Log Locally to Gateways

Last modified on January 13, 2023

If you have configured StrongDM to save logs locally on your relays and/or gateways, you can extract queries and replays from the log files. Admin UI activities, on the other hand, are always stored on the StrongDM server.

Admin UI Log Encryption & Storage Settings

As detailed in Log Encryption and Storage, you can configure relay logging to go to STDOUT or to the default ~/.sdm/logs location. The instructions that follow refer to whichever files hold logs in your configuration.

There are several event types in relay logs, but the ones that are generally most useful are start events, as they contain query data and SSH/RDP session information, including the Capture ID.

Encryption

If you have configured relay log encryption, your logs are not directly readable. To decrypt them, use the sdm crypto parse-log utility with the private.key file present.

Example:

cat logfile | sdm crypto parse-log private.key > decrypted-log

Queries

To find queries in the relay logs, look for start events that are of the following forms, containing the actual query.

The easiest way to find queries is to use grep to search for the datastore or query.

CSV example

2023-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f

JSON example

{
  "type": "start",
  "timestamp": "2023-01-01T13:14:15.820199164Z",
  "uuid": "01a2B3cd4Efghi567jKlMnop8qRs",
  "datasourceId": "rs-123a45678910b123",
  "datasourceName": "cli_example mysql",
  "userId": "a-0a12b34c567d89d1",
  "userName": "Jane Admin",
  "query": "/* ApplicationName=DBeaver 7.3.5 - Metadata */ SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='mysql' AND TABLE_NAME='db' ORDER BY ORDINAL_POSITION",
  "hash": "1234a56b7c891dab012ef3456g78h9i1jk2l3m45"
}

Replays

SSH

To view SSH session replays that are contained in relay logs, you must first find the Capture ID of the session you want to view. There are a couple of ways to get the Capture ID.

You can use the sdm audit ssh command, as described in Use StrongDM Logs, to collect a list of SSH sessions that occurred during a specific time frame, and get their Capture IDs. Once you have the Capture ID, you can use the sdm ssh split command to extract all captures from a log file. They are saved as individual SSH files named after the Capture ID.

Example:

$ sdm ssh split relay.1521828535.0.log
5783cb5e-e1c8-44ba-b8ee-4bc4d8c28c7d.ssh
9d880e13-f608-4fe0-b1e7-deeb35bb9f2c.ssh

Once you have the SSH file for the session you want to review, you can dump it to a text file and look at it in a text editor. Alternatively, you can cat the file to replay it at full speed.

Another way to get the Capture ID is to look in the relay logs. The Capture ID is shown in the relay logs in start events that are of the following form, containing a JSON document with connection parameters.

In the following example, the Capture ID is 9d880e13-f608-4fe0-b1e7-deeb35bb9f2c:

2023-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}
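As an added example (not StrongDM's own tooling), the following Python script parses both relay-log formats shown in the Queries and Replays sections, separates query start events from SSH session starts, and reports the Capture ID of each session. It assumes one event per line (JSON events compacted), that the CSV column order mirrors the JSON keys, and that the uuid of an SSH start event is its Capture ID; the sample log lines are constructed.

```python
import csv, io, json

# Constructed sample in both relay-log formats shown on this page: a CSV query
# event, a CSV SSH session start, a non-start CSV line and a one-line JSON event.
SAMPLE_LOG = '''2023-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2023-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}",0000000000000000000000000000000000000000
2023-03-23 18:11:00.000000000 +0000 UTC,other,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"",0
{"type":"start","timestamp":"2023-01-01T13:14:15.820199164Z","uuid":"01a2B3cd4Efghi567jKlMnop8qRs","datasourceId":"rs-123a45678910b123","datasourceName":"cli_example mysql","userId":"a-0a12b34c567d89d1","userName":"Jane Admin","query":"SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='mysql'","hash":"1234a56b7c891dab012ef3456g78h9i1jk2l3m45"}
'''

# CSV column order is assumed to mirror the JSON keys (an assumption, not documented).
CSV_FIELDS = ["timestamp", "type", "uuid", "datasourceId", "datasourceName",
              "userId", "userName", "query", "hash"]

def parse_event(line):
    """Parse one CSV or JSON relay-log line; return None unless it is a start event."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        event = json.loads(line)
    else:  # the csv module unescapes the doubled "" quotes inside the query field
        event = dict(zip(CSV_FIELDS, next(csv.reader(io.StringIO(line)))))
    return event if event.get("type") == "start" else None

def session_params(payload):
    """Return the SSH session JSON document carried in the query field, else None."""
    if not payload.startswith("{"):
        return None
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        return None
    return doc if isinstance(doc, dict) and "width" in doc and "type" in doc else None

def extract(log_text):
    """Split start events into (uuid, datasource, user, query) rows and SSH captures."""
    queries, captures = [], []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        who = (event["uuid"], event["datasourceName"], event["userName"])
        params = session_params(event["query"])
        if params is None:
            queries.append(who + (event["query"],))
        else:  # assumed: the uuid of an SSH start event is the Capture ID for sdm ssh split
            captures.append(who + (params["type"], params["width"], params["height"]))
    return queries, captures
```

Run it against a decrypted log file instead of SAMPLE_LOG to list every query and every SSH Capture ID in one pass, then feed the Capture IDs to sdm ssh split.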

RDP

If you have relay logging enabled, RDP session contents are also stored in the relay logs, although remote reassembly is not currently supported. Please contact support@strongdm.com if you require an RDP session to be extracted from your logs.
