diff --git a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1 b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1
index 9bf50ba5c..5fd7d3f40 100644
--- a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1
+++ b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1
@@ -24,15 +24,19 @@
 # The file containing the ID of the running sudo_logsrvd process.
 #pid_file = /var/run/sudo/sudo_logsrvd.pid
+# Where to log server warnings: none, stderr, syslog, or a path name.
+#server_log = syslog
+
 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 #tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the client to
 # respond. A value of 0 will disable the timeout. The default value is 30.
 #timeout = 30
-# If true, the server certificate will be verified at startup and clients
-# will authenticate the server by verifying its certificate and identity.
+# If true, the server will validate its own certificate at startup.
+# Defaults to true.
 #tls_verify = true
 # If true, client certificates will be validated by the server;
@@ -80,7 +84,23 @@
 # The default value is 30.
 #connect_timeout = 30
+# The directory to store messages in before they are sent to the relay.
+# Messages are stored in wire format.
+# The default value is /var/log/sudo_logsrvd.
+#relay_dir = /var/log/sudo_logsrvd
+
+# The number of seconds to wait after a connection error before
+# making a new attempt to forward a message to a relay host.
+# The default value is 30.
+#retry_interval = 30
+
+# Whether to store the log before relaying it. If true, enable store
+# and forward mode. If false, the client connection is immediately
+# relayed. Defaults to false.
+#store_first = true
+
 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 #tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the relay to
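Review bot: The new relay_dir comment in the second hunk never says when messages are written there, and the neighbouring store_first and retry_interval comments suggest two different triggers: store-and-forward mode when store_first is true, and a relay connection error that is retried after retry_interval seconds (that is my reading of the three comments together, not something the hunk states). A reader who sets only relay_dir cannot tell whether spool files will appear during normal operation, which matters because the comment says they hold full messages in wire format. Suggest a third line in that block, e.g. `# Messages accumulate here while store_first is true or while the relay cannot be reached.`, adjusted once the behaviour is confirmed against the relay code. The same comment block is added to logsrvd.conf.2 through logsrvd.conf.6 in their relay hunks.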
@@ -159,6 +179,10 @@
 # specified by iolog_mode.
 #iolog_mode = 0600
+# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# password in the terminal input using passprompt_regex.
+#log_passwords = true
+
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file. While the value substituted for "%{seq}"
 # is in base 36, maxseq itself should be expressed in decimal. Values
@@ -166,12 +190,22 @@
 # number "ZZZZZZ") will be silently truncated to 2176782336.
 #maxseq = 2176782336
+# One or more POSIX extended regular expressions used to match
+# password prompts in the terminal output when log_passwords is
+# disabled. Multiple passprompt_regex settings may be specified.
+#passprompt_regex = [Pp]assword[: ]*
+#passprompt_regex = [Pp]assword for [a-z0-9]+: *
+
 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 #log_type = syslog
+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+#log_exit = true
+
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
@@ -204,6 +238,10 @@
 # client.
 #alert_priority = alert
+# The syslog facility to use for server warning messages.
+# Defaults to daemon.
+#server_facility = daemon
+
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
diff --git a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2 b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2
index 615e21248..a860082c6 100644
--- a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2
+++ b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2
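Review bot: The log_passwords comment added in the first hunk is grammatically off ("plaintext password in the terminal input") and understates the limitation it hints at with "attempt": as the passprompt_regex comment in the second hunk describes it, suppression is driven by prompt matching, so input typed after a prompt that none of the configured regexes recognises is still recorded in the I/O log. That caveat belongs next to the switch, because an operator reading only this block may assume `log_passwords = false` is sufficient on its own. Suggest `# If disabled, sudo_logsrvd will attempt to avoid logging plaintext` / `# passwords in the terminal input by matching prompts with passprompt_regex;` / `# input following a prompt that no regex matches is still logged.` The same wording is added to logsrvd.conf.2 (L4), .3 (L6), .4 (L8), .5 (L11) and .6 (L14).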
@@ -24,15 +24,19 @@ listen_address = *:30344(tls)
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
+# Where to log server warnings: none, stderr, syslog, or a path name.
+server_log = syslog
+
 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the client to
 # respond. A value of 0 will disable the timeout. The default value is 30.
 timeout = 30
-# If true, the server certificate will be verified at startup and clients
-# will authenticate the server by verifying its certificate and identity.
+# If true, the server will validate its own certificate at startup.
+# Defaults to true.
 tls_verify = true
 # If true, client certificates will be validated by the server;
@@ -81,7 +85,23 @@ relay_host = localhost(tls)
 # The default value is 30.
 connect_timeout = 30
+# The directory to store messages in before they are sent to the relay.
+# Messages are stored in wire format.
+# The default value is /var/log/sudo_logsrvd.
+relay_dir = /var/log/sudo_logsrvd
+
+# The number of seconds to wait after a connection error before
+# making a new attempt to forward a message to a relay host.
+# The default value is 30.
+retry_interval = 30
+
+# Whether to store the log before relaying it. If true, enable store
+# and forward mode. If false, the client connection is immediately
+# relayed. Defaults to false.
+#store_first = true
+
 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the relay to
@@ -160,6 +180,10 @@ iolog_user = root
 # specified by iolog_mode.
 iolog_mode = 0600
+# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# password in the terminal input using passprompt_regex.
+log_passwords = true
+
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file. While the value substituted for "%{seq}"
 # is in base 36, maxseq itself should be expressed in decimal. Values
@@ -167,12 +191,23 @@ iolog_mode = 0600
 # number "ZZZZZZ") will be silently truncated to 2176782336.
 maxseq = 2176782336
+# One or more POSIX extended regular expressions used to match
+# password prompts in the terminal output when log_passwords is
+# disabled. Multiple passprompt_regex settings may be specified.
+#passprompt_regex = [Pp]assword[: ]*
+#passprompt_regex = [Pp]assword for [a-z0-9]+: *
+passprompt_regex = [Pp]assword[: ]*
+
 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 log_type = syslog
+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+log_exit = true
+
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
@@ -205,6 +240,10 @@ reject_priority = alert
 # client.
 alert_priority = alert
+# The syslog facility to use for server warning messages.
+# Defaults to daemon.
+server_facility = daemon
+
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
diff --git a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3 b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3
index 1d88b3c19..b0fba8a96 100644
--- a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3
+++ b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3
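Review bot: In the second hunk the seed activates `passprompt_regex = [Pp]assword[: ]*` while the first hunk sets `log_passwords = true`, and the new comment says the regexes are consulted only when log_passwords is disabled, so the active pattern has no effect in this configuration. For a parser seed corpus that is probably intentional, since it exercises both keys, but nothing marks it as such and the file otherwise reads like a worked example. A one-line comment above the active line would keep it from being copied as a working password-suppression setup, e.g. `# Parser seed only: set log_passwords = false for this pattern to take effect.` logsrvd.conf.4 (L9), .5 (L12) and .6 (L15) carry the same pair of settings.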
@@ -24,15 +24,19 @@ listen_address = *:30343
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
+# Where to log server warnings: none, stderr, syslog, or a path name.
+#server_log = syslog
+
 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the client to
 # respond. A value of 0 will disable the timeout. The default value is 30.
 timeout = 0
-# If true, the server certificate will be verified at startup and clients
-# will authenticate the server by verifying its certificate and identity.
+# If true, the server will validate its own certificate at startup.
+# Defaults to true.
 #tls_verify = true
 # If true, client certificates will be validated by the server;
@@ -80,7 +84,23 @@ timeout = 0
 # The default value is 30.
 #connect_timeout = 30
+# The directory to store messages in before they are sent to the relay.
+# Messages are stored in wire format.
+# The default value is /var/log/sudo_logsrvd.
+#relay_dir = /var/log/sudo_logsrvd
+
+# The number of seconds to wait after a connection error before
+# making a new attempt to forward a message to a relay host.
+# The default value is 30.
+#retry_interval = 30
+
+# Whether to store the log before relaying it. If true, enable store
+# and forward mode. If false, the client connection is immediately
+# relayed. Defaults to false.
+#store_first = true
+
 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 #tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the relay to
@@ -144,13 +164,13 @@ iolog_flush = false
 # If iolog_group is not set, the primary group-ID of the user specified
 # by iolog_user is used. If neither iolog_group nor iolog_user
 # are set, I/O log files and directories are created with group-ID 0.
-#iolog_group = sudo
+iolog_group = sudo
 # The user to use when setting the user-ID and group-ID of new I/O
 # log files and directories. If iolog_group is set, it will be used
 # instead of the user's primary group-ID. By default, I/O log files
 # and directories are created with user and group-ID 0.
-#iolog_user = sudo
+iolog_user = sudo
 # The file mode to use when creating I/O log files. The file permissions
 # will always include the owner read and write bits, even if they are
@@ -159,6 +179,10 @@ iolog_flush = false
 # specified by iolog_mode.
 iolog_mode = 0640
+# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# password in the terminal input using passprompt_regex.
+#log_passwords = true
+
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file. While the value substituted for "%{seq}"
 # is in base 36, maxseq itself should be expressed in decimal. Values
@@ -166,12 +190,22 @@ iolog_mode = 0640
 # number "ZZZZZZ") will be silently truncated to 2176782336.
 maxseq = 999999999
+# One or more POSIX extended regular expressions used to match
+# password prompts in the terminal output when log_passwords is
+# disabled. Multiple passprompt_regex settings may be specified.
+#passprompt_regex = [Pp]assword[: ]*
+#passprompt_regex = [Pp]assword for [a-z0-9]+: *
+
 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 log_type = logfile
+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+log_exit = false
+
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
@@ -204,6 +238,10 @@ log_format = json
 # client.
 #alert_priority = alert
+# The syslog facility to use for server warning messages.
+# Defaults to daemon.
+#server_facility = daemon
+
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
diff --git a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4 b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4
index b25a4d851..7d6ec4ec2 100644
--- a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4
+++ b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4
@@ -24,15 +24,19 @@ listen_address = *:30344(tls)
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
+# Where to log server warnings: none, stderr, syslog, or a path name.
+server_log = syslog
+
 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the client to
 # respond. A value of 0 will disable the timeout. The default value is 30.
 timeout = 30
-# If true, the server certificate will be verified at startup and clients
-# will authenticate the server by verifying its certificate and identity.
+# If true, the server will validate its own certificate at startup.
+# Defaults to true.
 tls_verify = true
 # If true, client certificates will be validated by the server;
@@ -73,6 +77,7 @@ tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
 # be relayed to the specified host instead of being stored locally.
 # This setting is not enabled by default.
 #relay_host = relayhost.dom.ain
+#relay_host = relayhost.dom.ain(tls)
 relay_host = localhost(tls)
 # The amount of time, in seconds, the server will wait for a connection
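Review bot: The new `#relay_host = relayhost.dom.ain(tls)` example in the last hunk introduces the `(tls)` suffix without the comment above it saying what the suffix means; the older example has no suffix and the active line `relay_host = localhost(tls)` uses it, so a reader has to guess from the listen_address notation that it selects a TLS connection to the relay (that is my reading, the hunk does not state it). Since the choice decides whether forwarded logs travel encrypted, the distinction deserves a sentence where the examples are. Suggest adding `# Append (tls) to the host name to connect to the relay over TLS.` above the two example lines. The same example line is added to logsrvd.conf.5 (L10) and logsrvd.conf.6 (L13).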
@@ -80,7 +85,23 @@ relay_host = localhost(tls)
 # The default value is 30.
 connect_timeout = 30
+# The directory to store messages in before they are sent to the relay.
+# Messages are stored in wire format.
+# The default value is /var/log/sudo_logsrvd.
+relay_dir = /var/log/sudo_logsrvd
+
+# The number of seconds to wait after a connection error before
+# making a new attempt to forward a message to a relay host.
+# The default value is 30.
+retry_interval = 30
+
+# Whether to store the log before relaying it. If true, enable store
+# and forward mode. If false, the client connection is immediately
+# relayed. Defaults to false.
+#store_first = true
+
 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the relay to
@@ -159,6 +180,10 @@ iolog_user = root
 # specified by iolog_mode.
 iolog_mode = 0600
+# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# password in the terminal input using passprompt_regex.
+log_passwords = true
+
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file. While the value substituted for "%{seq}"
 # is in base 36, maxseq itself should be expressed in decimal. Values
@@ -166,12 +191,23 @@ iolog_mode = 0600
 # number "ZZZZZZ") will be silently truncated to 2176782336.
 maxseq = 2176782336
+# One or more POSIX extended regular expressions used to match
+# password prompts in the terminal output when log_passwords is
+# disabled. Multiple passprompt_regex settings may be specified.
+#passprompt_regex = [Pp]assword[: ]*
+#passprompt_regex = [Pp]assword for [a-z0-9]+: *
+passprompt_regex = [Pp]assword[: ]*
+
 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 log_type = syslog
+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+log_exit = true
+
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
@@ -204,6 +240,10 @@ reject_priority = alert
 # client.
 alert_priority = alert
+# The syslog facility to use for server warning messages.
+# Defaults to daemon.
+server_facility = daemon
+
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
diff --git a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5 b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5
index bd1a639a3..5a4019f52 100644
--- a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5
+++ b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5
@@ -24,15 +24,19 @@ listen_address = *:30344(tls)
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
+# Where to log server warnings: none, stderr, syslog, or a path name.
+server_log = syslog
+
 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the client to
 # respond. A value of 0 will disable the timeout. The default value is 30.
 timeout = 30
-# If true, the server certificate will be verified at startup and clients
-# will authenticate the server by verifying its certificate and identity.
+# If true, the server will validate its own certificate at startup.
+# Defaults to true.
 tls_verify = true
 # If true, client certificates will be validated by the server;
@@ -73,6 +77,7 @@ tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
 # be relayed to the specified host instead of being stored locally.
 # This setting is not enabled by default.
 #relay_host = relayhost.dom.ain
+#relay_host = relayhost.dom.ain(tls)
 relay_host = localhost(tls)
 # The amount of time, in seconds, the server will wait for a connection
@@ -80,7 +85,23 @@ relay_host = localhost(tls)
 # The default value is 30.
 connect_timeout = 30
+# The directory to store messages in before they are sent to the relay.
+# Messages are stored in wire format.
+# The default value is /var/log/sudo_logsrvd.
+relay_dir = /var/log/sudo_logsrvd
+
+# The number of seconds to wait after a connection error before
+# making a new attempt to forward a message to a relay host.
+# The default value is 30.
+retry_interval = 30
+
+# Whether to store the log before relaying it. If true, enable store
+# and forward mode. If false, the client connection is immediately
+# relayed. Defaults to false.
+#store_first = true
+
 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the relay to
@@ -159,6 +180,10 @@ iolog_user = root
 # specified by iolog_mode.
 iolog_mode = 0600
+# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# password in the terminal input using passprompt_regex.
+log_passwords = true
+
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file. While the value substituted for "%{seq}"
 # is in base 36, maxseq itself should be expressed in decimal. Values
@@ -166,12 +191,23 @@ iolog_mode = 0600
 # number "ZZZZZZ") will be silently truncated to 2176782336.
 maxseq = 2176782336
+# One or more POSIX extended regular expressions used to match
+# password prompts in the terminal output when log_passwords is
+# disabled. Multiple passprompt_regex settings may be specified.
+#passprompt_regex = [Pp]assword[: ]*
+#passprompt_regex = [Pp]assword for [a-z0-9]+: *
+passprompt_regex = [Pp]assword[: ]*
+
 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 log_type = syslog
+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+log_exit = true
+
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
@@ -204,6 +240,10 @@ reject_priority = alert
 # client.
 alert_priority = alert
+# The syslog facility to use for server warning messages.
+# Defaults to daemon.
+server_facility = daemon
+
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
diff --git a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6 b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6
index 972edc7ac..33f1cf215 100644
--- a/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6
+++ b/logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6
@@ -24,15 +24,19 @@ listen_address = *:30344(tls)
 # The file containing the ID of the running sudo_logsrvd process.
 pid_file = /var/run/sudo/sudo_logsrvd.pid
+# Where to log server warnings: none, stderr, syslog, or a path name.
+server_log = syslog
+
 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the client to
 # respond. A value of 0 will disable the timeout. The default value is 30.
 timeout = 30
-# If true, the server certificate will be verified at startup and clients
-# will authenticate the server by verifying its certificate and identity.
+# If true, the server will validate its own certificate at startup.
+# Defaults to true.
 tls_verify = true
 # If true, client certificates will be validated by the server;
@@ -73,6 +77,7 @@ tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
 # be relayed to the specified host instead of being stored locally.
 # This setting is not enabled by default.
 #relay_host = relayhost.dom.ain
+#relay_host = relayhost.dom.ain(tls)
 relay_host = localhost(tls)
 # The amount of time, in seconds, the server will wait for a connection
@@ -80,7 +85,23 @@ relay_host = localhost(tls)
 # The default value is 30.
 connect_timeout = 30
+# The directory to store messages in before they are sent to the relay.
+# Messages are stored in wire format.
+# The default value is /var/log/sudo_logsrvd.
+relay_dir = /var/log/sudo_logsrvd
+
+# The number of seconds to wait after a connection error before
+# making a new attempt to forward a message to a relay host.
+# The default value is 30.
+retry_interval = 30
+
+# Whether to store the log before relaying it. If true, enable store
+# and forward mode. If false, the client connection is immediately
+# relayed. Defaults to false.
+#store_first = true
+
 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 tcp_keepalive = true
 # The amount of time, in seconds, the server will wait for the relay to
@@ -159,6 +180,10 @@ iolog_user = root
 # specified by iolog_mode.
 iolog_mode = 0600
+# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# password in the terminal input using passprompt_regex.
+log_passwords = true
+
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file. While the value substituted for "%{seq}"
 # is in base 36, maxseq itself should be expressed in decimal. Values
@@ -166,12 +191,23 @@ iolog_mode = 0600
 # number "ZZZZZZ") will be silently truncated to 2176782336.
 maxseq = 2176782336
+# One or more POSIX extended regular expressions used to match
+# password prompts in the terminal output when log_passwords is
+# disabled. Multiple passprompt_regex settings may be specified.
+#passprompt_regex = [Pp]assword[: ]*
+#passprompt_regex = [Pp]assword for [a-z0-9]+: *
+passprompt_regex = [Pp]assword[: ]*
+
 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 log_type = syslog
+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+log_exit = true
+
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
@@ -204,6 +240,10 @@ reject_priority = alert
 # client.
 alert_priority = high
+# The syslog facility to use for server warning messages.
+# Defaults to daemon.
+server_facility = daemon
+
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.