in the [server] section.
-tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
+#tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
 # Path to the server's private key file in PEM format.
 # The default is to use the key in the [server] section.
-tls_key = regress/logsrvd_conf/logsrvd_key.pem
+#tls_key = regress/logsrvd_conf/logsrvd_key.pem
 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
 # this setting is only effective if the negotiated protocol is TLS version
 # 1.2.  The default is to use the value in the [server] section.
-tls_ciphers_v12 = HIGH:!aNULL
+#tls_ciphers_v12 = HIGH:!aNULL
 # TLS cipher list if the negotiated protocol is TLS version 1.3.
 # The default is to use the value in the [server] section.
-tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
+#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
 # Path to the Diffie-Hellman parameter file in PEM format.
 # The default is to use the value in the [server] section.
-tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
+#tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 [iolog]
 # The top-level directory to use when constructing the path name for the
--- a/logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in
+++ b/logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in
@ -19,7 +19,7 @@
 # Multiple listen_address settings may be specified.
 # The default is to listen on all addresses.
 listen_address = 172.0.0.1:30343
-listen_address = 172.0.0.1:30344(tls)
+#listen_address = 172.0.0.1:30344(tls)
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
@ -37,37 +37,37 @@ timeout = 30
 # If true, the server will validate its own certificate at startup.
 # Defaults to true.
-tls_verify = false
+#tls_verify = false
 # If true, client certificates will be validated by the server;
 # clients without a valid certificate will be unable to connect.
 # By default, client certs are not checked.
-tls_checkpeer = true
+#tls_checkpeer = true
 # Path to a certificate authority bundle file in PEM format to use
 # instead of the system's default certificate authority database.
-tls_cacert = regress/logsrvd_conf/cacert.pem
+#tls_cacert = regress/logsrvd_conf/cacert.pem
 # Path to the server's certificate file in PEM format.
 # Required for TLS connections.
-tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
+#tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
 # Path to the server's private key file in PEM format.
 # Required for TLS connections.
-tls_key = regress/logsrvd_conf/logsrvd_key.pem
+#tls_key = regress/logsrvd_conf/logsrvd_key.pem
 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
 # This setting is only effective if the negotiated protocol is TLS version
 # 1.2.  The default cipher list is HIGH:!aNULL.
-tls_ciphers_v12 = HIGH:!aNULL
+#tls_ciphers_v12 = HIGH:!aNULL
 # TLS cipher list if the negotiated protocol is TLS version 1.3.
 # The default cipher list is TLS_AES_256_GCM_SHA384.
-tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
+#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
 # Path to the Diffie-Hellman parameter file in PEM format.
 # If not set, the server will use the OpenSSL defaults.
-tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
+#tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 [relay]
 # The host name or IP address and port to send logs to in relay mode.
@ -76,7 +76,7 @@ tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 # be relayed to the specified host instead of being stored locally.
 # This setting is not enabled by default.
 #relay_host = relayhost.dom.ain
-relay_host = 127.0.0.1(tls)
