Log Stream
Last modified on August 7, 2023
This feature is part of the Enterprise bundle. If it is not enabled for your organization, please reach out to your Customer Success Manager or to Support for more details.
Log Stream allows you to stream your StrongDM audit logs to a third-party object storage service, such as Amazon S3. Having logs streamed to an external storage location for ingestion into security information and event management (SIEM) applications can help provide insights and visibility to compliance, security, and other teams.
For more information about logging, please see Logs.
How to Configure Log Stream
Log Stream is enabled and configured in the Admin UI in Settings > Log Encryption & Storage.

Amazon S3
The following steps show you how to configure Log Stream for streaming to an Amazon S3 bucket.
Under Log Stream, select Yes for Enable Log Stream?.
Select the Provider name (Amazon S3).
Enter the Region of your target bucket (for example, us-west-2).
Enter the Bucket Name (for example, unique-bucket-name).
Enter the Key Prefix (for example, sdm/logs).
Your region, bucket name, and key prefix values are then populated in the bucket policy. Click Copy to save the bucket policy to your clipboard.
Example bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StrongDMLogStream",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::910226215634:role/StrongDMLogStream"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::unique-bucket-name/sdm/logs/*"
    }
  ]
}
In a separate browser tab or window, sign in to the AWS Management Console and open the Amazon S3 console. From Buckets, choose the name of the desired bucket. On the bucket’s Permissions tab, click Edit bucket policy to add the bucket policy that you copied.
After saving changes to your bucket policy, return to the Admin UI Log Stream settings and click Test to test that data from StrongDM can be written to your S3 bucket location. The test uses the provided bucket name and key prefix values to write a test object to <BUCKET_NAME>/<KEY_PREFIX>/test.
A successful test displays the “Log Stream test successful” message. If the test fails, check that the region, bucket name, and key prefix values that you entered are correct, and ensure that the bucket policy is saved correctly in the Amazon S3 console.
When configuration is complete, your audit logs are streamed to the connected S3 bucket.
If an unrecoverable error occurs when streaming logs to the target storage location (for example, StrongDM is unable to stream some or all data to it), StrongDM administrators in your organization receive an email detailing the problem. In addition, the Log Stream settings provide more information about the stream status.
If StrongDM detects a streaming failure, logs are no longer streamed to your configured location. Once you have resolved the connection issue, logs automatically start streaming again. If you wish, you can retrieve the logs from the period of the failure using the StrongDM API or CLI.
Examples of Streamed Logs
When Log Stream is configured, several varieties of logs are streamed to the target storage location, including activities, queries for all resource types, and replay data for interactive sessions. This section provides examples of each log format.
Test
{
  "formatVersion": "v1.0.0",
  "logType": "activities",
  "actorAccountID": "a-0000000000000000",
  "timestamp": "0001-01-01T00:00:00Z"
}
Activity log example
{
  "formatVersion": "v1.0.0",
  "logType": "activities",
  "activity": "user logged into the Admin UI",
  "actorAccountID": "a-0abcdabcdab00000",
  "actorEmail": "alice.glick@strongdm.com",
  "actorFirstName": "Alice",
  "actorLastName": "Glick",
  "actorExternalID": "e-bca5454",
  "description": "Alice Glick (alice.glick@strongdm.com) logged into the Admin UI.",
  "ipAddress": "123.123.123.123",
  "objects": [
    {
      "type": "user",
      "id": "a-0abcdabcdab00000",
      "email": "alice.glick@strongdm.com"
    }
  ],
  "timestamp": "2023-05-01T18:50:04.782960647Z"
}
Query log example
{
  "formatVersion": "v1.0.0",
  "logType": "queries",
  "accountID": "a-0abcdabcdab00000",
  "accountFirstName": "Bob",
  "accountLastName": "Belcher",
  "accountEmail": "bob.belcher@strongdm.com",
  "accountExternalID": "e-bca5454",
  "durationMs": "20",
  "hash": "0da22222ba9b212ecfed33a17147c466ae0929fb",
  "queryCategory": "cloud",
  "resourceID": "rs-0abcdabcdabcd00",
  "resourceName": "AWS Development",
  "resourceTags": {
    "env": "dev"
  },
  "resourceType": "aws",
  "sourceIp": "1.23.456.789",
  "timestamp": "2023-05-01T13:13:20.895597162Z",
  "uuid": "0ABCDABCDABCDABCDABCD1234abc"
}
Replay log example
{
  "formatVersion": "v1.0.0",
  "logType": "replays",
  "chunkID": 1,
  "events": [
    {
      "data": "base64binarydata",
      "durationMs": "46"
    }
  ],
  "hash": "0da22222ba9b212ecfed33a17147c466ae0929fb",
  "queryUUID": "sABCDABCDABCDABCDABCD1234abc",
  "timestamp": "2023-05-03T21:14:12.377835194Z"
}
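The record types above name the same concepts differently (actorEmail and ipAddress in activities, accountEmail and sourceIp in queries), carry durationMs as a string, and use nanosecond timestamps that a SIEM pipeline has to handle before it can correlate events. The following Python normalizer is an added example, not StrongDM code: the function names, the v1.x version check, and treating the zero timestamp as the Test object are assumptions. It takes one JSON record as a string, because this page does not state how records are framed inside each S3 object.

```python
import json
from datetime import datetime, timezone

# Constructed sample records, trimmed from the examples on this page.
TEST = '{"formatVersion":"v1.0.0","logType":"activities","actorAccountID":"a-0000000000000000","timestamp":"0001-01-01T00:00:00Z"}'
ACTIVITY = '{"formatVersion":"v1.0.0","logType":"activities","activity":"user logged into the Admin UI","actorEmail":"alice.glick@strongdm.com","ipAddress":"123.123.123.123","timestamp":"2023-05-01T18:50:04.782960647Z"}'
QUERY = '{"formatVersion":"v1.0.0","logType":"queries","accountEmail":"bob.belcher@strongdm.com","durationMs":"20","resourceName":"AWS Development","sourceIp":"1.23.456.789","timestamp":"2023-05-01T13:13:20.895597162Z"}'
REPLAY = '{"formatVersion":"v1.0.0","logType":"replays","chunkID":1,"events":[{"data":"base64binarydata","durationMs":"46"}],"queryUUID":"sABCDABCDABCDABCDABCD1234abc","timestamp":"2023-05-03T21:14:12.377835194Z"}'


def parse_ts(ts):
    """Parse a UTC timestamp; nanosecond fractions are truncated to microseconds."""
    if not ts.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp, got {ts!r}")
    base, _, frac = ts[:-1].partition(".")
    micros = int(frac[:6].ljust(6, "0")) if frac else 0
    return datetime.fromisoformat(base).replace(microsecond=micros, tzinfo=timezone.utc)


def normalize(line):
    """Map one streamed record onto common field names for SIEM ingestion."""
    rec = json.loads(line)
    # Assumption: refuse anything but a v1.x record instead of guessing at its fields.
    if not str(rec.get("formatVersion", "")).startswith("v1."):
        raise ValueError(f"unsupported formatVersion: {rec.get('formatVersion')!r}")
    kind, when = rec.get("logType"), parse_ts(rec["timestamp"])
    # Assumption: the zero timestamp marks the object written by the Test button.
    out = {"type": kind, "time": when, "test": when.year == 1}
    if kind == "activities":
        out.update(actor=rec.get("actorEmail"), ip=rec.get("ipAddress"),
                   what=rec.get("activity"))
    elif kind == "queries":
        out.update(actor=rec.get("accountEmail"), ip=rec.get("sourceIp"),
                   what=rec.get("resourceName"), duration_ms=int(rec["durationMs"]))
    elif kind == "replays":
        # durationMs is a string per event; sum it for the chunk.
        out.update(query_uuid=rec["queryUUID"], chunk=rec["chunkID"],
                   duration_ms=sum(int(e["durationMs"]) for e in rec["events"]))
    else:
        raise ValueError(f"unknown logType: {kind!r}")
    return out


if __name__ == "__main__":
    for sample in (TEST, ACTIVITY, QUERY, REPLAY):
        print(normalize(sample))
```

Records flagged with "test": True can be dropped before indexing so that the connectivity check does not appear as user activity.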