View Logs from the Admin UI

Last modified on October 25, 2024

When your organization is configured to allow StrongDM to retain logs, you can view the following kinds of log entries from the Admin UI:

  • Administrative activities
  • Queries
  • SSH, RDP, or Kubernetes session replays

Admin UI Log Search Filters

The Admin UI logs include a variety of filters in order to help you parse your data. The filters are as follows:

  • Account: Filters the returned logs by user or service account
  • Actor: Filters the returned logs by user (note that this filter is available for Activities only; the date ranges available in the Admin UI vary by log type, and full logs are available via the CLI)
  • Dates: Filters the returned logs by a desired date range (note that returned date ranges are different for each type of log and that full logs are available via the SDM CLI)
  • Resource: Filters the returned logs by resource

Activities

Activity logs are recorded user events in StrongDM, such as logging in/out, creating/destroying resources, modifying settings/permissions, or performing general administration tasks. Activities do not include actions where users are interacting with resources, as each resource type creates its own unique type of logs.

To view the activity logs for your account, go to Logs > Activities in the Admin UI. The Activities page displays a paginated view of activity logs from the past 30 days by default or from the past 13 months if the Enterprise plan is enabled for your organization.

For more information about log retention and logs available from the CLI, see the Log Retention documentation.

The following is a list of potential Activities that might be tracked:

  • Access request to resource approval added
  • Access request to resource granted
  • Access request to role approved
  • Access request to resource canceled
  • Access request to role canceled
  • Access request to resource denied
  • Access request to role denied
  • Access request to resource timed out
  • Access request to role timed out
  • Access requested to resource
  • Access requested to role
  • Access rule created
  • Access rule deleted
  • Access rule updated
  • Access workflow added
  • Access workflow deleted
  • Add child organization
  • Admin initiated password reset
  • Admin token cloned
  • Admin token created
  • Admin token deleted
  • Admin token expired
  • Admin token reinstated
  • Admin token rekeyed
  • Admin token suspended
  • Allow public gateways
  • Allowed SSH port forwarding
  • Approval workflow added
  • Approval workflow approver added
  • Approval workflow approver deleted
  • Approval workflow deleted
  • Approval workflow step added
  • Approval workflow step deleted
  • Approval workflow updated
  • Attempt to login by a suspended user from the Admin UI
  • Attempt to login by a suspended user from the local client
  • Attempted to login by a service account from the Admin UI
  • Attempted to login by a suspended service account from the Admin UI
  • Certificate authority updated
  • Child organization admin invited
  • Cloud added
  • Cloud cloned
  • Cloud deleted
  • Cloud updated
  • Cluster added
  • Cluster cloned
  • Cluster connection port overridden
  • Cluster deleted
  • Cluster updated
  • Credential created
  • Credential deleted
  • Datasource added
  • Datasource cloned
  • Datasource connection port overridden
  • Datasource deleted
  • Datasource updated
  • Deactivate device approval
  • Disallowed SSH port forwarding
  • Do not allow public gateways
  • Dynamic role migration complete
  • Failed login attempt counter reset
  • Failed login attempt from the Admin UI
  • Failed login attempt from the local client
  • Identity alias created
  • Identity alias deleted
  • Identity alias updated
  • Identity set created
  • Identity set deleted
  • Identity set updated
  • Installation approved
  • Installation created
  • Installation created for relay
  • Installation revoked
  • Managed secret added
  • Managed secret deleted
  • Managed secret expiration time updated
  • Managed secret updated
  • MFA denied access for the Admin UI
  • MFA denied access for the local client
  • Multiple cluster ports overridden
  • Multiple datasource ports overridden
  • Multiple resources assigned to workflow
  • Multiple resources unassigned from workflow
  • Multiple role permissions added
  • Multiple role permissions deleted
  • Multiple server ports overridden
  • Organization created
  • Organization name updated
  • Organization resources allocated within VNM subnet
  • Organization setting updated
  • Organization SSH certificate authority rotated
  • Organization VNM subnet updated
  • Parent admin logged into the child org
  • Policy created
  • Policy deleted
  • Policy updated
  • Port override enforcement updated
  • Public key updated
  • Relay created
  • Relay deleted
  • Relay name updated
  • Remove child organization
  • Resource assigned to workflow
  • Resource unassigned from workflow
  • Role added
  • Role deleted
  • Role permission added
  • Role permission deleted
  • Role updated
  • SCIM token created
  • Secret engine added
  • Secret engine deleted
  • Secret engine updated
  • Secret store added
  • Secret store deleted
  • Secret store updated
  • Self-registration activated
  • Self-registration deactivated
  • Server added
  • Server cloned
  • Server connection port overridden
  • Server deleted
  • Server updated
  • Service account auto-connect updated
  • Service account created
  • Service account expired
  • Service account rekeyed
  • Trial extended
  • User account locked due to failed login attempts
  • User added
  • User added to role
  • User allowed to login via password
  • User changed their password
  • User clicked on their invitation
  • User clicked on their password reset
  • User deleted
  • User deleted from role
  • User invited
  • User logged into the Admin UI
  • User logged into the Admin UI using SSO
  • User logged into the local client
  • User logged into the local client using SSO
  • User logged out from the Admin UI
  • User logged out from the local client
  • User permission added
  • User permission deleted
  • User reinstated
  • User required to login via SSO
  • User reset their password
  • User set a password
  • User signup
  • User suspended
  • User temporary access expired
  • User temporary access granted
  • User temporary access revoked
  • User type changed
  • User updated
  • Website added
  • Website cloned
  • Website deleted
  • Website updated
  • Workflow assigned to multiple resources
  • Workflow assigned to resource
  • Workflow notification settings updated
  • Workflow notification type added
  • Workflow notification type removed
  • Workflow unassigned from multiple resources
  • Workflow unassigned from resource

