Logs

Last modified on May 25, 2023

Maintaining any system or environment requires access to and analysis of various logs. This article provides general information about the following:

  • The types of logs StrongDM generates
  • Where StrongDM logs can be stored
  • How to view and filter StrongDM logs in the Admin UI
  • Log encryption options
  • Information about configuring logs locations
  • Managing error logs
  • Auditing certain log types

StrongDM Log Types

There are four types of logs that StrongDM generates:

  • Activity logs capture the actions that occur within the StrongDM product (that is, the Admin UI and the CLI); actions are primarily administrative (for example, users changing each others’ permission levels, adding or editing infrastructure, changing settings, and so forth).
  • Query logs record access to resources and the commands run on them.
  • Sessions/Replay logs are captured whenever an SSH, Kubernetes, or RDP session is completed.
  • Error logs are the logs that record state and errors within StrongDM, and are output to a file called sdm.log on clients and on gateway/relay servers.

Log Storage Options

  • Storage of queries and sessions/replays can be configured via Settings > Log Encryption & Storage in the StrongDM Admin UI, and either be located on StrongDM’s servers, or locally on your gateway/relay servers.
  • Activities are only stored with StrongDM.
  • Error logs are stored locally on the client or gateway/relay server.

For more information on viewing logs, queries, and sessions/replays that are stored by StrongDM, visit the Using StrongDM Logs guide.

View Logs in the Admin UI

If your logs are stored via StrongDM, the Admin UI lets you view logs for the following:

  • Activities
  • Queries
  • SSH sessions
  • RDP replays
  • Kubernetes
  • Cloud and Web

If your logs are stored on your individual relays/gateways only, you are still able to view Activity logs in the Admin UI. For more information, see the Logs guide.

Admin UI Log Search Filters

The Admin UI logs include a variety of filters in order to help you parse your data. The filters are as follows:

  • Account: Filters the returned logs by user or service account
  • Actor: Filters the returned logs by user (Note that this filter is available for Activities only. The date ranges available in the Admin UI vary by log type, and full logs are available via the CLI.)
  • Dates: Filters the returned logs by a desired date range (Note that returned date ranges are different for each type of log and that full logs are available via the SDM CLI.)
  • Resource: Filters the returned logs by resource

Log Encryption and Storage Options

Log Encryption

Depending on your security needs, StrongDM provides a variety of log encryption options. For general log encryption, you may use either StrongDM encryption or public key encryption. With StrongDM encryption, you can easily access logs via StrongDM. Public key encryption is ideal if you prefer a Zero Trust strategy. See the Remote Encryption Guide and the Gateway Log Encryption guide for more information.

If you choose to encrypt logs on your relays and gateways, you must provide a public key.

Log Storage

When you use the Local storage? setting in the Admin UI’s Settings > Log Encryption & Storage area to define the method by which your logs are stored (STDOUT, Log files, TCP, Socket, Syslog), it is important to note that these methods dictate where only the Query and Session/Replay logs will be saved. This setting does not affect the Error logs of the clients or gateways/relays, which are in their local sdm.log file. StrongDM neither provides nor enables rotation of the sdm.log file, so if you wish to rotate this log, you must set up and manage that process yourself. The primary purpose of the error logs is to troubleshoot in real time, so this may not be necessary in many cases.

Log Stream

Log Stream allows you to stream your StrongDM audit logs to a third-party object storage service, such as Amazon S3. Having logs streamed to an external bucket for ingestion into security information and event management (SIEM) applications can help provide insights and visibility to compliance, security, and other teams.

You can use Log Stream if the Advanced Insights reporting and auditing bundle is enabled for your organization.

Log Stream Settings
Log Stream Settings

How to configure Log Stream

The following steps show you how to configure Log Stream for streaming to an Amazon S3 bucket.

  1. Under Log Stream, select Yes for Enable Log Stream?.

  2. Select the Provider name (for example, Amazon S3).

  3. Enter the Region of your target bucket (for example, us-west-2).

  4. Enter the Bucket Name (for example, unique-bucket-name).

  5. Enter the Key Prefix (for example, sdm/logs).

  6. Your region, bucket name, and key prefix values are then populated in the bucket policy. Click Copy to save the bucket policy to your clipboard.

    Example bucket policy:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StrongDMLogStream",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::910226215634:role/StrongDMLogStream"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::unique-bucket-name/sdm/logs/*"
    }
  ]
}

  7. In a separate browser tab or window, sign in to the AWS Management Console and open the Amazon S3 console. From Buckets, choose the name of the desired bucket. On the bucket’s Permissions tab, click Edit bucket policy to add the bucket policy that you copied.

