Log Locally to Gateways
If you have configured strongDM to save logs locally on your relays and/or gateways, you can extract queries and replays from the log files. Admin UI activities, on the other hand, are always stored on the strongDM server.
As detailed in Getting Started with Logging, you can configure relay logging to STDOUT or to the default ~/.sdm/logs
location. The instructions that follow will refer to whichever files hold logs in your configuration.
Encryption
If you have configured relay log encryption, your logs will not be directly readable. To decrypt them, you'll need to use the sdm crypto parse-logs
utility with the private.key
file present.
$ cat logfile | sdm crypto parse-log private.key > decrypted-log
Queries
To find queries in the relay logs, you'll want to look for start events that are of the following forms, containing the actual query.
CSV example:
`2018-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f`
JSON example:
{"type": "start","timestamp": "2021-01-01T13:14:15.820199164Z","uuid": "01a2B3cd4Efghi567jKlMnop8qRs","datasourceId": "rs-123a45678910b123","datasourceName": "cli_example mysql","userId": "a-0a12b34c567d89d1","userName": "Jane Admin","query": "/* ApplicationName=DBeaver 7.3.5 - Metadata */ SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='mysql' AND TABLE_NAME='db' ORDER BY ORDINAL_POSITION","hash": "1234a56b7c891dab012ef3456g78h9i1jk2l3m45"}
The easiest way to find queries is to use grep
to search for the datastore or query that you are interested in.
Replays
SSH
To view SSH session replays that are contained in relay logs, you must first find the Capture ID of the session you're interested in viewing. The Capture ID is shown in the relay logs in start events that are of this form, containing a JSON document with connection parameters:
2018-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}
It is much easier, however, to use the sdm audit ssh
command, as described in Using strongDM Logs, to collect a list of SSH sessions during the time frame that interests you, including their Capture IDs.
Once you have the Capture ID, you can use sdm ssh split
to extract all captures from a log file. They are saved as individual .ssh
files named after the Capture ID.
$ sdm ssh split relay.1521828535.0.log5783cb5e-e1c8-44ba-b8ee-4bc4d8c28c7d.ssh9d880e13-f608-4fe0-b1e7-deeb35bb9f2c.ssh
If you have encrypted relay logs, you can either decrypt them first or run the sdm ssh split
command directly on the encrypted log by adding the -k
flag: sdm ssh split -k private.key logfile
RDP
If you have relay logging enabled, RDP session contents also will be stored within them, although remote reassembly is not currently supported. Please contact support@strongdm.com if you require an RDP session to be extracted from your logs.