View Activity Logs

Last modified on June 4, 2024

Activity logs are recorded user events in StrongDM, such as logging in/out, creating/destroying resources, modifying settings/permissions, or performing general administration tasks. Activities do not include actions where users are interacting with resources, as each resource type creates its own unique type of logs.

To view the activity logs for your account, go to Logs > Activities in the Admin UI. The Activities page displays a paginated view of activity logs from the past 30 days by default or from the past 13 months if the Enterprise bundle is enabled for your organization.

For more information about log retention and logs available from the CLI, see the Log Retention documentation.

The following is a list of potential Activities that might be tracked:

  • Access request to resource approval added
  • Access request to resource granted
  • Access request to role approved
  • Access request to resource canceled
  • Access request to role canceled
  • Access request to resource denied
  • Access request to role denied
  • Access request to resource timed out
  • Access request to role timed out
  • Access requested to resource
  • Access requested to role
  • Access rule created
  • Access rule deleted
  • Access rule updated
  • Access workflow added
  • Access workflow deleted
  • Add child organization
  • Admin initiated password reset
  • Admin token cloned
  • Admin token created
  • Admin token deleted
  • Admin token expired
  • Admin token reinstated
  • Admin token rekeyed
  • Admin token suspended
  • Allow public gateways
  • Allowed SSH port forwarding
  • Approval workflow added
  • Approval workflow approver added
  • Approval workflow approver deleted
  • Approval workflow deleted
  • Approval workflow step added
  • Approval workflow step deleted
  • Approval workflow updated
  • Attempt to login by a suspended user from the Admin UI
  • Attempt to login by a suspended user from the local client
  • Attempted to login by a service account from the Admin UI
  • Attempted to login by a suspended service account from the Admin UI
  • Certificate authority updated
  • Child organization admin invited
  • Cloud added
  • Cloud cloned
  • Cloud deleted
  • Cloud updated
  • Cluster added
  • Cluster cloned
  • Cluster connection port overridden
  • Cluster deleted
  • Cluster updated
  • Credential created
  • Credential deleted
  • Datasource added
  • Datasource cloned
  • Datasource connection port overridden
  • Datasource deleted
  • Datasource updated
  • Deactivate device approval
  • Disallowed SSH port forwarding
  • Do not allow public gateways
  • Dynamic role migration complete
  • Failed login attempt counter reset
  • Failed login attempt from the Admin UI
  • Failed login attempt from the local client
  • Identity alias created
  • Identity alias deleted
  • Identity alias updated
  • Identity set created
  • Identity set deleted
  • Identity set updated
  • Installation approved
  • Installation created
  • Installation created for relay
  • Installation revoked
  • MFA denied access for the Admin UI
  • MFA denied access for the local client
  • Multiple cluster ports overridden
  • Multiple datasource ports overridden
  • Multiple resources assigned to workflow
  • Multiple resources unassigned from workflow
  • Multiple role permissions added
  • Multiple role permissions deleted
  • Multiple server ports overridden
  • Organization created
  • Organization name updated
  • Organization resources allocated within VNM subnet
  • Organization setting updated
  • Organization SSH certificate authority rotated
  • Organization VNM subnet updated
  • Parent admin logged into the child org
  • Policy created
  • Policy deleted
  • Policy updated
  • Port override enforcement updated
  • Public key updated
  • Relay created
  • Relay deleted
  • Relay name updated
  • Remove child organization
  • Resource assigned to workflow
  • Resource unassigned from workflow
  • Role added
  • Role deleted
  • Role permission added
  • Role permission deleted
  • Role updated
  • SCIM token created
  • Secret store added
  • Secret store deleted
  • Secret store updated
  • Self-registration activated
  • Self-registration deactivated
  • Server added
  • Server cloned
  • Server connection port overridden
  • Server deleted
  • Server updated
  • Service account auto-connect updated
  • Service account created
  • Service account expired
  • Service account rekeyed
  • Trial extended
  • User account locked due to failed login attempts
  • User added
  • User added to role
  • User allowed to login via password
  • User changed their password
  • User clicked on their invitation
  • User clicked on their password reset
  • User deleted
  • User deleted from role
  • User invited
  • User logged into the Admin UI
  • User logged into the Admin UI using SSO
  • User logged into the local client
  • User logged into the local client using SSO
  • User logged out from the Admin UI
  • User logged out from the local client
  • User permission added
  • User permission deleted
  • User reinstated
  • User required to login via SSO
  • User reset their password
  • User set a password
  • User signup
  • User suspended
  • User temporary access expired
  • User temporary access granted
  • User temporary access revoked
  • User type changed
  • User updated
  • Website added
  • Website cloned
  • Website deleted
  • Website updated
  • Workflow assigned to multiple resources
  • Workflow assigned to resource
  • Workflow notification settings updated
  • Workflow notification type added
  • Workflow notification type removed
  • Workflow unassigned from multiple resources
  • Workflow unassigned from resource

