Last modified on August 10, 2022
Maintaining any system or environment requires access to and analysis of various logs. This article provides general information about the following:
- The types of logs strongDM generates
- Where strongDM logs can be stored
- How to view and filter strongDM logs in the Admin UI
- Log encryption options
- Information about configuring logs locations
- Managing error logs
- Auditing certain log types
strongDM Log Types
There are four types of logs that strongDM generates:
- Activity logs capture the actions that occur within the strongDM product (that is, the Admin UI and the CLI); actions are primarily administrative (for example, users changing each others’ permission levels, adding or editing infrastructure, changing settings, and so forth).
- Query logs record access to resources and the commands run on them.
- Sessions/Replay logs are captured whenever an SSH, Kubernetes, or RDP session is completed.
- Error logs are the logs that record state and errors within strongDM, and are output to a file called
sdm.logon clients and on gateway/relay servers.
Log Storage Options
- Storage of queries and sessions/replays can be configured via Settings > Log Encryption & Storage in the strongDM Admin UI, and either be located on strongDM’s servers, or locally on your gateway/relay servers.
- Activities are only stored with strongDM.
- Error logs are stored locally on the client or gateway/relay server.
For more information on viewing logs, queries, and sessions/replays that are stored by strongDM, visit the Using strongDM Logs guide.
View Logs in the Admin UI
If your logs are stored via strongDM, the Admin UI lets you view logs for the following:
If your logs are stored on your individual relays/gateways only, you are still able to view Activity logs in the Admin UI. For more information, see the Review Logs guide.
Admin UI Log Search Filters
The Admin UI logs include a variety of filters in order to help you parse your data. The filters are as follows:
- Account: Filters the returned logs by user or service account
- Actor: Filters the returned logs by user (Note that this filter is available for Activities only. The date ranges available in the Admin UI vary by log type, and full logs are available via the CLI.)
- Dates: Filters the returned logs by a desired date range (Note that returned date ranges are different for each type of log and that full logs are available via the SDM CLI.)
- Resource: Filters the returned logs by resource
Log Encryption and Storage Options
Depending on your security needs, strongDM provides a variety of log encryption options. For general log encryption, you may use either strongDM encryption or public key encryption. With strongDM encryption, you can easily access logs via strongDM. Public key encryption is ideal if you prefer a Zero Trust strategy. See the Remote Encryption Guide and the Gateway Log Encryption guide for more information.
If you choose to encrypt logs on your relays and gateways, you must provide a public key.
When you use the Local storage? setting in the Admin UI’s Settings > Log Encryption & Storage area to define the method by which your logs are stored (STDOUT, Log files, TCP, Socket, Syslog), it is important to note that these methods dictate where only the Query and Session/Replay logs will be saved. This setting does not affect the Error logs of the clients or gateways/relays, which are in their local
sdm.log file. strongDM neither provides nor enables rotation of the
sdm.log file, so if you wish to rotate this log, you must set up and manage that process yourself. The primary purpose of the error logs is to troubleshoot in real time, so this may not be necessary in many cases.
Configure Logging Services
We have guides that give examples on how to configure logging with various services:
- Logging Scenario - Send Local Logs to CloudWatch
- Logging Scenario - Send Local Logs to S3
- Logging Scenario - Send Local Logs to Filebeat
- Logging Scenario - Send Local Logs to Graylog
- Logging Scenario - Logging with Rsyslog
- Logging Scenario - Send Local Logs to a Splunk Indexer
The Log Export Container
An easy way to export logs of queries, sessions, and replays to other logging services is by using strongDM’s Code Garden project, the Log Export Container. The Log Export Container is a Docker container that can be easily deployed and configured to export strongDM logs; the container acts as a syslog concentrator. If you wish to export your strongDM logs to a third-party logging service, you can use the container to do so. Additionally, it can also pull Activities and decode SSH and Kubernetes sessions.