This document will explain how to set up a daily log of queries. By leveraging the sdm audit functionality, we'll retrieve a list of queries and write them to a daily log file. Writing your own daily log can be especially important if you intend to store logs long term. If you store logs with strongDM, they will be retained for a period of 13 months, and then permanently deleted. If you write to your own log files, you can store them indefinitely or according to your own policies.
We recommend creating a new Linux system user with restricted permissions to run the daily audit. In this example we'll call that user sdm. Download and install the Linux SDM client.
You do not need to log into the SDM client. The admin token will serve as authentication.
Create an Admin Token
To create an admin token, sign into the strongDM web interface and go to Settings > Admin Tokens. From there you can create an admin token with the specific rights you require -- in this case, only the Audit > Queries permission.
A dialog will pop up with the admin token.
Save it for later use in /etc/sdm-admin.token in the form:
SDM_ADMIN_TOKEN=<paste token here>
This file must be owned by the user that will run the archiver (sdm in this example):
chown sdm:sdm /etc/sdm-admin.token
Example Log Archiver Script
Here is an example log archiver script that in the next step we'll set up to run nightly. We'll store this script in /opt/strongdm/bin and write its output to /var/log/sdm.
sudo mkdir -p /opt/strongdm/bin/
sudo mkdir -p /var/log/sdm/
sudo tee "/opt/strongdm/bin/log-archiver.sh" > /dev/null <<'EOT'
#!/bin/bash
START=$(date -d "yesterday 00:00" '+%Y-%m-%d 00:00:00')
FN=$(date -d "yesterday 00:00" '+%Y-%m-%d')
END=$(date -d "today 00:00" '+%Y-%m-%d 00:00:00')
TARGET=/var/log/sdm
/opt/strongdm/bin/sdm audit queries --from "$START" --to "$END" >> "$TARGET/queries.$FN"
EOT
sudo chown sdm:sdm /var/log/sdm /opt/strongdm/ /opt/strongdm/bin/ /opt/strongdm/bin/log-archiver.sh
sudo chmod +x /opt/strongdm/bin/log-archiver.sh
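The script above appends with >> and ignores the exit status of sdm, so a rerun for the same day duplicates rows and a failed run can leave a partial file. The following hardened variant is an added example, not strongDM's own script: it assumes the same paths as above, a GNU coreutils system, and that systemd invokes it as "log-archiver.sh run" (the run argument, SDM_BIN, LOG_DIR and TOKEN_FILE are this example's own conventions).

```bash
#!/bin/bash
# Added example, not strongDM's script: a hardened variant of the log archiver
# above. Same layout assumed: token in /etc/sdm-admin.token, sdm client in
# /opt/strongdm/bin, logs in /var/log/sdm. SDM_BIN, LOG_DIR and TOKEN_FILE can
# be overridden so the functions can be exercised without a real sdm install.
set -eu

SDM_BIN="${SDM_BIN:-/opt/strongdm/bin/sdm}"
LOG_DIR="${LOG_DIR:-/var/log/sdm}"
TOKEN_FILE="${TOKEN_FILE:-/etc/sdm-admin.token}"

# Date (YYYY-MM-DD) of the day before the given date; GNU date, as on the page.
previous_day() {
    date -d "$1 -1 day" '+%Y-%m-%d'
}

# The token file grants Audit > Queries rights: refuse to run unless only its
# owner can read it (mode 600 or 400), not merely that it is owned by sdm.
token_file_is_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Export the queries for the day before $1 (default: today) to
# LOG_DIR/queries.<date>, using the same [day 00:00, next day 00:00) window as
# the original. Output goes to a temp file that is renamed only when sdm exits
# 0: a failed run leaves no partial log, and a rerun replaces, never appends.
archive_day() {
    local ref="${1:-$(date '+%Y-%m-%d')}" day tmp
    day=$(previous_day "$ref")
    tmp=$(mktemp "$LOG_DIR/.queries.$day.XXXXXX")
    if "$SDM_BIN" audit queries --from "$day 00:00:00" --to "$ref 00:00:00" > "$tmp"; then
        mv -f "$tmp" "$LOG_DIR/queries.$day"
    else
        rm -f "$tmp"
        echo "sdm audit queries failed for $day; no log written" >&2
        return 1
    fi
}

main() {
    token_file_is_private "$TOKEN_FILE" ||
        { echo "refusing to run: $TOKEN_FILE must be mode 600" >&2; exit 1; }
    archive_day
}

# systemd would invoke this as "log-archiver.sh run"; without the argument the
# file only defines the functions above.
case "${1:-}" in run) main ;; esac
```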
Set up a systemd Service and Timer
This systemd service and timer will run our script once a day at midnight (OnCalendar=daily); with Persistent=true, a run that was missed while the machine was off is triggered at the next start.
sudo tee "/etc/systemd/system/log-archiver.service" > /dev/null <<'EOT'
[Unit]
Description=SDM log archiver

[Service]
Type=oneshot
EnvironmentFile=/etc/sdm-admin.token
ExecStart=/opt/strongdm/bin/log-archiver.sh
User=sdm
EOT

sudo tee "/etc/systemd/system/log-archiver.timer" > /dev/null <<'EOT'
[Unit]
Description=Run log archiver daily
Requires=log-archiver.service

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOT
Activate the timer:
sudo systemctl daemon-reload
sudo systemctl enable log-archiver.timer
sudo systemctl start log-archiver.timer