Log Encryption and Storage

Last modified on August 10, 2022

Log Encryption & Storage allows you to define where and how your logs of queries, sessions, and replays are stored. You may enable strongDM server storage, gateway/relay storage, or both. If you choose not to store logs on strongDM’s servers, you must enable log storage on your relays/gateways.

Logging Setup

strongDM Storage

Storing logs on strongDM servers makes it possible to view/watch logs in the Admin UI and the CLI. Logs shown in the Admin UI are a much smaller subset of what is available via the CLI (see our log retention page for more details). Logs will be stored and accessible via the CLI for 13 months and then permanently deleted.

Remote encryption

When you store logs via strongDM servers, you must configure a remote encryption option: either strongDM or public key.

The strongDM option encrypts logs using a strongDM-generated key. The advantage of this is that strongDM can decrypt and deliver logs to you on demand.

The Public key option lets you configure a public/private key pair. That is, the system uses your public key to encrypt logs, and only the holder of the matching private key (you) can decrypt them. This means that if strongDM stores these logs, it can only send them back to you still encrypted.

Relay/Gateway Storage

You can configure query, session, and replay logs to be stored on your relays/gateways as the sole storage option or in addition to strongDM server storage. Additionally, you have the option to store these logs in either CSV or JSON format.

Local encryption

When you store logs locally on your relays/gateways, you have two encryption options: none or public key. The public key option lets you configure a public/private key pair. For more information, see Local Encryption.

Relay/Gateway destination options

The Local storage? option lets you choose the destination of your relay/gateway logs: STDOUT, a log file, a TCP port, a local socket, or a syslog.

  • If you choose Stdout, the relay/gateway will log to STDOUT, and you’ll need to wrap the relay/gateway process in a script that captures that output and redirects it to a location of your choosing.
  • If you choose Log files, the relay/gateway will write logs to <SDM_RELAY_HOME_DIRECTORY>/.sdm/logs/. This log rotates if the current log file grows to 100 MB.
  • The TCP option lets you specify a host/port combination to send logs to. You can use this option to send logs directly to a log aggregator or SIEM that accepts syslog-style log delivery over TCP.
  • The Socket option will send to a specified local socket. This option is primarily useful for log aggregators that put agents on individual hosts and expect logs to be delivered via socket.
  • The Syslog option lets you specify the host/port combination of a syslog server to send logs using the syslog protocol. You can use this option to send logs directly to a syslog aggregator or a security information and event management (SIEM) solution.
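The Stdout option above leaves capture and rotation to you. The following wrapper script is an added example (not part of the strongDM documentation or product) of how such a wrapper can append a process's STDOUT to a file and rotate that file on a size threshold, mirroring the 100 MB rotation the Log files option applies. The log directory, the file name, and the relay binary path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: wrap a process so that its STDOUT is appended to a log file,
# rotating the file once it exceeds MAX_BYTES. LOG_DIR, the file name, and the
# threshold default are assumptions for this example, not strongDM settings.

LOG_DIR="${LOG_DIR:-./relay-logs}"          # assumed default; override per environment
LOG_FILE="$LOG_DIR/relay-stdout.log"
MAX_BYTES="${MAX_BYTES:-104857600}"         # 100 MB, matching the page's rotation size

# Print the size of a file in bytes, or 0 if it does not exist.
# Uses wc rather than stat so it behaves the same on GNU and BSD systems.
file_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# Move the current log aside with a timestamp suffix once it reaches MAX_BYTES,
# so the next write starts a fresh file instead of growing without bound.
rotate_if_needed() {
    size=$(file_size "$LOG_FILE")
    if [ "$size" -ge "$MAX_BYTES" ]; then
        mv "$LOG_FILE" "$LOG_FILE.$(date +%Y%m%dT%H%M%S).$$"
    fi
}

# Run the given command and append each line of its STDOUT to LOG_FILE,
# checking the rotation threshold before every line is written.
capture_stdout() {
    mkdir -p "$LOG_DIR"
    "$@" | while IFS= read -r line; do
        rotate_if_needed
        printf '%s\n' "$line" >> "$LOG_FILE"
    done
}

# Usage (assumed binary path, adjust to your deployment):
#   capture_stdout /path/to/relay --some-flags
```

Because the loop runs line by line, a rotation never splits a log line across two files; the trade-off is that the threshold is checked against the file size before each write, so a file may exceed MAX_BYTES by at most one line.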

For more information, see Log Locally to Gateways.