View Activity Logs

Last modified on February 1, 2023

Activity logs are recorded user events in StrongDM, such as logging in/out, creating/destroying resources, modifying settings/permissions, or performing general administration tasks. Activities do not include actions where users are interacting with resources, as each resource type creates its own unique type of logs.

To view the activity logs for your account, go to Logs > Activities in the Admin UI. The Activities page displays a paginated view of activity logs from the last year.

For more information about log retention and the more extensive logs available from the CLI, see the Log Retention documentation.

The following is a list of potential Activities that might be tracked:

  • Access rule created
  • Access rule deleted
  • Access rule updated
  • Add child organization
  • Admin initiated password reset
  • Admin token cloned
  • Admin token created
  • Admin token deleted
  • Admin token expired
  • Admin token reinstated
  • Admin token rekeyed
  • Admin token suspended
  • Allow public gateways
  • Allowed SSH port forwarding
  • Attempt to login by a suspended user from the Admin UI
  • Attempt to login by a suspended user from the local client
  • Attempted to login by a service account from the Admin UI
  • Attempted to login by a suspended service account from the Admin UI
  • Child organization admin invited
  • Cloud added
  • Cloud cloned
  • Cloud deleted
  • Cloud updated
  • Cluster added
  • Cluster cloned
  • Cluster connection port overridden
  • Cluster deleted
  • Cluster updated
  • Datasource added
  • Datasource cloned
  • Datasource connection port overridden
  • Datasource deleted
  • Datasource updated
  • Deactivate device approval
  • Disallowed SSH port forwarding
  • Do not allow public gateways
  • Dynamic role migration complete
  • Failed login attempt counter reset
  • Failed login attempt from the Admin UI
  • Failed login attempt from the local client
  • Installation approved
  • Installation created
  • Installation created for relay
  • Installation revoked
  • MFA denied access for the Admin UI
  • MFA denied access for the local client
  • Multiple cluster ports overridden
  • Multiple datasource ports overridden
  • Multiple role permissions added
  • Multiple role permissions deleted
  • Multiple server ports overridden
  • Organization created
  • Organization name updated
  • Organization setting updated
  • Organization SSH certificate authority rotated
  • Parent admin logged into the child org
  • Port override enforcement updated
  • Public key updated
  • Relay created
  • Relay deleted
  • Relay name updated
  • Remote identity created
  • Remote identity deleted
  • Remote identity updated
  • Remove child organization
  • Role added
  • Role deleted
  • Role permission added
  • Role permission deleted
  • Role updated
  • SCIM token created
  • Secret store added
  • Secret store deleted
  • Secret store updated
  • Self-registration activated
  • Self-registration deactivated
  • Server added
  • Server cloned
  • Server connection port overridden
  • Server deleted
  • Server updated
  • Service account auto-connect updated
  • Service account created
  • Service account expired
  • Service account rekeyed
  • Trial extended
  • User account locked due to failed login attempts
  • User added
  • User added to role
  • User allowed to login via password
  • User changed their password
  • User clicked on their invitation
  • User clicked on their password reset
  • User deleted
  • User deleted from role
  • User invited
  • User logged into the Admin UI
  • User logged into the Admin UI using SSO
  • User logged into the local client
  • User logged into the local client using SSO
  • User logged out from the Admin UI
  • User logged out from the local client
  • User permission added
  • User permission deleted
  • User reinstated
  • User required to login via SSO
  • User reset their password
  • User set a password
  • User signup
  • User suspended
  • User temporary access expired
  • User temporary access granted
  • User temporary access revoked
  • User type changed
  • User updated
  • Website added
  • Website cloned
  • Website deleted
  • Website updated
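The activity names above are what a defender would key a review on. As an added example (not StrongDM's code or export format), the following triage assumes an activity export as newline-delimited JSON with constructed ts, actor and activity fields, flags the activities from the list that mint credentials or widen access, and surfaces actors whose login failures cluster in time, which a paginated UI view does not make obvious.

```python
import json
from datetime import datetime, timedelta

# Activity names copied from the list above: ones that mint credentials or widen
# access (each worth a review) and the login-failure events.
HIGH_RISK = {
    "Admin token created", "Admin token rekeyed", "Service account created",
    "SCIM token created", "User type changed", "User permission added",
    "User added to role", "User allowed to login via password",
    "Allow public gateways", "Self-registration activated",
}
FAILED_LOGIN = {
    "Failed login attempt from the Admin UI", "Failed login attempt from the local client",
    "MFA denied access for the Admin UI", "MFA denied access for the local client",
}

# Constructed sample, one JSON object per line. The field names (ts, actor,
# activity) are an assumption for this example, not StrongDM's export schema.
SAMPLE = """\
{"ts": "2023-02-01T09:00:05Z", "actor": "alice@example.com", "activity": "User logged into the Admin UI using SSO"}
{"ts": "2023-02-01T09:01:10Z", "actor": "alice@example.com", "activity": "Admin token created"}
{"ts": "2023-02-01T09:02:00Z", "actor": "bob@example.com", "activity": "Failed login attempt from the local client"}
{"ts": "2023-02-01T09:03:00Z", "actor": "bob@example.com", "activity": "Failed login attempt from the local client"}
{"ts": "2023-02-01T09:04:30Z", "actor": "bob@example.com", "activity": "MFA denied access for the local client"}
{"ts": "2023-02-01T09:30:00Z", "actor": "carol@example.com", "activity": "Failed login attempt from the Admin UI"}
{"ts": "2023-02-01T09:31:00Z", "actor": "alice@example.com", "activity": "Server updated"}
"""


def parse_activities(text):
    """Parse newline-delimited JSON into (datetime, actor, activity), oldest first."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["actor"], rec["activity"]))
    return sorted(events)


def triage(events, window=timedelta(minutes=10), threshold=3):
    """Flag high-risk activities and actors with `threshold` failures inside any `window`."""
    high_risk = [(actor, act) for _, actor, act in events if act in HIGH_RISK]
    failures = {}
    for ts, actor, act in events:
        if act in FAILED_LOGIN:
            failures.setdefault(actor, []).append(ts)
    clustered = [actor for actor, t in failures.items()
                 if any(t[i + threshold - 1] - t[i] <= window
                        for i in range(len(t) - threshold + 1))]
    return {"high_risk": high_risk, "repeated_failures": clustered}
```

Point the parser at a real export once you know its field names; only `parse_activities` needs to change.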

View Kubernetes Replays

When interacting with a Kubernetes cluster, several types of log events are recorded:

  • kubectl commands, such as kubectl create pod strongdm
  • API calls made as a result of a command, such as GET /apis/scheduling.k8s.io/v1?timeout=32s
  • Terminal replays from exec sessions, such as kubectl exec -it pod/strongdm
  • Debug sessions started with kubectl debug

You can view Kubernetes replays in the Admin UI, section Logs > Kubernetes. The Admin UI will display 4,500 log lines or 100 days of events, whichever is fewer. More extensive logs are available from the CLI.

View Datasource Queries

Datasource queries are streamed in real time as they are performed. They are displayed in the Admin UI in section Logs > Queries.

Extensive logs are available from the CLI, but at a minimum, queries from the last 24 hours (up to 30 entries) are available in the Admin UI.

View RDP Replays

RDP sessions initiated through StrongDM are available for download as an MP4 file. In the Admin UI, in section Logs > RDP, you can render and download any session from the last 100 days as long as those sessions were not encrypted. Rendering time is directly tied to the length of the video being rendered. For longer videos, you may need to wait 10 or 15 minutes. Once a video is rendered, the user who requested the video will receive an email stating that it is ready to download.

The Admin UI will display up to 4,500 log lines. More extensive logs are available from the CLI.

View RDP Replays Locally

In section RDP Replays, instructions are given for rendering and watching replays of unencrypted RDP sessions from the Admin UI. It is also possible to render RDP sessions locally via a Docker image:

docker run --rm -ti -v ~/.sdm/logs:/logs quay.io/sdmrepo/rdpreplay:latest --format 'csv' r1po3p80VaPnzSSjAobzV2RavzWW

Pointers for using the Docker image:

  • You will need the FFmpeg package installed locally in order to play RDP session videos.
  • If you have changed your SDM HOME location away from the default ~/.sdm, change that path in the above command.
  • Substitute the sample session ID in the above command with the session ID you intend to replay.
  • Completed MP4 files will be deposited in the /logs folder.

The local rendering can be done via the CLI as well, if desired:

sdm replay rdp
NAME:
  sdm replay rdp - render a RDP session in movie format.
USAGE:
  sdm replay rdp [command options] <sessionID> <relay-log-file-path1> <relay-log-file-path2> <relay-log-file-pathN>...
OPTIONS:
  --format value            define the file format of the relay log file ('json' or 'csv') (default: "json")
  --tmpdir value, -t value  for long sessions, a larger temporary directory might be necessary for rendering (default: "C:\\Users\\sebas\\.sdm\\logs")

View SSH Replays

In the Admin UI, in section Logs > SSH, you can view any sessions recorded for this organization over the last 100 days. Sessions can be played at various speeds up to 16 times faster than the original. The recording can also be downloaded as a TypeScript file.

The Admin UI will display up to 4,500 log lines. More extensive logs are available from the CLI.

View Web Logs

When viewing a Website via StrongDM, every HTTP request to the target site is recorded, including the headers and completion time. You can view web logs in the Admin UI, section Logs > Web.

The Admin UI will display all Web Logs for the last 7 days, showing up to 4,500 log lines. More extensive logs are available from the CLI.