+relay_host = 127.0.0.1
 # The amount of time, in seconds, the server will wait for a connection
 # to the relay server to complete.  A value of 0 will disable the timeout.
@ -108,37 +108,37 @@ timeout = 30
 # If true, the server's relay certificate will be verified at startup.
 # The default is to use the value in the [server] section.
-tls_verify = true
+#tls_verify = true
 # Whether to verify the relay's certificate for TLS connections.
 # The default is to use the value in the [server] section.
-tls_checkpeer = false
+#tls_checkpeer = false
 # Path to a certificate authority bundle file in PEM format to use
 # instead of the system's default certificate authority database.
 # The default is to use the value in the [server] section.
-tls_cacert = regress/logsrvd_conf/cacert.pem
+#tls_cacert = regress/logsrvd_conf/cacert.pem
 # Path to the server's certificate file in PEM format.
 # The default is to use the certificate in the [server] section.
-tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
+#tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
 # Path to the server's private key file in PEM format.
 # The default is to use the key in the [server] section.
-tls_key = regress/logsrvd_conf/logsrvd_key.pem
+#tls_key = regress/logsrvd_conf/logsrvd_key.pem
 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
 # this setting is only effective if the negotiated protocol is TLS version
 # 1.2.  The default is to use the value in the [server] section.
-tls_ciphers_v12 = HIGH:!aNULL
+#tls_ciphers_v12 = HIGH:!aNULL
 # TLS cipher list if the negotiated protocol is TLS version 1.3.
 # The default is to use the value in the [server] section.
-tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
+#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
 # Path to the Diffie-Hellman parameter file in PEM format.
 # The default is to use the value in the [server] section.
-tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
+#tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 [iolog]
 # The top-level directory to use when constructing the path name for the
--- a/logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.1.in
+++ b/logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.1.in
@ -0,0 +1,252 @@
 #
 # sudo logsrv daemon configuration
 #
 [server]
 # The host name or IP address and port to listen on with an optional TLS
 # flag.  If no port is specified, port 30343 will be used for plaintext
 # connections and port 30344 will be used to TLS connections.
 # The following forms are accepted:
 #   listen_address = hostname(tls)
 #   listen_address = hostname:port(tls)
 #   listen_address = IPv4_address(tls)
 #   listen_address = IPv4_address:port(tls)
 #   listen_address = [IPv6_address](tls)
 #   listen_address = [IPv6_address]:port(tls)
 #
 # The (tls) suffix should be omitted for plaintext connections.
 #
 # Multiple listen_address settings may be specified.
 # The default is to listen on all addresses.
 listen_address = *:30343
 listen_address = *:30344(tls)
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
 # Where to log server warnings: none, stderr, syslog, or a path name.
 server_log = syslog
 # If true, enable the SO_KEEPALIVE socket option on client connections.
 # Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the client to
 # respond.  A value of 0 will disable the timeout.  The default value is 30.
 timeout = 30
 # If true, the server will validate its own certificate at startup.
 # Defaults to true.
 tls_verify = true
 # If true, client certificates will be validated by the server;
 # clients without a valid certificate will be unable to connect.
 # By default, client certs are not checked.
 tls_checkpeer = false
 # Path to a certificate authority bundle file in PEM format to use
 # instead of the system's default certificate authority database.
 tls_cacert = regress/logsrvd_conf/cacert.pem
 # Path to the server's certificate file in PEM format.
 # Required for TLS connections.
 tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
 # Path to the server's private key file in PEM format.
 # Required for TLS connections.
 tls_key = regress/logsrvd_conf/logsrvd_key.pem
 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
 # This setting is only effective if the negotiated protocol is TLS version
 # 1.2.  The default cipher list is HIGH:!aNULL.
 tls_ciphers_v12 = HIGH:!aNULL
 # TLS cipher list if the negotiated protocol is TLS version 1.3.
 # The default cipher list is TLS_AES_256_GCM_SHA384.
 tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
 # Path to the Diffie-Hellman parameter file in PEM format.
 # If not set, the server will use the OpenSSL defaults.
 tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 [relay]
 # The host name or IP address and port to send logs to in relay mode.
 # The syntax is identical to listen_address with the exception of
 # the wild card ('*') syntax.  When this setting is enabled, logs will
 # be relayed to the specified host instead of being stored locally.
 # This setting is not enabled by default.
 #relay_host = relayhost.dom.ain
 relay_host = 127.0.0.1(tls)