View Queries

Queries against datasources are streamed in real time as they are performed. They are displayed in the Admin UI in section Logs > Queries.

Extensive logs are available from the CLI, but at a minimum, queries from the last 24 hours (up to 30 entries) are available in the Admin UI.

Resource tags on queries represent a moment in time. Because tags can change for a resource, the ones that appear in the audit trail may or may not be as you expect. They reflect the state of the resource’s tags at the time of the logged event.

View SSH Replays

In the Admin UI, in section Logs > SSH, you can view any sessions recorded for this organization over the last 30 days by default or the last 13 months if the Enterprise plan is enabled for your organization. Sessions can be played at various speeds up to 16 times faster than the original. The recording also can be downloaded as a TypeScript file. Extensive logs are also available from the CLI.

View RDP Replays

RDP sessions initiated through StrongDM are available to be rendered and downloaded as an MP4 file. In the Admin UI, in section Logs > RDP, you can render and download any session, as long as that session is not encrypted, from the last 30 days by default or from the last 13 months if the Enterprise plan is enabled for your organization.

Rendering time is directly tied to the length of the video being rendered. For longer videos, it may take 10 to 15 minutes. Once a video is rendered, the user who requested the video receives an email stating that it is ready to download.

Extensive logs are also available from the CLI.

View Kubernetes Replays

When interacting with a Kubernetes cluster, several types of log events are recorded:

  • kubectl commands, such as kubectl create pod strongdm
  • API calls that happen as a result of command GET /apis/scheduling.k8s.io/v1?timeout=32s
  • Terminal replays from exec sessions kubectl exec -it pod/strongdm
  • Debug sessions with kubectl debug

You can view Kubernetes replays in the Admin UI, section Logs > Kubernetes. The Admin UI displays events from the past 30 days by default, or events from the past 13 months if the Enterprise plan is enabled for your organization. You may also retrieve logs using the CLI.

View Web Logs

When viewing a Website via StrongDM, every HTTP request to the target site is recorded, including the headers and completion time. You can view web logs in the Admin UI, section Logs > Web.

The Admin UI displays all web logs for the last 30 days by default or the last 13 months if the Enterprise plan is enabled for your organization. Extensive logs are also available from the CLI.

View Policy Logs

In section Logs > Policies, the Policy Monitor provides detailed logs for every action that is evaluated by policies. Please note that the Enterprise plan must be enabled for your organization in order to view policy logs.

The Policy Monitor lists the following fields:

  • Result: Either allow or deny; the result of the policy assessment for the action(s)
  • Target: Entity targeted by the action
  • Actions: Specific action the user attempted to perform
  • User: Name and email of the StrongDM user who performed the action
  • Timestamp: Date and time that the policy was triggered for the action

You can click on any item in the list to open the details view for that item. The details view includes the same detail as the list view row, but with even more detail, including the following:

  • A list of all actions that were evaluated by the policy
  • Information about any requirements met by the user during evaluation, such as providing a justification for their action
  • The user’s IP and location, with a visual map of the location pinned
  • Copy of the user’s queries

In addition, the details view includes a Policies tab that lists the policies that affected the interaction. Clicking on a policy name opens the policy in the Policy Editor. For more information about creating and editing policies, see the Policy Creation section.