Use strongDM Logs
Last modified on September 23, 2022
When logging is configured for the strongDM Server, you can view log entries:
- Administrative activities
- Queries
- SSH, RDP, or Kubernetes session replays
These logs can be viewed directly in the strongDM Admin UI or with the sdm CLI tool.
Admin UI
Within the Admin UI, you can look at administrative activities, recent Datasource queries, and SSH, RDP, and Kubernetes session replays.
Activities
On the Activities page, you can view administrative activities, and browse from recent to older using the navigation at the top and bottom of the page.

Queries
The Queries page shows a real-time list of recent Datasource queries within your organization. To see older queries or to search within a specific time frame, use the sdm audit queries command, described under CLI below.
Note that the resource tags shown on a query are a snapshot taken at the moment the query ran. Because a resource's tags can change later, the tags in the audit trail may differ from what the resource carries now; they reflect the state of the resource's tags at that time.

Replays
On the Replays page, you can view all SSH, RDP, and Kubernetes replays, using the navigation at the top and bottom of the page.

Clicking a replay session opens a web player in which you can watch the session replayed in real time.

CLI
From the sdm command-line interface, available on macOS and Linux, you can access all auditing data (activities, queries, and replays) via the strongDM API.
Activities
To review activities performed in the strongDM Admin UI, use the sdm audit activities command. By default, it returns the 10 most recent Admin UI activities.
$ sdm audit activities
Timestamp,IP Address,Actor ID,Actor Name,Activity,Description
2018-03-22 12:28:40.276507 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the UI,Joe Admin (admin@company.com) logged into the UI.
2018-03-22 15:23:26.375064 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to none.
2018-03-22 15:23:26.376804 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log encode to plaintext.
2018-03-22 18:05:49.45456 +0000 UTC,71.232.116.201,1016,Joe Admin,user suspended,Joe Admin (admin@company.com) suspended Bob User (bob.user@company.com).
2018-03-22 18:05:51.002598 +0000 UTC,71.232.116.201,1016,Joe Admin,user type changed,Joe Admin (admin@company.com) changed type of Bob User (bob.user@company.com) to user.
2018-03-22 18:05:51.07059 +0000 UTC,71.232.116.201,1016,Joe Admin,user added to role,Joe Admin (admin@company.com) assigned Bob User (bob.user@company.com) to Junk.
2018-03-22 19:51:53.343206 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting remote log encode to strongdm.
2018-03-22 19:51:53.346103 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to stdout.
2018-03-23 14:37:43.710974 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged out from the local client,Joe Admin (admin@company.com) logged out from the local client.
2018-03-23 14:38:16.927605 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the local client,Joe Admin (admin@company.com) logged into the local client.
To look for activity in a specific time frame, use the --from and --to flags. Each takes a timestamp of the form YYYY-MM-DD or "YYYY-MM-DD HH:MM:SS" (note the quotes, which are required because of the space). You can specify --from alone, or --from and --to together; the command then returns all activities within that window. From there you can narrow the results further with grep or other text processing to find activity for a specific User, Datasource, or Server.
To view a continuous stream of Admin UI activities, or to redirect that stream to another location, use the -f (follow) flag.
Queries
Similarly to Activities, use the sdm audit queries command to list recent queries. On its own it returns the most recent queries; the --from and --to flags time-box the search just as with sdm audit activities, and the -f flag streams output to STDOUT.
$ sdm audit queries
Time,Datasource ID,Datasource Name,User ID,User Name,Duration (ms),Record Count,Query,Hash
2018-03-21 20:48:27.816603 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SELECT VERSION(),bfdacb2e17fbd4ec7a8d1dc6d6d9da37926a1198
2018-03-21 20:49:28.022841 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SHOW ALL,1ac37f50840217029812c9d0b779baf64e85261f
2018-03-21 20:49:28.530386 +0000 UTC,1333,Local pgsql,1016,Joe Admin,8,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2018-03-21 20:55:28.637862 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2018-03-21 20:55:28.920521 +0000 UTC,1333,Local pgsql,1016,Joe Admin,29,0,"SELECT rel.relname, rel.relkind, rel.reltuples, coalesce(rel.relpages,0) + coalesce(toast.relpages,0) AS num_total_pages, SUM(ind.relpages) AS index_pages, pg_roles.rolname AS owner FROM pg_class rel left join pg_class toast on (toast.oid = rel.reltoastrelid) left join pg_index on (indrelid=rel.oid) left join pg_class ind on (ind.oid = indexrelid) join pg_namespace on (rel.relnamespace =pg_namespace.oid ) left join pg_roles on ( rel.relowner = pg_roles.oid ) WHERE rel.relkind IN ('r','v','m','f','p') AND nspname = 'public'GROUP BY rel.relname, rel.relkind, rel.reltuples, coalesce(rel.relpages,0) + coalesce(toast.relpages,0), pg_roles.rolname;",8b62e88535286055252d080712a781afc1f2d53c
2018-03-21 20:56:29.153809 +0000 UTC,1333,Local pgsql,1016,Joe Admin,2,0,"SELECT rel.relname, rel.relkind, rel.reltuples, coalesce(rel.relpages,0) + coalesce(toast.relpages,0) AS num_total_pages, SUM(ind.relpages) AS index_pages, pg_roles.rolname AS owner FROM pg_class rel left join pg_class toast on (toast.oid = rel.reltoastrelid) left join pg_index on (indrelid=rel.oid) left join pg_class ind on (ind.oid = indexrelid) join pg_namespace on (rel.relnamespace =pg_namespace.oid ) left join pg_roles on ( rel.relowner = pg_roles.oid ) WHERE rel.relkind IN ('r','v','m','f','p') AND nspname = 'public'GROUP BY rel.relname, rel.relkind, rel.reltuples, coalesce(rel.relpages,0) + coalesce(toast.relpages,0), pg_roles.rolname;",8b62e88535286055252d080712a781afc1f2d53c
2018-03-21 20:56:32.125572 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,select 42;,cad5386a37b29383f33869ffa64d1585f9c93a0e
2018-03-21 20:57:17.261133 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2018-03-21 20:57:52.547195 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2018-03-21 20:58:37.72325 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
If you have turned on strongDM log encryption, you need the private key to read the query contents. Pass it with the -k <private.key> flag to decrypt the queries in the output. This flag can be combined with -f to stream decrypted query logs to another location. Anyone holding that private key can read every encrypted query, so protect it accordingly.
The --full option pulls query logs from long-term storage instead. This has the following effects:
- Time-frame precision is coarser: results are returned in one-hour blocks.
- Results may be delayed by up to one hour (queries performed within the last hour may not appear yet).
- All queries are returned, including those that bypass the Admin UI and short-term storage.
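The time-boxed activity search and the query audit described above are usually the raw material for a detection pass rather than something you read row by row. The script below is an added example, not strongDM's code, that runs a few simple rules over the CSV that sdm audit activities and sdm audit queries print: it flags organization-setting changes that switch logging off or store it in plaintext, flags user suspension, type and role changes, and flags queries that grant privileges, alter schema, or read server configuration. Both CSV samples are constructed from this page's example output (the GRANT row and its all-zero hash are made up), the rule patterns are illustrative, and the flag placement in the commented sdm invocations is assumed from the page.

```shell
#!/bin/sh
# audit_triage.sh: added example (not strongDM's code) that runs simple detection
# rules over the CSV that `sdm audit activities` and `sdm audit queries` print.
# Both samples below are constructed from the page's example output (the GRANT
# row and its zero hash are made up); the rule patterns are illustrative.

# Constructed sample of `sdm audit activities --from 2018-03-22 --to 2018-03-24`.
sample_activities() {
cat <<'EOF'
Timestamp,IP Address,Actor ID,Actor Name,Activity,Description
2018-03-22 12:28:40.276507 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the UI,Joe Admin (admin@company.com) logged into the UI.
2018-03-22 15:23:26.375064 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to none.
2018-03-22 15:23:26.376804 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log encode to plaintext.
2018-03-22 18:05:49.45456 +0000 UTC,71.232.116.201,1016,Joe Admin,user suspended,Joe Admin (admin@company.com) suspended Bob User (bob.user@company.com).
2018-03-22 18:05:51.07059 +0000 UTC,71.232.116.201,1016,Joe Admin,user added to role,Joe Admin (admin@company.com) assigned Bob User (bob.user@company.com) to Junk.
2018-03-22 19:51:53.346103 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to stdout.
EOF
}

# Constructed sample of `sdm audit queries` (already decrypted, i.e. after -k if encryption is on).
sample_queries() {
cat <<'EOF'
Time,Datasource ID,Datasource Name,User ID,User Name,Duration (ms),Record Count,Query,Hash
2018-03-21 20:48:27.816603 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SELECT VERSION(),bfdacb2e17fbd4ec7a8d1dc6d6d9da37926a1198
2018-03-21 20:49:28.022841 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SHOW ALL,1ac37f50840217029812c9d0b779baf64e85261f
2018-03-21 20:56:32.125572 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,select 42;,cad5386a37b29383f33869ffa64d1585f9c93a0e
2018-03-21 20:57:17.261133 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2018-03-21 21:02:11.000000 +0000 UTC,1333,Local pgsql,1017,Bob User,3,0,GRANT ALL PRIVILEGES ON customers TO bob;,0000000000000000000000000000000000000000
EOF
}

# flag_activities: read activity CSV on stdin, print "SEVERITY|timestamp|actor|description"
# for rows that weaken the audit trail or change who can do what.
# Columns: 1 Timestamp, 2 IP, 3 Actor ID, 4 Actor Name, 5 Activity, 6.. Description.
# The description may itself contain commas, so fields 6..NF are re-joined.
flag_activities() {
    awk -F',' 'NR > 1 {
        desc = $6; for (i = 7; i <= NF; i++) desc = desc "," $i
        sev = ""
        if ($5 == "organization setting updated" &&
            (desc ~ /log storage to none/ || desc ~ /log encode to plaintext/))
            sev = "HIGH"       # logging switched off or stored unencrypted
        else if ($5 ~ /^user (suspended|type changed|added to role)$/)
            sev = "MEDIUM"     # access-control change worth a second look
        if (sev != "") print sev "|" $1 "|" $4 "|" desc
    }'
}

# flag_queries: read query CSV on stdin, print "timestamp|user|datasource|query" for
# statements that change privileges or schema, or read server configuration.
# Columns: 1 Time, 2 DS ID, 3 DS Name, 4 User ID, 5 User Name, 6 Duration,
# 7 Record Count, 8..NF-1 Query (quoted when it contains commas), NF Hash.
flag_queries() {
    awk -F',' 'NR > 1 {
        q = $8; for (i = 9; i < NF; i++) q = q "," $i
        if (toupper(q) ~ /GRANT |REVOKE |ALTER |DROP |CREATE (USER|ROLE)|PG_SETTINGS|PG_READ_FILE/)
            print $1 "|" $5 "|" $3 "|" q
    }'
}

# Real use, once sdm is authenticated (flag placement assumed from the page):
#   sdm audit activities --from 2018-03-22 --to 2018-03-24 | flag_activities
#   sdm audit queries -k private.key --from 2018-03-22     | flag_queries
# Stand-alone demo on the constructed samples:
sample_activities | flag_activities
sample_queries    | flag_queries
```

The awk rules re-join fields past the fixed columns because the Description and Query columns can contain commas; the Hash column is always last, so the query is everything between the seventh comma and the final one. Swap the pattern lists for whatever your organization considers noteworthy.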
Replays
Via the CLI you can list replays, play them back, and grep for strings within them (SSH replays specifically).
Listing Replays
Just like Activities and Queries, use sdm audit ssh and sdm audit rdp to list recent or time-boxed SSH and RDP sessions; the same --from, --to, and -f flags apply.
$ sdm audit ssh
Time,Server ID,Server Name,User ID,User Name,Duration (ms),Capture ID,Hash
2018-03-21 20:51:16.098221 +0000 UTC,1334,prod-312-test,1016,Joe Admin,8572,s1lAGI1niKKwdSYQtwi62HIuYTIO,afb368770931a2aae89e6a8801b40eac44569d93
2018-03-21 20:53:01.4391 +0000 UTC,1334,prod-312-test,1016,Joe Admin,7515,s1lAxGI1uuKe7zpgJtwi6j2dIfjY,aa4aa0646469757df9f0b92fb5ca39a9c1bfd38d
2018-03-22 21:57:10.920914 +0000 UTC,1334,prod-312-test,1016,Joe Admin,10440,s1lAxGI1niKKwSYQtwi6229NmTpG,aa4aa0646469757df9f0b92fb5ca39a9c1bfd38d
2018-03-22 23:16:40.170815 +0000 UTC,1334,prod-312-test,1016,Joe Admin,5433,s1lAGI7rekCY29NmTpGQD5G22WlK,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-22 23:21:49.987304 +0000 UTC,1334,prod-312-test,1016,Joe Admin,4529,s1lAGIfjYkNrEW5MDbi62HIuYTIO,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-23 01:18:02.167322 +0000 UTC,1334,prod-312-test,1016,Joe Admin,6318,s1lAA4Jkn4LPkosDulWmyHgCqqeB,883b03873229301e58fb6c9ccf1a3f584953d13c
Playing Replays
You can also play back SSH session replays in your terminal, much like the replay window in the strongDM Admin UI. First you need the capture ID, which is shown in the Capture ID column of the sdm audit ssh output. Then pass it to the sdm ssh play command to replay the session in your command-line window.
$ sdm ssh play s1lAA4Jkn4LPkosDulWmyHgCqqeB
[... output elided ...]
If you just want to dump the commands and output of an SSH session to a file, perhaps for further analysis, use sdm ssh dump with the same syntax. It writes the session contents to STDOUT, so you can redirect the output to a file if you choose.
As with queries, if you have turned on strongDM log encryption you need the -k <private.key> flag to play or dump a capture.
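Listing captures, dumping them, and grepping the result is a three-step chain in practice, so here is an added example, not strongDM's code, that wires it together: pull the Capture IDs for one server and user out of sdm audit ssh output, export each transcript with sdm ssh dump (adding -k when a key is configured), and then search the exported files for a pattern. The capture listing is constructed from this page's sample output; SDM, KEY and the SUSPICIOUS pattern are assumptions of this example, and placing -k before the capture ID is assumed from the page.

```shell
#!/bin/sh
# export_ssh_captures.sh: added example (not strongDM's code) that turns the
# `sdm audit ssh` listing into a batch of `sdm ssh dump` exports and then
# searches the exported transcripts. The listing below is constructed from the
# page's sample output; SDM, KEY and SUSPICIOUS are assumptions, and the
# `-k KEY` placement before the capture ID is assumed from the page.

SDM=${SDM:-sdm}   # sdm binary; can be overridden (e.g. with a stub when testing)
KEY=${KEY:-}      # private key for log decryption; leave empty if encryption is off

# Constructed sample of `sdm audit ssh --from 2018-03-21 --to 2018-03-24`.
sample_listing() {
cat <<'EOF'
Time,Server ID,Server Name,User ID,User Name,Duration (ms),Capture ID,Hash
2018-03-21 20:51:16.098221 +0000 UTC,1334,prod-312-test,1016,Joe Admin,8572,s1lAGI1niKKwdSYQtwi62HIuYTIO,afb368770931a2aae89e6a8801b40eac44569d93
2018-03-22 23:16:40.170815 +0000 UTC,1334,prod-312-test,1016,Joe Admin,5433,s1lAGI7rekCY29NmTpGQD5G22WlK,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-23 01:18:02.167322 +0000 UTC,1334,prod-312-test,1016,Joe Admin,6318,s1lAA4Jkn4LPkosDulWmyHgCqqeB,883b03873229301e58fb6c9ccf1a3f584953d13c
EOF
}

# capture_ids SERVER USER: print the Capture ID (column 7) of each session on
# SERVER by USER from the listing CSV on stdin. These columns contain no commas,
# so plain comma splitting is safe (unlike the Query column of sdm audit queries).
capture_ids() {
    awk -F',' -v srv="$1" -v usr="$2" 'NR > 1 && $3 == srv && $5 == usr { print $7 }'
}

# dump_captures OUTDIR: read capture IDs on stdin and write each transcript to
# OUTDIR/<captureID>.txt via `sdm ssh dump`, adding -k when a key is configured.
dump_captures() {
    outdir=$1
    mkdir -p "$outdir"
    while IFS= read -r id; do
        if [ -n "$KEY" ]; then
            "$SDM" ssh dump -k "$KEY" "$id" > "$outdir/$id.txt"
        else
            "$SDM" ssh dump "$id" > "$outdir/$id.txt"
        fi
    done
}

# scan_dumps OUTDIR PATTERN: grep every exported transcript for the extended
# regex PATTERN and print "captureID:lineno:line" for each hit.
scan_dumps() {
    for f in "$1"/*.txt; do
        [ -f "$f" ] || continue
        id=$(basename "$f" .txt)
        grep -nE -- "$2" "$f" | sed "s/^/$id:/"
    done
}

# Illustrative pattern: privilege escalation, credential reads, piped remote code.
SUSPICIOUS='sudo |/etc/shadow|\.ssh/id_|curl [^|]*[|] *(ba)?sh'

# Real use, once sdm is authenticated:
#   sdm audit ssh --from 2018-03-22 | capture_ids prod-312-test 'Joe Admin' | dump_captures ./captures
#   scan_dumps ./captures "$SUSPICIOUS"
```

Because the dumps are plaintext copies of sessions that may include secrets typed or displayed on the remote host, keep the export directory as tightly controlled as the decryption key itself and delete it when the analysis is done.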