 # The amount of time, in seconds, the server will wait for a connection
 # to the relay server to complete.  A value of 0 will disable the timeout.
 # The default value is 30.
 connect_timeout = 30
 # The directory to store messages in before they are sent to the relay.
 # Messages are stored in wire format.
 # The default value is /var/log/sudo_logsrvd.
 relay_dir = /var/log/sudo_logsrvd
 # The number of seconds to wait after a connection error before
 # making a new attempt to forward a message to a relay host.
 # The default value is 30.
 retry_interval = 30
 # Whether to store the log before relaying it.  If true, enable store
 # and forward mode.  If false, the client connection is immediately
 # relayed.  Defaults to false.
 store_first = true
 # If true, enable the SO_KEEPALIVE socket option on relay connections.
 # Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the relay to
 # respond.  A value of 0 will disable the timeout.  The default value is 30.
 timeout = 30
 # If true, the server's relay certificate will be verified at startup.
 # The default is to use the value in the [server] section.
 tls_verify = true
 # Whether to verify the relay's certificate for TLS connections.
 # The default is to use the value in the [server] section.
 tls_checkpeer = false
 # Path to a certificate authority bundle file in PEM format to use
 # instead of the system's default certificate authority database.
 # The default is to use the value in the [server] section.
 tls_cacert = regress/logsrvd_conf/cacert.pem
 # Path to the server's certificate file in PEM format.
 # The default is to use the certificate in the [server] section.
 tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
 # Path to the server's private key file in PEM format.
 # The default is to use the key in the [server] section.
 tls_key = regress/logsrvd_conf/logsrvd_key.pem
 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
 # this setting is only effective if the negotiated protocol is TLS version
 # 1.2.  The default is to use the value in the [server] section.
 tls_ciphers_v12 = HIGH:!aNULL
 # TLS cipher list if the negotiated protocol is TLS version 1.3.
 # The default is to use the value in the [server] section.
 tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
 # Path to the Diffie-Hellman parameter file in PEM format.
 # The default is to use the value in the [server] section.
 tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 [iolog]
 # The top-level directory to use when constructing the path name for the
 # I/O log directory.  The session sequence number, if any, is stored here.
 iolog_dir = /var/log/sudo-io
 # The path name, relative to iolog_dir, in which to store I/O logs.
 # It is possible for iolog_file to contain directory components.
 iolog_file = %{seq}
 # If set, I/O logs will be compressed using zlib.  Enabling compression can
 # make it harder to view the logs in real-time as the program is executing.
 iolog_compress = false
 # If set, I/O log data is flushed to disk after each write instead of
 # buffering it.  This makes it possible to view the logs in real-time
 # as the program is executing but reduces the effectiveness of compression.
 iolog_flush = true
 # The group to use when creating new I/O log files and directories.
 # If iolog_group is not set, the primary group-ID of the user specified
 # by iolog_user is used.  If neither iolog_group nor iolog_user
 # are set, I/O log files and directories are created with group-ID 0.
 #iolog_group = wheel
 # The user to use when setting the user-ID and group-ID of new I/O
 # log files and directories.  If iolog_group is set, it will be used
 # instead of the user's primary group-ID.  By default, I/O log files
 # and directories are created with user and group-ID 0.
 #iolog_user = root
 # The file mode to use when creating I/O log files.  The file permissions
 # will always include the owner read and write bits, even if they are
 # not present in the specified mode.  When creating I/O log directories,
 # search (execute) bits are added to match the read and write bits
 # specified by iolog_mode.
 iolog_mode = 0600
 # If disabled, sudo_logsrvd will attempt to avoid logging plaintext
 # password in the terminal input using passprompt_regex.
 log_passwords = true
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file.  While the value substituted for "%{seq}"
 # is in base 36, maxseq itself should be expressed in decimal.  Values
 # larger than 2176782336 (which corresponds to the base 36 sequence
 # number "ZZZZZZ") will be silently truncated to 2176782336.
 maxseq = 2176782336
 # One or more POSIX extended regular expressions used to match
 # password prompts in the terminal output when log_passwords is
 # disabled.  Multiple passprompt_regex settings may be specified.
 #passprompt_regex = [Pp]assword[: ]*
 passprompt_regex = [Pp]assword for [a-z0-9]+: *
 [eventlog]
 # Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 log_type = syslog
 # Whether to log an event when a command exits or is terminated by a signal.
 # Defaults to false
 log_exit = true
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
 log_format = sudo
 [syslog]
