sudo will normally only log the command it explicitly runs. If a user runs a command such as sudo su or sudo sh, subsequent commands run from that shell are not subject to sudo’s security policy. The same is true for commands that offer shell escapes (including most editors). If I/O logging is enabled, subsequent commands will have their input and/or output logged, but there will not be traditional logs for those commands.
1. Edit /etc/sudoers file by using command: visudo and add the entry below:
# visudo Defaults log_output Defaults log_input Defaults iolog_dir=/backup/SUDO_IO_LOG
For example,
# cat /etc/sudoers ... # add log Defaults log_output Defaults log_input Defaults iolog_dir=/backup/SUDO_IO_LOG
2. log location
# pwd /backup/SUDO_IO_LOG # ls 00 seq