Last modified on August 28, 2023
This article provides an overview of the command line interface (CLI) utility. It covers how to test the client’s configuration and explains some commonly used CLI commands. Although it doesn’t comprehensively cover each command available, it gives you a general idea of the flexibility and power available at your fingertips from the CLI.
Client Configuration Confirmation
As a reminder, to verify the client is working, type the following:
This should output something similar to the following:
sdm version 38.84.0 (99a5d1a71d4eccaf171449e33bc0826132b05165 #503)
In sdm admin commands, the --certificate-authority value that is required in many places is a file path, not a Base64-encoded certificate.
Login and Logout
$ sdm login
e-mail: firstname.lastname@example.org
Please complete logging in at: https://app.strongdm.com/auth/XXXXXXXXXX
authentication successful
$ sdm logout
If your organization uses SSO, you are redirected to complete authentication via the web. The CLI will attempt to open the provided URL in your browser, or you can visit the URL directly.
Lock and Unlock the Client
If you have MFA enabled in your organization, you can manually lock and unlock the client from the CLI.
$ sdm lock
locked
$ sdm unlock
awaiting confirmation...
unlocked
During the awaiting confirmation... state, you will receive an MFA push to complete the unlock process.
Check the Status of Datasources and Servers
$ sdm status
DATASOURCE NAME        STATUS         PORT   TYPE
! mysql 5.6.39         not connected  13311  mysql
!jsonb-test            not connected  15438  aurora-postgres
Cache01                not connected  16379  redis
CacheM01               not connected  21211  memcached
Inventory DB (Heroku)  not connected  15434  postgres
Marketing DB RW        not connected  15435  postgres
MySQL 5.6              not connected  13310  mysql
Pricing DB RO          not connected  13306  mysql
Users Profile DB RO    not connected  15436  postgres

SERVER                 STATUS         PORT   TYPE
RDP prod server        not connected  13389  rdp
prod01 sudo            not connected  62609  ssh
prod02                 not connected  62524  ssh
$ sdm connect Marketing
connect successful
$ sdm status
DATASOURCE NAME        STATUS         PORT   TYPE
! mysql 5.6.39         not connected  13311  mysql
!jsonb-test            not connected  15438  aurora-postgres
Cache01                not connected  16379  redis
CacheM01               not connected  21211  memcached
Inventory DB (Heroku)  not connected  15434  postgres
Marketing DB RW        connected      15435  postgres
MySQL 5.6              not connected  13310  mysql
Pricing DB RO          not connected  13306  mysql
Users Profile DB RO    not connected  15436  postgres

SERVER                 STATUS         PORT   TYPE
RDP prod server        not connected  13389  rdp
prod01 sudo            not connected  62609  ssh
prod02                 not connected  62524  ssh
$ psql -h localhost -p 15435 -c 'select 42;'
 ?column?
----------
       42
(1 row)

$ sdm disconnect Marketing
disconnect successful
Connect to SSH
As described in the SSH connection guide, there are several ways to connect to SSH servers. The easiest way is to use the sdm ssh aliases. Using this method, it is not necessary to run sdm connect before opening the SSH connection.
$ alias|grep sdm
scp='scp -S'\''/usr/local/bin/sdm'\'' -osdmSCP'
ssh='/usr/local/bin/sdm ssh wrapped-run'
$ ssh prod02
Last login: Wed Mar 13 14:23:01 2019 from ip-xx-xx-xx-xx.us-west-2.compute.internal

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ops@ip-xx-xx-xx-xx ~]$ exit
logout
Connection to 127.0.0.1 closed.
sdm connect servername and then connect with your preferred ssh client to
Export User Activity Logs
In order to export user activity logs, run the following command with the start date for the logs you’re retrieving:
sdm audit activities --from YYYY-MM-DD
sdm audit activities --from 2023-04-26
Our system can parse dates in a wide variety of formats. Examples of some accepted formats include the following:
2023-04-26 22:43:00 UTC
26 April 2023 22:43
If the date is not in a valid format, the error message Could not find format is returned and you will need to structure your date in a different way.
By default, the results of the command are in CSV format. If you want to change the output to JSON, you may add the -j flag:
sdm audit activities -j --from 2023-04-26
The default output is stdout; however, if you want the output to go to a file, you may use the -o flag. When using the -o flag, note that the flag must be the last flag invoked, followed by the name of the file you wish to create. Run the command from the directory where you want the file saved.
sdm audit activities --from 2023-04-26 -o example_logs_file.txt
The sdm Directory
By default, logs are written to ~/.sdm/sdm.log for both clients and relays.
There are also several authentication-related files in this directory. The *.key files serve as the private keys, which authenticate you and your machine.
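A permissions check for this directory, as an added example that is not part of the original article or StrongDM's own tooling: it flags *.key files that carry any group or other permission bit, key files that are symlinks, and a directory that group or other can write to. The function name check_sdm_keys and the owner-only expectation are assumptions (general practice for private key files, not a requirement stated in this article).

```shell
#!/bin/sh
# Added example (not StrongDM code). Assumption: private key files should be
# accessible by their owner only, and the directory holding them should not
# be writable by group or other.

# check_sdm_keys [DIR]   (hypothetical helper; DIR defaults to ~/.sdm)
# Prints one line per finding. Returns 0 if clean, 1 on findings,
# 2 if DIR is missing.
check_sdm_keys() {
    sdm_dir=${1:-"$HOME/.sdm"}
    [ -d "$sdm_dir" ] || { echo "missing: $sdm_dir"; return 2; }
    sdm_rc=0

    # A directory writable by group/other lets another account replace keys.
    # -H follows DIR itself if it is a symlink, so the real mode is tested.
    sdm_hit=$(find -H "$sdm_dir" -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$sdm_hit" ]; then
        echo "dir-writable: $sdm_dir"
        sdm_rc=1
    fi

    # Any group/other bit on a *.key file exposes or endangers the key.
    sdm_hit=$(find -H "$sdm_dir" -type f -name '*.key' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$sdm_hit" ]; then
        printf '%s\n' "$sdm_hit" | sed 's/^/key-exposed: /'
        sdm_rc=1
    fi

    # A symlinked key may resolve to a file outside the checked directory.
    sdm_hit=$(find -H "$sdm_dir" -type l -name '*.key' -print)
    if [ -n "$sdm_hit" ]; then
        printf '%s\n' "$sdm_hit" | sed 's/^/key-symlink: /'
        sdm_rc=1
    fi

    return "$sdm_rc"
}

# Usage: check_sdm_keys            # audits ~/.sdm
#        check_sdm_keys /path/dir  # audits another directory
```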