 # The maximum length of a syslog payload.
 # On many systems, syslog(3) has a relatively small log buffer.
 # IETF RFC 5424 states that syslog servers must support messages
 # of at least 480 bytes and should support messages up to 2048 bytes.
 # Messages larger than this value will be split into multiple messages.
 maxlen = 960
 # The syslog facility to use for event log messages.
 # The following syslog facilities are supported: authpriv (if your OS
 # supports it), auth, daemon, user, local0, local1, local2, local3,
 # local4, local5, local6, and local7.
 #facility = authpriv
 facility = auth
 # Syslog priority to use for event log accept messages, when the command
 # is allowed by the security policy.  The following syslog priorities are
 # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
 accept_priority = notice
 # Syslog priority to use for event log reject messages, when the command
 # is not allowed by the security policy.
 reject_priority = alert
 # Syslog priority to use for event log alert messages reported by the
 # client.
 alert_priority = alert
 # The syslog facility to use for server warning messages.
 # Defaults to daemon.
 server_facility = daemon
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
 path = /var/log/sudo.log
 # The format string used when formatting the date and time for
 # file-based event logs.  Formatting is performed via strftime(3) so
 # any format string supported by that function is allowed.
 time_format = %h %e %T
--- a/logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.2.in
+++ b/logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.2.in
@ -0,0 +1,252 @@
 #
 # sudo logsrv daemon configuration
 #
 [server]
 # The host name or IP address and port to listen on with an optional TLS
 # flag.  If no port is specified, port 30343 will be used for plaintext
 # connections and port 30344 will be used to TLS connections.
 # The following forms are accepted:
 #   listen_address = hostname(tls)
 #   listen_address = hostname:port(tls)
 #   listen_address = IPv4_address(tls)
 #   listen_address = IPv4_address:port(tls)
 #   listen_address = [IPv6_address](tls)
 #   listen_address = [IPv6_address]:port(tls)
 #
 # The (tls) suffix should be omitted for plaintext connections.
 #
 # Multiple listen_address settings may be specified.
 # The default is to listen on all addresses.
 listen_address = 172.0.0.1:30343
 listen_address = 172.0.0.1:30344(tls)
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
 # Where to log server warnings: none, stderr, syslog, or a path name.
 server_log = stderr
 # If true, enable the SO_KEEPALIVE socket option on client connections.
 # Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the client to
 # respond.  A value of 0 will disable the timeout.  The default value is 30.
 timeout = 30
 # If true, the server will validate its own certificate at startup.
 # Defaults to true.
 tls_verify = false
 # If true, client certificates will be validated by the server;
 # clients without a valid certificate will be unable to connect.
 # By default, client certs are not checked.
 tls_checkpeer = true
 # Path to a certificate authority bundle file in PEM format to use
 # instead of the system's default certificate authority database.
 tls_cacert = regress/logsrvd_conf/cacert.pem
 # Path to the server's certificate file in PEM format.
 # Required for TLS connections.
 tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
 # Path to the server's private key file in PEM format.
 # Required for TLS connections.
 tls_key = regress/logsrvd_conf/logsrvd_key.pem
 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
 # This setting is only effective if the negotiated protocol is TLS version
 # 1.2.  The default cipher list is HIGH:!aNULL.
 tls_ciphers_v12 = HIGH:!aNULL
 # TLS cipher list if the negotiated protocol is TLS version 1.3.
 # The default cipher list is TLS_AES_256_GCM_SHA384.
 tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
 # Path to the Diffie-Hellman parameter file in PEM format.
 # If not set, the server will use the OpenSSL defaults.
 tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 [relay]
 # The host name or IP address and port to send logs to in relay mode.
 # The syntax is identical to listen_address with the exception of
 # the wild card ('*') syntax.  When this setting is enabled, logs will
 # be relayed to the specified host instead of being stored locally.
 # This setting is not enabled by default.
 #relay_host = relayhost.dom.ain
 relay_host = 127.0.0.1(tls)
