Log Locally to Gateways
If you have configured strongDM to save logs locally on your relays and/or gateways, you can extract queries and replays from the log files. Admin UI activities, on the other hand, are always stored on the strongDM server.
As detailed in Getting Started with Logging, you can configure relay logging to STDOUT or to the default ~/.sdm/logs location. The instructions that follow refer to whichever files hold logs in your configuration.
Encryption
If you have configured relay log encryption, your logs will not be directly readable. To decrypt them, use the sdm crypto parse-logs utility with the private.key file present.
$ cat logfile | sdm crypto parse-log private.key > decrypted-log
Queries
To find queries in the relay logs, you'll want to look for start events that are of this form, containing the actual query:
2018-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
The easiest way to do this is to use grep to search for the datastore or query that you are interested in.
Replays
SSH
To view SSH session replays that are contained in relay logs, you must first find the Capture ID of the session you're interested in viewing. The Capture ID can be seen in the relay logs in start events that are of this form, containing a JSON document with connection parameters:
2018-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}
However, it is much easier to use the sdm audit ssh command, as described in Using strongDM Logs, to collect a list of SSH sessions during the timeframe that interests you, including their Capture IDs.
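The two lookups above (queries in start events, and the Capture ID of an SSH session's start event) both come down to reading the comma-separated start lines correctly: the payload field is quoted, may itself contain commas, and escapes embedded quotes by doubling them, which a plain grep does not understand. The following is an added example, not strongDM's code and not from the original page, that parses such lines with Python's csv module and separates query events from SSH session events. The field positions (timestamp, event, Capture ID, datastore name in the fifth field, user name in the seventh, payload in the eighth, optional trailing hash) are read off the sample lines on this page and are an assumption; the sample log is constructed, and its third and fourth lines (the "Jane Ops" query and the non-start "end" event) are invented to exercise the filters.

```python
import csv
import io
import json

# Constructed sample relay log, modelled on the start-event lines shown on this page
# (not real strongDM output). The "end" line is a hypothetical non-start event added
# only to show the event-type filter; the real name of that event is not given here.
SAMPLE_LOG = '''2018-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}"
2018-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2018-03-23 18:11:10.000000000 +0000 UTC,start,0b2c4d6e-1111-4222-8333-444455556666,1333,psql-server-6,1017,Jane Ops,"UPDATE users SET role = 'admin' WHERE id = 7;",0000000000000000000000000000000000000000
2018-03-23 18:11:12.000000000 +0000 UTC,end,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,,
'''


def parse_start_events(log_text):
    """Return one dict per start event.

    Field positions are an assumption read off the sample lines: timestamp, event,
    Capture ID, <numeric id>, datastore name, <numeric id>, user name,
    payload (query text or session JSON), optional hash.
    """
    events = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8 or row[1] != "start":
            continue
        payload = row[7]
        session = None
        try:
            doc = json.loads(payload)
            if isinstance(doc, dict):
                session = doc  # SSH-style session parameter document
        except ValueError:
            pass  # not JSON: treat the payload as a query
        events.append({
            "timestamp": row[0],
            "capture_id": row[2],
            "datastore": row[4],
            "user": row[6],
            "query": payload if session is None else None,
            "session": session,
            "hash": row[8] if len(row) > 8 else None,
        })
    return events


def queries_for_datastore(log_text, datastore):
    """All query texts issued against one datastore, in log order: what the grep
    approach finds, but with the CSV quoting handled properly."""
    return [e["query"] for e in parse_start_events(log_text)
            if e["datastore"] == datastore and e["query"] is not None]


def ssh_capture_ids(log_text):
    """Capture IDs of start events whose payload is a session document of
    type "shell": the IDs you would hand to sdm ssh split."""
    return [e["capture_id"] for e in parse_start_events(log_text)
            if e["session"] is not None and e["session"].get("type") == "shell"]


if __name__ == "__main__":
    import sys
    # Pass a (decrypted) relay log path to run against real data; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for cid in ssh_capture_ids(text):
        print("ssh capture:", cid)
    for e in parse_start_events(text):
        if e["query"] is not None:
            print(e["timestamp"], e["datastore"], e["user"], e["query"], sep=" | ")
```

Run it against a decrypted log file (python parse_relay_log.py decrypted-log) to list SSH Capture IDs and queries per datastore and user. For a quick one-off, grep ',start,' on the log and then grep for the datastore name still works; the parser matters once queries contain commas or quotes that would otherwise split the line in the wrong place.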
Once you have the Capture ID, you can use sdm ssh split to extract all captures from a logfile. They are saved as individual .ssh files named after the Capture ID.
$ sdm ssh split relay.1521828535.0.log
5783cb5e-e1c8-44ba-b8ee-4bc4d8c28c7d.ssh
9d880e13-f608-4fe0-b1e7-deeb35bb9f2c.ssh
If you have encrypted relay logs, you can either decrypt them first or run the sdm ssh split command directly on the encrypted log by adding the -k flag: sdm ssh split -k private.key logfile.
RDP
If you have relay logging enabled, RDP session contents will also be stored within them, although remote reassembly is not currently supported. Please contact support@strongdm.com if you require an RDP session to be extracted from your logs.