Log Stream

Last modified on August 7, 2023

Log Stream allows you to stream your StrongDM audit logs to a third-party object storage service, such as Amazon S3. Having logs streamed to an external storage location for ingestion into security information and event management (SIEM) applications can help provide insights and visibility to compliance, security, and other teams.

For more information about logging, please see Logs.

How to Configure Log Stream

Log Stream is enabled and configured in the Admin UI in Settings > Log Encryption & Storage.

Log Stream Settings
Log Stream Settings

Amazon S3

The following steps show you how to configure Log Stream for streaming to an Amazon S3 bucket.

  1. Under Log Stream, select Yes for Enable Log Stream?.

  2. Select the Provider name (Amazon S3).

  3. Enter the Region of your target bucket (for example, us-west-2).

  4. Enter the Bucket Name (for example, unique-bucket-name).

  5. Enter the Key Prefix (for example, sdm/logs).

  6. Your region, bucket name, and key prefix values are then populated in the bucket policy. Click Copy to save the bucket policy to your clipboard.

    Example bucket policy:

      "Version": "2012-10-17",
      "Statement": [
          "Sid": "StrongDMLogStream",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::910226215634:role/StrongDMLogStream"
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::unique-bucket-name/sdm/logs/*"
  7. In a separate browser tab or window, sign in to the AWS Management Console and open the Amazon S3 console. From Buckets, choose the name of the desired bucket. On the bucket’s Permissions tab, click Edit bucket policy to add the bucket policy that you copied.

  8. After saving changes to your bucket policy, return to the Admin UI Log Stream settings and click Test to test that data from StrongDM can be written to your S3 bucket location. The test uses the provided bucket name and key prefix values to write a test object to <BUCKET_NAME>/<KEY_PREFIX>/test.

A successful test displays the “Log Stream test successful” message. If the test fails, check that the region, bucket name, and key prefix values that you entered are correct, and ensure that the bucket policy is saved correctly in the Amazon S3 console.

When configuration is complete, your audit logs are streamed to the connected S3 bucket.

Examples of Streamed Logs

When Log Stream is configured, several varieties of logs are streamed to the target storage location, including activities, queries for all resource types, and replay data for interactive sessions. This section provides examples of each log format.


    "formatVersion": "v1.0.0",
    "logType": "activities",
    "actorAccountID": "a-0000000000000000",
    "timestamp": "0001-01-01T00:00:00Z"

Activity log example

    "formatVersion": "v1.0.0",
    "logType": "activities",
    "activity": "user logged into the Admin UI",
    "actorAccountID": "a-0abcdabcdab00000",
    "actorEmail": "alice.glick@strongdm.com",
    "actorFirstName": "Alice",
    "actorLastName": "Glick",
    "actorExternalID": "e-bca5454",
    "description": "Alice Glick (alice.glick@strongdm.com) logged into the Admin UI.",
    "ipAddress": "",
    "objects": [
            "type": "user",
            "id": "a-0abcdabcdab00000",
            "email": "alice.glick@strongdm.com"
    "timestamp": "2023-05-01T18:50:04.782960647Z"

Query log example

    "formatVersion": "v1.0.0",
    "logType": "queries",
    "accountID": "a-0abcdabcdab00000",
    "accountFirstName": "Bob",
    "accountLastName": "Belcher",
    "accountEmail": "bob.belcher@strongdm.com",
    "accountExternalID": "e-bca5454",
    "durationMs": "20",
    "hash": "0da22222ba9b212ecfed33a17147c466ae0929fb",
    "queryCategory": "cloud",
    "resourceID": "rs-0abcdabcdabcd00",
    "resourceName": "AWS Development",
    "resourceTags": {
        "env": "dev"
    "resourceType": "aws",
    "sourceIp": "1.23.456.789",
    "timestamp": "2023-05-01T13:13:20.895597162Z",
    "uuid": "0ABCDABCDABCDABCDABCD1234abc"

Replay log example

    "formatVersion": "v1.0.0",
    "logType": "replays",
    "chunkID": 1,
    "events": [
            "data": "base64binarydata",
            "durationMs": "46"
    "hash": "0da22222ba9b212ecfed33a17147c466ae0929fb",
    "queryUUID": "sABCDABCDABCDABCDABCD1234abc",
    "timestamp": "2023-05-03T21:14:12.377835194Z"