Logging Tour

There are four general types of log events that strongDM creates and stores:

  • Activities are the actions that occur within the strongDM product.
  • Queries are recorded whenever Datasources are accessed.
  • Replays are captured whenever an SSH, Kubernetes, or RDP session is completed.
  • Logs are recorded whenever a Web or Cloud resource is accessed.

There are two places that logging events can be stored: on strongDM's Servers and on individual Gateways/Relays. Either or both can be enabled via Settings / Log Encryption & Storage in the strongDM Admin UI.

Logging Setup

Enable either or both strongDM and Gateway/Relay logging in the Log Encryption & Storage settings. If you choose not to store log events on strongDM's Servers, you must enable logging on your Gateways/Relays. The remainder of this guide describes the logging encryption and storage options available.

strongDM Storage

If enabled, logging is stored on the strongDM Servers. This includes logging events for all resource types and activities.

The only logging option under strongDM logging is whether to use strongDM encryption or encryption with a key that you provide. This option is detailed in the Remote Encryption Guide.

For more information on viewing logs, queries, and captures that are stored by strongDM, visit the Using strongDM Logs guide.

If you choose to store logs with strongDM, they all will be visible in the Admin UI for varying periods of time depending on the type of log. For more information about log retention and the more extensive logs available from the CLI, see the Log Retention documentation.

Gateway/Relay Logging

When Gateway/Relay local logging is enabled, queries, replays, and logs are no longer stored on the strongDM Servers. Activities continue to be stored with strongDM. There are three configuration options available. The first, Local encryption?, is detailed in the Local Encryption guide.

The Local storage? option lets you choose the destination of your local logs: STDOUT, a log file, a TCP port, a local socket, or a syslog server.

  • If you choose Stdout, the Gateway/Relay will log to STDOUT, and you will need to wrap the Gateway/Relay process in a script that captures that output and redirects it to a location of your choosing.
  • If you choose Log files, the Gateway/Relay will write logs to <SDM_RELAY_HOME_DIRECTORY>/.sdm/logs/. This log rotates when the Gateway/Relay is restarted and when the current log file grows to 100 MB.
  • The TCP option lets you specify a host/port combination to which logs are sent. You can use this option to send directly to a log aggregator or SIEM that can accept syslog-style log delivery.
  • Logging to a Socket will send to a specified local socket. This option is primarily useful for log aggregators that put agents on individual hosts and expect logs to be delivered via socket.
  • The Syslog option lets you specify the host/port combination of a syslog server to send logs using the syslog protocol. You can use this option to send logs directly to a syslog aggregator or a security information and event management (SIEM) solution.

The final option, Local format?, lets you choose whether to log in CSV or JSON format.
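Logs delivered through the TCP or Syslog option arrive in whichever Local format? you chose, so the collector side has to accept both. The following is an added example (not strongDM's code) of a normalizer that parses either JSON or CSV lines, strips an optional RFC 5424 syslog header, and validates required fields; the CSV column order, JSON keys, syslog header and sample lines are constructed assumptions, not the Gateway's documented schema.

```python
"""Normalize Gateway/Relay log lines received via the TCP or Syslog option.
Added example, not strongDM's code: the CSV column order, JSON keys and syslog
header below are CONSTRUCTED assumptions, not the Gateway's documented schema.
"""
import csv
import io
import json
import re

CSV_COLUMNS = ["timestamp", "type", "user", "resource", "detail"]
# RFC 5424 header a syslog hop may prepend: "<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD "
_SYSLOG_HEADER = re.compile(r"^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ \S+ ")


def parse_record(line: str) -> dict:
    """Parse one line in either 'Local format?' setting (JSON or CSV) into a dict."""
    payload = _SYSLOG_HEADER.sub("", line.strip(), count=1)
    if payload.startswith("{"):
        rec = json.loads(payload)
    else:
        # csv.reader honours quoting, so a query containing commas stays one field
        row = next(csv.reader(io.StringIO(payload)))
        if len(row) != len(CSV_COLUMNS):
            raise ValueError(f"expected {len(CSV_COLUMNS)} CSV fields, got {len(row)}")
        rec = dict(zip(CSV_COLUMNS, row))
    missing = [k for k in ("timestamp", "type", "user", "resource") if k not in rec]
    if missing:
        raise ValueError(f"record is missing required fields: {missing}")
    return rec


def count_by_type(lines) -> dict:
    """Tally records per event type (query, replay, log; activities stay with strongDM)."""
    counts: dict = {}
    for line in lines:
        if line.strip():
            kind = parse_record(line)["type"]
            counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample input: a syslog-wrapped JSON record, a bare JSON record,
# and two CSV records, one with a comma inside a quoted field.
SAMPLE_LINES = [
    '<14>1 2024-05-01T12:00:00Z gateway-01 sdm-relay - - - '
    '{"timestamp": "2024-05-01T12:00:00Z", "type": "query", "user": "alice@example.com", '
    '"resource": "prod-postgres", "detail": "SELECT 1"}',
    '{"timestamp": "2024-05-01T12:00:30Z", "type": "replay", "user": "alice@example.com", '
    '"resource": "prod-k8s", "detail": "session complete"}',
    '2024-05-01T12:00:05Z,query,bob@example.com,prod-postgres,"SELECT id, email FROM users"',
    '2024-05-01T12:01:00Z,log,bob@example.com,internal-wiki,GET /index.html',
]
```

Feed `count_by_type` the lines read from your TCP or socket listener to get a quick per-type volume check before forwarding to the SIEM.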