  8. After saving changes to your bucket policy, return to the Admin UI Log Stream settings and click Test to test that data from StrongDM can be written to your S3 bucket location. The test uses the provided bucket name and key prefix values to write a test object to <BUCKET_NAME>/<KEY_PREFIX>/test.

A successful test displays the “Log Stream test successful” message. If the test fails, check that the region, bucket name, and key prefix values that you entered are correct, and ensure that the bucket policy is saved correctly in the Amazon S3 console.

When configuration is complete, your audit logs are streamed to the connected S3 bucket.

Examples of streamed logs

When Log Stream is configured, several varieties of logs are streamed to the target bucket, including activities, queries for all resource types, and replay data for interactive sessions. This section provides examples of each log format.

Test 
{
    "formatVersion": "v1.0.0",
    "logType": "activities",
    "actorAccountID": "a-0000000000000000",
    "timestamp": "0001-01-01T00:00:00Z"
}
Activity log example 
{
    "formatVersion": "v1.0.0",
    "logType": "activities",
    "activity": "user logged into the Admin UI",
    "actorAccountID": "a-0abcdabcdab00000",
    "actorEmail": "alice.glick@strongdm.com",
    "actorFirstName": "Alice",
    "actorLastName": "Glick",
    "actorExternalID": "e-bca5454",
    "description": "Alice Glick (alice.glick@strongdm.com) logged into the Admin UI.",
    "ipAddress": "123.123.123.123",
    "objects": [
        {
            "type": "user",
            "id": "a-0abcdabcdab00000",
            "email": "alice.glick@strongdm.com"
        }
    ],
    "timestamp": "2023-05-01T18:50:04.782960647Z"
}
Query log example 
{
    "formatVersion": "v1.0.0",
    "logType": "queries",
    "accountID": "a-0abcdabcdab00000",
    "accountFirstName": "Bob",
    "accountLastName": "Belcher",
    "accountEmail": "bob.belcher@strongdm.com",
    "accountExternalID": "e-bca5454",
    "durationMs": "20",
    "hash": "0da22222ba9b212ecfed33a17147c466ae0929fb",
    "queryCategory": "cloud",
    "resourceID": "rs-0abcdabcdabcd00",
    "resourceName": "AWS Development",
    "resourceTags": {
        "env": "dev"
    },
    "resourceType": "aws",
    "timestamp": "2023-05-01T13:13:20.895597162Z",
    "uuid": "0ABCDABCDABCDABCDABCD1234abc"
}
Replay log example 
{
    "formatVersion": "v1.0.0",
    "logType": "replays",
    "chunkID": 1,
    "events": [
        {
            "data": "base64binarydata",
            "durationMs": "46"
        }
    ],
    "hash": "0da22222ba9b212ecfed33a17147c466ae0929fb",
    "queryUUID": "sABCDABCDABCDABCDABCD1234abc",
    "timestamp": "2023-05-03T21:14:12.377835194Z"
}

Configure Logging Services

For examples on how to configure logging with various services, see our guides:

The Log Export Container

An easy way to export logs of queries, sessions, and replays to other logging services is by using StrongDM’s Code Garden project, the Log Export Container. The Log Export Container is a Docker container that can be easily deployed and configured to export StrongDM logs; the container acts as a syslog concentrator. If you wish to export your StrongDM logs to a third-party logging service, you can use the container to do so. Additionally, it can also pull Activities and decode SSH and Kubernetes sessions.

For more information on the Log Export Container, or to learn how to configure automatic exports, see the Log Export Container Guide or the Log Export Container repository on GitHub.

Log Retention

This section provides information about our log retention policy. StrongDM stores logs (such as queries, replays, and so forth) for a period of 13 months. If the Advanced Insights reporting and auditing bundle is enabled for your organization, you can view logs for any time in the last 13 months. If Advanced Insights is not enabled, you can view logs for the last 30 days by default.

The Admin UI shows logs when you select StrongDM as the storage location, or when you choose to store logs with StrongDM and with your gateway servers locally or with third parties. Logs are visible in the Admin UI for a particular period of time depending on the type of record. For example, some logs may show 12 months of entries, while certain kinds of queries may show the last day or the last 100 queries.

You can use the CLI to download the logs, search for specific events beyond the time range shown in the Admin UI, and get other audit information.

You can find resources and information about the following StrongDM topics in this section: