This document will explain how to set up a regular export of admin activity in an organization. By leveraging the sdm audit functionality, we'll retrieve a list of activities every five minutes and write them to a JSON file. A separate tool can then import these files into a log aggregator or SIEM.
We recommend creating a new Linux system user with restricted permissions to run the audit. In this example, we'll use sdm. Download and install the Linux SDM client.
You do not need to log into the SDM client. The admin token will serve as authentication.
Create an Admin Token
To create an admin token, sign into the strongDM web interface and go to Settings > Admin Tokens. From there you can create an admin token with the specific rights you require -- in this case, only the Audit > Activities permission.
For more details on creating admin tokens, check out the admin token guide.
Example Activity Export Script
Here is an example activity export script that in the next step we'll set up to run periodically. You may note that this script is really just one command: we set it up as a script for clarity, but if you prefer you can insert just the sdm audit... command directly into
date can take the -d format in your OS; some versions use
```bash
#!/bin/bash
export SDM_ADMIN_TOKEN=<insert admin token here>
START=$(date -d "5 minutes ago" '+%Y-%m-%dT%H:%M:00') # start of audit slice, defaulting to 5 minutes ago
END=$(date '+%Y-%m-%dT%H:%M:00')                      # end of audit slice, defaulting to now, at the top of the minute
FN=$(date -d "5 minutes ago" '+%Y%m%d%H%M')           # timestamp of the slice start, appended to the output filename so each run writes its own file
TARGET=/var/log/sdm                                   # location where JSON files will be written
/opt/strongdm/bin/sdm audit activities --from "$START" --to "$END" -j > "$TARGET/activities.$FN.json"
```
Add crontab entry
While most Linux systems have directories for scripts that run daily, weekly and so on, the script above exports a five-minute slice and is meant to run every five minutes. The simplest option is therefore to place it directly in the crontab of a user or of the system.
Add this line to the crontab of your choice, modifying the interval to match what you set in the script:
```
*/5 * * * * /path/to/script.sh
```
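As an added example (not the guide's own script), here is a hardened variant of the same export for the sdm user's crontab: the token is read from a mode-0600 file instead of being embedded in the script, each slice starts where the previous one ended so a delayed or skipped cron run causes neither a gap nor duplicated records, every slice gets its own file, and the output is renamed into place only when sdm succeeds. It assumes GNU coreutils (date -d, stat -c), the CLI at /opt/strongdm/bin/sdm, and the hypothetical token file /etc/sdm/admin_token and state file /var/log/sdm/.last_end.

```bash
#!/bin/bash
# Added example, not the strongDM guide's script. Assumes GNU date/stat and the paths below.
set -eu

SDM_BIN=${SDM_BIN:-/opt/strongdm/bin/sdm}
TOKEN_FILE=${TOKEN_FILE:-/etc/sdm/admin_token}  # hypothetical path; keeps the token out of the script
TARGET=${TARGET:-/var/log/sdm}
STATE=${STATE:-$TARGET/.last_end}                # hypothetical state file: epoch second where the last slice ended
WINDOW=${WINDOW:-300}                            # slice length in seconds (matches */5 in crontab)

fmt_sdm() { date -u -d "@$1" '+%Y-%m-%dT%H:%M:%S'; }  # timestamp for --from / --to
fmt_fn()  { date -u -d "@$1" '+%Y%m%d%H%M'; }         # unique suffix for the output file

# Read the admin token from a file only its owner can read; refuse anything looser.
load_token() {
    [ "$(stat -c '%a' "$TOKEN_FILE")" = "600" ] || { echo "refusing: $TOKEN_FILE is not mode 0600" >&2; return 1; }
    SDM_ADMIN_TOKEN=$(cat "$TOKEN_FILE"); export SDM_ADMIN_TOKEN
}

# Start the slice where the previous run ended, so a late or missed cron run
# produces neither a gap nor duplicated records; the first run looks one WINDOW back.
slice_bounds() {
    local now=$1 start
    start=$(cat "$STATE" 2>/dev/null || echo $((now - WINDOW)))
    echo "$start $now"
}

# Export one slice into a uniquely named file. The file is renamed into place only
# when complete, and the state file advances only after sdm exits successfully.
export_slice() {
    local start=$1 end=$2 out tmp
    out="$TARGET/activities.$(fmt_fn "$start").json"
    tmp=$(mktemp "$TARGET/.activities.XXXXXX")
    if "$SDM_BIN" audit activities --from "$(fmt_sdm "$start")" --to "$(fmt_sdm "$end")" -j > "$tmp"; then
        mv "$tmp" "$out" && echo "$end" > "$STATE" && echo "$out"
    else
        rm -f "$tmp"; echo "sdm audit failed for slice $start..$end" >&2; return 1
    fi
}

main() {
    mkdir -p -m 0750 "$TARGET"
    load_token
    bounds=$(slice_bounds $(( $(date -u +%s) / 60 * 60 )))  # end the slice at the top of the current minute
    export_slice "${bounds%% *}" "${bounds##* }"
}

# crontab entry: */5 * * * * /path/to/export.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Because sdm's exit status gates both the rename and the state update, a failed run leaves no partial file behind and the next run simply re-exports the missed interval.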