Last modified on October 20, 2023
Maintaining any system or environment requires access to and analysis of various logs. This article provides general information about the following:
- The types of logs StrongDM generates
- Where StrongDM logs can be stored
- How to view and filter StrongDM logs in the Admin UI
- Log encryption options
- Information about configuring logs locations
- Managing error logs
- Auditing certain log types
StrongDM Log Types
There are four types of logs that StrongDM generates:
- Activity logs capture the actions that occur within the StrongDM product (that is, the Admin UI and the CLI); actions are primarily administrative (for example, users changing each others’ permission levels, adding or editing infrastructure, changing settings, and so forth).
- Query logs record access to resources and the commands run on them.
- Sessions/Replay logs are captured whenever an SSH, Kubernetes, or RDP session is completed.
- Error logs are the logs that record state and errors within StrongDM, and are output to a file called
sdm.logon clients and on gateway/relay servers.
Log Storage Options
- Storage of queries and sessions/replays can be configured via Settings > Log Encryption & Storage in the StrongDM Admin UI. They can be located on either StrongDM’s servers or locally on your gateway or relay servers. Moreover, you can specify whether or not replays from SSH, Kubernetes, or RDP sessions are stored with StrongDM and can be replayed.
- Activities are only stored with StrongDM.
- Error logs are stored locally on the client or gateway/relay server.
For more information on viewing logs, queries, and sessions/replays that are stored by StrongDM, visit the Using StrongDM Logs guide.
View Logs in the Admin UI
- SSH sessions
- RDP replays
- Cloud and Web
If your logs are stored on your individual relays/gateways only, you are still able to view Activity logs in the Admin UI. For more information, see the Logs guide.
Admin UI Log Search Filters
The Admin UI logs include a variety of filters in order to help you parse your data. The filters are as follows:
- Account: Filters the returned logs by user or service account
- Actor: Filters the returned logs by user (Note that this filter is available for Activities only. The date ranges available in the Admin UI vary by log type, and full logs are available via the CLI.)
- Dates: Filters the returned logs by a desired date range (Note that returned date ranges are different for each type of log and that full logs are available via the SDM CLI.)
- Resource: Filters the returned logs by resource
Log Encryption and Storage Options
Depending on your security needs, StrongDM provides a variety of log encryption options. For general log encryption, you may use either StrongDM encryption or public key encryption. With StrongDM encryption, you can easily access logs via StrongDM. Public key encryption is ideal if you prefer a Zero Trust strategy. See the Remote Encryption Guide and the Gateway Log Encryption guide for more information.
If you choose to encrypt logs on your relays and gateways, you must provide a public key.
When you use the Local storage? setting in the Admin UI’s Settings > Log Encryption & Storage area to define the method by which your logs are stored (STDOUT, Log files, TCP, Socket, Syslog), it is important to note that these methods dictate where only the Query and Session/Replay logs will be saved. This setting does not affect the Error logs of the clients or gateways/relays, which are in their local
sdm.log file. StrongDM neither provides nor enables rotation of the
sdm.log file, so if you wish to rotate this log, you must set up and manage that process yourself. The primary purpose of the error logs is to troubleshoot in real time, so this may not be necessary in many cases.
If the Enterprise bundle is enabled for your organization, you can use Log Stream to stream your StrongDM audit logs to a third-party object storage service, such as Amazon S3.
For configuration information and examples of streamed logs, please see Log Stream.
Configure Logging Services
For examples on how to configure logging with various services, see our guides:
- Logging Scenario - Send Local Logs to CloudWatch
- Logging Scenario - Send Local Logs to S3
- Logging Scenario - Send Local Logs to Filebeat
- Logging Scenario - Send Local Logs to Graylog
- Logging Scenario - Logging with Rsyslog
- Logging Scenario - Send Local Logs to a Splunk Indexer
This section provides information about our log retention policy. StrongDM stores logs (such as queries, replays, and so forth) for a period of 13 months. If the Enterprise bundle is enabled for your organization, you can view logs for any time in the last 13 months. If the Enterprise bundle is not enabled, you can view logs for the last 30 days by default.
The Admin UI shows logs when you select StrongDM as the storage location, or when you choose to store logs with StrongDM and with your gateway servers locally or with third parties. Logs are visible in the Admin UI for a particular period of time depending on the type of record. For example, some logs may show 12 months of entries, while certain kinds of queries may show the last day or the last 100 queries.
You can use the CLI to download the logs, search for specific events beyond the time range shown in the Admin UI, and get other audit information.
You can find resources and information about the following StrongDM topics in this section: