Log Locally to Gateways

If you have configured strongDM to save logs locally on your relays and/or gateways, you can extract queries and replays from the log files. Admin UI activities, on the other hand, are always stored on the strongDM server.

As detailed in Getting Started with Logging, you can configure relay logging to STDOUT or to the default ~/.sdm/logs location. The instructions that follow will refer to whichever files hold logs in your configuration.

There are several event types in relay logs, but the ones that are generally most useful are **start** events, as they contain query data and SSH / RDP session information, including the **Capture ID**.

Encryption

If you have configured relay log encryption, your logs will not be directly readable. To decrypt them, you'll need to use the sdm crypto parse-logs utility with the private.key file present.

$ cat logfile | sdm crypto parse-log private.key > decrypted-log

Queries

To find queries in the relay logs, you'll want to look for start events that are of this form, containing the actual query:

2018-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f

The easiest way to do this is to use grep to search for the datastore or query that you are interested in.

Replays

SSH

To view SSH session replays that are contained in relay logs, you must first find the Capture ID of the session you're interested in viewing. The Capture ID can be seen in the relay logs in start events that are of this form, containing a JSON document with connection parameters:

2018-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}

However, it is much easier to use the sdm audit ssh command, as described in Using strongDM Logs, to collect a list of SSH sessions during the timeframe that interests you, including their Capture IDs.

Once you have the Capture ID, you can use sdm ssh split to extract all captures from a logfile. They are saved as individual .ssh files named after the Capture ID.

$ sdm ssh split relay.1521828535.0.log
5783cb5e-e1c8-44ba-b8ee-4bc4d8c28c7d.ssh
9d880e13-f608-4fe0-b1e7-deeb35bb9f2c.ssh

If you have encrypted relay logs, you can either decrypt them first or run the sdm ssh split command directly on the encrypted log by adding the -k flag: sdm ssh split -k private.key logfile.

Once you have the `.ssh` file for the session you want to review, you can dump it to a text file and look at it in a text editor or simply `cat` the file to replay it at full speed.

RDP

If you have relay logging enabled, RDP session contents will also be stored within them, although remote reassembly is not currently supported. Please contact support@strongdm.com if you require an RDP session to be extracted from your logs.

Gateway Log Encryption

Log Encryption