 # The amount of time, in seconds, the server will wait for a connection
 # to the relay server to complete.  A value of 0 will disable the timeout.
 # The default value is 30.
 connect_timeout = 30
 # The directory to store messages in before they are sent to the relay.
 # Messages are stored in wire format.
 # The default value is /var/log/sudo_logsrvd.
 relay_dir = /var/log/sudo_logsrvd
 # The number of seconds to wait after a connection error before
 # making a new attempt to forward a message to a relay host.
 # The default value is 30.
 retry_interval = 30
 # Whether to store the log before relaying it.  If true, enable store
 # and forward mode.  If false, the client connection is immediately
 # relayed.  Defaults to false.
 store_first = true
 # If true, enable the SO_KEEPALIVE socket option on relay connections.
 # Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the relay to
 # respond.  A value of 0 will disable the timeout.  The default value is 30.
 timeout = 30
 # If true, the server's relay certificate will be verified at startup.
 # The default is to use the value in the [server] section.
 tls_verify = true
 # Whether to verify the relay's certificate for TLS connections.
 # The default is to use the value in the [server] section.
 tls_checkpeer = false
 # Path to a certificate authority bundle file in PEM format to use
 # instead of the system's default certificate authority database.
 # The default is to use the value in the [server] section.
 tls_cacert = regress/logsrvd_conf/cacert.pem
 # Path to the server's certificate file in PEM format.
 # The default is to use the certificate in the [server] section.
 tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
 # Path to the server's private key file in PEM format.
 # The default is to use the key in the [server] section.
 tls_key = regress/logsrvd_conf/logsrvd_key.pem
 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
 # this setting is only effective if the negotiated protocol is TLS version
 # 1.2.  The default is to use the value in the [server] section.
 tls_ciphers_v12 = HIGH:!aNULL
 # TLS cipher list if the negotiated protocol is TLS version 1.3.
 # The default is to use the value in the [server] section.
 tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
 # Path to the Diffie-Hellman parameter file in PEM format.
 # The default is to use the value in the [server] section.
 tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
 [iolog]
 # The top-level directory to use when constructing the path name for the
 # I/O log directory.  The session sequence number, if any, is stored here.
 iolog_dir = /var/log/sudo-io
 # The path name, relative to iolog_dir, in which to store I/O logs.
 # It is possible for iolog_file to contain directory components.
 iolog_file = %{seq}
 # If set, I/O logs will be compressed using zlib.  Enabling compression can
 # make it harder to view the logs in real-time as the program is executing.
 iolog_compress = false
 # If set, I/O log data is flushed to disk after each write instead of
 # buffering it.  This makes it possible to view the logs in real-time
 # as the program is executing but reduces the effectiveness of compression.
 iolog_flush = true
 # The group to use when creating new I/O log files and directories.
 # If iolog_group is not set, the primary group-ID of the user specified
 # by iolog_user is used.  If neither iolog_group nor iolog_user
 # are set, I/O log files and directories are created with group-ID 0.
 #iolog_group = wheel
 # The user to use when setting the user-ID and group-ID of new I/O
 # log files and directories.  If iolog_group is set, it will be used
 # instead of the user's primary group-ID.  By default, I/O log files
 # and directories are created with user and group-ID 0.
 #iolog_user = root
 # The file mode to use when creating I/O log files.  The file permissions
 # will always include the owner read and write bits, even if they are
 # not present in the specified mode.  When creating I/O log directories,
 # search (execute) bits are added to match the read and write bits
 # specified by iolog_mode.
 iolog_mode = 0600
 # If disabled, sudo_logsrvd will attempt to avoid logging plaintext
 # password in the terminal input using passprompt_regex.
 log_passwords = true
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file.  While the value substituted for "%{seq}"
 # is in base 36, maxseq itself should be expressed in decimal.  Values
 # larger than 2176782336 (which corresponds to the base 36 sequence
 # number "ZZZZZZ") will be silently truncated to 2176782336.
 maxseq = 2176782336
 # One or more POSIX extended regular expressions used to match
 # password prompts in the terminal output when log_passwords is
 # disabled.  Multiple passprompt_regex settings may be specified.
 #passprompt_regex = [Pp]assword[: ]*
 passprompt_regex = [Pp]assword for [a-z0-9]+: *
 [eventlog]
 # Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 log_type = none
 # Whether to log an event when a command exits or is terminated by a signal.
 # Defaults to false
 log_exit = true
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
 log_format = json
 [syslog]
 # The maximum length of a syslog payload.
 # On many systems, syslog(3) has a relatively small log buffer.
 # IETF RFC 5424 states that syslog servers must support messages
 # of at least 480 bytes and should support messages up to 2048 bytes.
 # Messages larger than this value will be split into multiple messages.
 maxlen = 960
 # The syslog facility to use for event log messages.
 # The following syslog facilities are supported: authpriv (if your OS
 # supports it), auth, daemon, user, local0, local1, local2, local3,
 # local4, local5, local6, and local7.
 #facility = authpriv
 facility = daemon
 # Syslog priority to use for event log accept messages, when the command
 # is allowed by the security policy.  The following syslog priorities are
 # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
 accept_priority = notice
 # Syslog priority to use for event log reject messages, when the command
 # is not allowed by the security policy.
 reject_priority = alert
 # Syslog priority to use for event log alert messages reported by the
 # client.
 alert_priority = alert
 # The syslog facility to use for server warning messages.
 # Defaults to daemon.
 server_facility = daemon
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
 path = /var/log/sudo.log
 # The format string used when formatting the date and time for
 # file-based event logs.  Formatting is performed via strftime(3) so
 # any format string supported by that function is allowed.
 time_format = %h %e %T