Log Locally to Gateways

If you have configured strongDM to save logs locally on your relays and/or gateways, you can extract queries and replays from the log files. Admin UI activities, on the other hand, are always stored on the strongDM server.

There are several event types in relay logs, but the ones that are generally most useful are start events, as they contain query data and SSH/RDP session information, including the Capture ID.

Encryption #

If you have configured relay log encryption, your logs will not be directly readable. To decrypt them, you’ll need to use the sdm crypto parse-logs utility with the private.key file present.

cat logfile | sdm crypto parse-log private.key > decrypted-log

Queries #

To find queries in the relay logs, you’ll want to look for start events that are of the following forms, containing the actual query.

CSV example:

`2018-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f`

JSON example:

{
  "type": "start",
  "timestamp": "2021-01-01T13:14:15.820199164Z",
  "uuid": "01a2B3cd4Efghi567jKlMnop8qRs",
  "datasourceId": "rs-123a45678910b123",
  "datasourceName": "cli_example mysql",
  "userId": "a-0a12b34c567d89d1",
  "userName": "Jane Admin",
  "query": "/* ApplicationName=DBeaver 7.3.5 - Metadata */ SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='mysql' AND TABLE_NAME='db' ORDER BY ORDINAL_POSITION",
  "hash": "1234a56b7c891dab012ef3456g78h9i1jk2l3m45"
}

The easiest way to find queries is to use grep to search for the datastore or query that you are interested in.

Replays #

SSH #

To view SSH session replays that are contained in relay logs, you must first find the Capture ID of the session you’re interested in viewing. The Capture ID is shown in the relay logs in start events that are of this form, containing a JSON document with connection parameters:

2018-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}

It is much easier, however, to use the sdm audit ssh command, as described in Using strongDM Logs, to collect a list of SSH sessions during the time frame that interests you, including their Capture IDs.

Once you have the Capture ID, you can use sdm ssh split to extract all captures from a log file. They are saved as individual .ssh files named after the Capture ID.

$ sdm ssh split relay.1521828535.0.log
5783cb5e-e1c8-44ba-b8ee-4bc4d8c28c7d.ssh
9d880e13-f608-4fe0-b1e7-deeb35bb9f2c.ssh

Once you have the SSH file for the session you want to review, you can dump it to a text file and look at it in a text editor or simply cat the file to replay it at full speed.

RDP #

If you have relay logging enabled, RDP session contents also will be stored within them, although remote reassembly is not currently supported. Please contact support@strongdm.com if you require an RDP session to be extracted from your logs.