Logging Tour

The logging component of strongDM comprises four main aspects:

  • Database queries
  • Server replays
  • Admin UI activities
  • Web logs

Logging can occur in two places: on strongDM's servers and on individual relays. Either or both can be enabled under Settings / Log Encryption & Storage in the strongDM Admin UI.

Logging setup

Enable either or both strongDM and relay logging on this page. The remainder of this guide describes the logging options available for each logging location.

strongDM Logging

Logging on the strongDM servers, if enabled, includes logs for all resource types, which are available in the strongDM Admin UI.

The only logging option under strongDM logging is whether or not to enable encryption. This option is detailed in the Remote Encryption Guide.

For more information on viewing logs, queries, and captures that are stored by strongDM, visit the Using strongDM Logs guide.

If you store logs with strongDM, they will be visible in the Admin UI for varying periods of time depending on the type of log. For more information about log retention and the more extensive logs available from the CLI, see the Log Retention documentation.

Relay Logging

Unlike strongDM logging, relay logging includes only query and capture activity. When relay logging is enabled, it has three configuration options. The first, Local encryption?, is detailed in the Local Encryption guide.

The Local storage? option lets you choose whether to log to STDOUT, a log file, a TCP port, or a local socket.

  • If you choose Stdout, the relay will log to STDOUT, and you'll need to wrap the relay process in a script that captures that output and redirects it to a location of your choosing.
  • If you choose Log files, the relay will write logs to <SDM-relay-homedir>/.sdm/logs/. This log rotates when the relay is restarted and when the current log file grows to 100MB.
  • The TCP option lets you specify a host/port combination to send logs to. You can use this option to send directly to a log aggregator or SIEM that can accept syslog-style log delivery.
  • Logging to a Socket will send to a specified local socket. This option is primarily useful for log aggregators that put agents on individual hosts and expect logs to be delivered via socket.
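
A wrapper of the kind the Stdout option calls for, as an added example that is not strongDM's own code: it appends the relay's STDOUT to an owner-only file, rotates that file by size, and passes the relay's exit status through. The function name, directory layout, file names and size threshold are assumptions, and the command that starts the relay is supplied by the caller.

```shell
#!/bin/sh
# Added example (not strongDM code). Directory, file names and the rotation
# threshold are assumptions chosen for illustration.

# capture_stdout LOG_DIR MAX_BYTES COMMAND [ARGS...]
#   COMMAND is whatever starts your relay; this script does not assume it.
capture_stdout() {
    log_dir=$1
    max_bytes=$2
    shift 2
    (
        # Relay logs hold query and capture activity: keep them owner-only.
        # The umask applies to files created here, not to pre-existing ones.
        umask 077
        mkdir -p "$log_dir" || exit 1
        log="$log_dir/relay.log"
        status_file="$log_dir/.exit_status"
        n=0

        {
            # Record the wrapped command's exit status; a plain pipeline
            # would report the status of the logging loop instead.
            rc=0
            "$@" || rc=$?
            echo "$rc" > "$status_file"
        } | while IFS= read -r line || [ -n "$line" ]; do
            printf '%s\n' "$line" >> "$log"
            size=$(( $(wc -c < "$log") ))
            if [ "$size" -ge "$max_bytes" ]; then
                # Timestamp plus counter keeps names unique within one second.
                n=$((n + 1))
                mv "$log" "$log_dir/relay.$(date +%Y%m%dT%H%M%S).$n.log"
            fi
        done

        # Hand the relay's own exit status back to the service manager.
        status=$(cat "$status_file")
        rm -f "$status_file"
        exit "$status"
    )
}
```

STDERR from the wrapped command is left untouched, so it still reaches whatever started the wrapper.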

The final option, Local format?, lets you choose whether to log in CSV or JSON format.
