Last modified on April 3, 2023
This document explains how to set up a daily log of queries. By using the sdm audit command, you can retrieve a list of queries and write them to a daily log file. Writing your own daily log is especially important if you intend to store logs long-term: logs stored with StrongDM are retained for a period of 13 months, whereas logs written to your own files can be kept indefinitely or according to your own policies. See our retention policy for more information.
We recommend creating a new Linux system user with restricted permissions to run the daily audit. In this example, that user is named sdm.
Download and install the Linux Client.
Create an Admin Token
To create an admin token, sign into the StrongDM Admin UI and go to Access > API & Admin Tokens. From there, you can create an admin token with the specific rights you require. In this case, you only need the Audit > Queries permission.
After you click Create, a dialog displays the admin token. Copy the token and save it for later use in /etc/sdm-admin.token, in the format
This file must be owned by the user that runs the audit (sdm in this example):
chown sdm:sdm /etc/sdm-admin.token
Example Log Archiver Script
Here is an example log archiver script that, in the next step, is set up to run nightly. In this example, the script is stored in /opt/strongdm/bin/log-archiver.sh and writes its output to /var/log/sdm:
sudo mkdir -p /opt/strongdm/bin/
sudo mkdir -p /var/log/sdm/
sudo tee "/opt/strongdm/bin/log-archiver.sh" > /dev/null <<'EOT'
#!/bin/bash
# Yesterday's window: from yesterday 00:00:00 up to today 00:00:00
START=$(date -d "yesterday 00:00" '+%Y-%m-%d 00:00:00')
FN=$(date -d "yesterday 00:00" '+%Y-%m-%d')
END=$(date -d "today 00:00" '+%Y-%m-%d 00:00:00')
TARGET=/var/log/sdm
# Append yesterday's queries to a file named after that day, e.g. queries.2023-04-02
/opt/strongdm/bin/sdm audit queries --from "$START" --to "$END" >> "$TARGET/queries.$FN"
EOT
sudo chown sdm:sdm /var/log/sdm /opt/strongdm/ /opt/strongdm/bin/ /opt/strongdm/bin/log-archiver.sh
sudo chmod +x /opt/strongdm/bin/log-archiver.sh
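As an added example (not StrongDM's own code), here is a hardened variant of the archiver script above: it returns non-zero when sdm fails so the systemd unit records a failed run, writes through a temp file so a repeated run for the same day replaces the file instead of appending duplicate records, and creates the log with mode 0600. The SDM_BIN and SDM_LOG_DIR overrides and the run argument are assumed names introduced here.

```shell
#!/bin/bash
# Added example (not StrongDM's own code): a hardened variant of the archiver
# script. SDM_BIN, SDM_LOG_DIR and the "run" argument are assumed names.
set -eu
umask 077   # query logs are sensitive: create files as 0600

# archive_queries FROM_DAY TO_DAY OUTDIR
# Writes queries for [FROM_DAY 00:00:00, TO_DAY 00:00:00) to OUTDIR/queries.FROM_DAY.
# Fails (non-zero, no partial file) when sdm fails, so systemd records a failed
# run instead of silently leaving an empty or truncated log.
archive_queries() {
  local from_day="$1" to_day="$2" outdir="$3"
  local sdm="${SDM_BIN:-/opt/strongdm/bin/sdm}"
  local target="$outdir/queries.$from_day"
  local tmp
  tmp="$(mktemp "$outdir/.queries.$from_day.XXXXXX")"
  # Write to a temp file and rename on success: a re-run for the same day
  # (manual start, or a Persistent= catch-up) replaces the file instead of
  # appending duplicate records the way >> would.
  if "$sdm" audit queries --from "$from_day 00:00:00" --to "$to_day 00:00:00" >"$tmp"; then
    mv -f "$tmp" "$target"
  else
    rm -f "$tmp"
    echo "sdm audit queries failed for $from_day" >&2
    return 1
  fi
}

# archived_count FILE: number of records in an archived day file (0 if missing
# or empty); useful as a monitoring check that the nightly run produced data.
archived_count() {
  if [ -s "$1" ]; then wc -l <"$1" | tr -d ' '; else echo 0; fi
}

# Nightly entry point, same window as the script above (yesterday's day).
# Invoke as: log-archiver.sh run   (e.g. from ExecStart)
if [ "${1:-}" = "run" ]; then
  archive_queries "$(date -d 'yesterday 00:00' +%F)" "$(date -d 'today 00:00' +%F)" \
    "${SDM_LOG_DIR:-/var/log/sdm}"
fi
```

For the nightly job, point ExecStart at the script with the run argument; the token file is still supplied through EnvironmentFile as in the unit below.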
Set up a systemd service and timer
The systemd service definition below runs the script daily, at the time systemd runs its daily timers (OnCalendar=daily).
sudo tee "/etc/systemd/system/log-archiver.service" > /dev/null <<'EOT'
[Unit]
Description=SDM log archiver

[Service]
Type=oneshot
# The admin token is read from this file and exported to the script's environment
EnvironmentFile=/etc/sdm-admin.token
ExecStart=/opt/strongdm/bin/log-archiver.sh
User=sdm
EOT
sudo tee "/etc/systemd/system/log-archiver.timer" > /dev/null <<'EOT'
[Unit]
Description=Run log archiver daily
Requires=log-archiver.service

[Timer]
OnCalendar=daily
# Run a missed activation (e.g. the host was down at midnight) as soon as possible
Persistent=true

[Install]
WantedBy=timers.target
EOT
Activate the timer
Execute the following to activate the timer:
sudo systemctl daemon-reload
sudo systemctl enable log-archiver.timer
sudo systemctl start log-archiver.timer