How to Customize Sudo Log Format in Ubuntu Linux

You can customize the log format for sudo in Ubuntu by modifying the sudoers configuration file. This article explains how to use the logfmt option to change how sudo commands are recorded in syslog, so that you capture the specific details needed for auditing without weakening the system's security settings.

Default Sudo Logging Behavior

By default, Ubuntu records sudo usage in the system authentication log, typically located at /var/log/auth.log. The standard format includes the timestamp, user, terminal, and the command executed. While sufficient for general use, administrators often require specific fields for compliance or advanced monitoring.

Using the logfmt Option

To change the format, you must edit the sudoers file using the visudo command. This tool prevents syntax errors that could lock you out of sudo access. Open the terminal and run:

sudo visudo

Locate the Defaults section. You can add or modify the logfmt setting to define your custom structure. The format string supports various escape sequences similar to printf.

Custom Format Example

The following example changes the log output to include the user, process ID, tty, and command in a specific pattern. Add this line to the sudoers file:

Defaults logfmt="%u %p %T %z"

In this string, %u represents the user, %p represents the process ID, %T represents the tty, and %z represents the command. You can combine these tags to suit your logging infrastructure needs.

Applying and Verifying Changes

Once you save and exit visudo, the changes take effect immediately for new sudo sessions. There is no need to restart the system or the syslog service. To verify the new format, execute a sudo command and check the log file:

sudo ls /root
grep sudo /var/log/auth.log

Review the output to ensure the logs match your defined format. Anything that parses these lines downstream, such as a SIEM rule or a log-shipping filter, must be updated to the new pattern as well. Always test configuration changes in a non-production environment before applying them to live servers to avoid losing critical audit trails.
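As an added example (not part of the original article), the following Python checker parses the default sudo lines described above, the ones grep pulls out of /var/log/auth.log, and flags any entry that has lost one of the fields an audit trail depends on. The host name and the log lines are constructed for the example.

```python
import re

# Default sudo syslog line as Ubuntu writes it to /var/log/auth.log:
#   <timestamp> <host> sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=...
# A failed attempt inserts a free-text reason before TTY=.
SUDO_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$"
)
# Fields an audit trail must always carry; a line lacking one means the
# configured format has dropped something the reviewers rely on.
REQUIRED = ("TTY", "PWD", "USER", "COMMAND")

# Constructed sample lines (hypothetical host "web01"), not from a real system.
SAMPLE_LINES = [
    "Mar  4 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/bin/ls /root",
    "Mar  4 10:16:40 web01 sudo:      bob : 3 incorrect password attempts ; "
    "TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh",
    "Mar  4 10:17:01 web01 CRON[1234]: pam_unix(cron:session): "
    "session opened for user root",
]

def parse_sudo_line(line):
    """Return a dict of fields for a sudo line, or None for any other line."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    fields = {k: m.group(k) for k in ("timestamp", "host", "user")}
    # COMMAND is last and may itself contain " ; ", so split it off first.
    head, sep, command = m.group("body").partition(" ; COMMAND=")
    if sep:
        fields["COMMAND"] = command
    for part in head.split(" ; "):
        key, eq, value = part.partition("=")
        if eq:
            fields[key] = value
        else:
            fields["note"] = part  # e.g. "3 incorrect password attempts"
    return fields

def audit_log(lines):
    """Parse all sudo lines; also list entries missing a REQUIRED field."""
    entries, incomplete = [], []
    for fields in filter(None, map(parse_sudo_line, lines)):
        entries.append(fields)
        missing = [k for k in REQUIRED if k not in fields]
        if missing:
            incomplete.append((fields["user"], missing))
    return entries, incomplete
```

Feed it the real file with `audit_log(open("/var/log/auth.log"))`; a non-empty second return value means the current format no longer records every field you expected.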