View Kubernetes Replays

When interacting with a Kubernetes cluster, several types of log events are recorded:

  • kubectl commands, such as kubectl create pod strongdm
  • API calls that happen as a result of command GET /apis/
  • Terminal replays from exec sessions kubectl exec -it pod/strongdm
  • Debug sessions with kubectl debug

You can view Kubernetes replays in the Admin UI, section Logs > Kubernetes. The Admin UI displays events from the past 30 days by default, or events from the past 13 months if the Enterprise bundle is enabled for your organization. You may also retrieve logs using the CLI.

View Datasource Queries

Datasource queries are streamed in real time as they are performed. They are displayed in the Admin UI in section Logs > Queries.

Extensive logs are available from the CLI, but at a minimum, queries from the last 24 hours (up to 30 entries) are available in the Admin UI.

View RDP Replays

RDP sessions initiated through StrongDM are available for download as an MP4 file. In the Admin UI, in section Logs > RDP, you can render and download any session, as long as that session is not encrypted, from the last 30 days by default or from the last 13 months if the Enterprise bundle is enabled for your organization.

Rendering time is directly tied to the length of the video being rendered. For longer videos, you may need to wait 10 or 15 minutes. Once a video is rendered, the user who requested the video receives an email stating that it is ready to download.

Extensive logs are also available from the CLI.

View RDP Replays Locally

In section RDP Replays, instructions are given for rendering and watching replays of unencrypted RDP sessions from the Admin UI. It is also possible to render RDP sessions locally via a Docker image:

docker run --rm -ti -v ~/.sdm/logs:/logs --format 'csv' r1po3p80VaPnzSSjAobzV2RavzWW

Pointers for using the Docker image:

  • You need the FFmpeg package installed locally in order to play RDP session videos.
  • If you have changed your SDM HOME location away from the default ~/.sdm, change that path in the above command.
  • Substitute the sample session ID in the above command with the session ID you intend to replay.
  • Completed MP4 files are deposited in the /logs folder.

The local rendering can be done via the CLI as well, if desired:

sdm replay rdp

  sdm replay rdp - render a RDP session in movie format.

  sdm replay rdp [command options] <sessionID> <relay-log-file-path1> <relay-log-file-path2> <relay-log-file-pathN>...

  --format value      define the file format of the relay log file ('json' or 'csv') (default: "json")

  --tmpdir value, -t value for long sessions, a larger temporary directory might be necessary for rendering (default: "C:\\Users\\sebas\\.sdm\\logs")

View SSH Replays

In the Admin UI, in section Logs > SSH, you can view any sessions recorded for this organization over the last 30 days by default or the last 13 months if the Enterprise bundle is enabled for your organization. Sessions can be played at various speeds up to 16 times faster than the original. The recording also can be downloaded as a TypeScript file. Extensive logs are also available from the CLI.

View Web Logs

When viewing a Website via StrongDM, every HTTP request to the target site is recorded, including the headers and completion time. You can view web logs in the Admin UI, section Logs > Web.

The Admin UI displays all web logs for the last 30 days by default or the last 13 months if the Enterprise bundle is enabled for your organization. Extensive logs are also available from the CLI.

View Policy Logs

In section Logs > Policies, the Policy Monitor provides detailed logs for every action that is evaluated by policies. Please note that the Enterprise bundle must be enabled for your organization in order to view policy logs.

The Policy Monitor lists the following fields:

  • Result: Either allow or deny; the result of the policy assessment for the action(s)
  • Target: Entity targeted by the action
  • Actions: Specific action the user attempted to perform
  • User: Name and email of the StrongDM user who performed the action
  • Timestamp: Date and time that the policy was triggered for the action

You can click on any item in the list to open the details view for that item. The details view includes the same detail as the list view row, but with even more detail, including the following:

  • A list of all actions that were evaluated by the policy
  • Information about any requirements met by the user during evaluation, such as providing a justification for their action
  • The user’s IP and location, with a visual map of the location pinned
  • Copy of the user’s queries

In addition, the details view includes a Policies tab that lists the policies that affected the interaction. Clicking on a policy name opens the policy in the Policy Editor.