Log Management

Last modified on March 24, 2023

Log Storage

Logging of user activity is fully configurable by the Customer so that you control what is passed to StrongDM. You can choose to log with us, log locally, or both.

Stored with StrongDM

Logs stored with StrongDM are written to an immutable, write-once S3 bucket.

Stored with the Customer

When a Customer chooses to log locally, logs are written to the SDM Gateway’s local storage. This allows the Customer to configure how and where to ship logs (e.g. shipping to an internal SIEM or log aggregation tool).

Log Encryption

Logs with StrongDM are always encrypted at some level. What level a Customer chooses is up to them. We currently support three different methods of encryption within the StrongDM Platform.

Platform Encryption (the default mode)

Logs generate by the StrongDM Platform are encrypted with a Customer-unique key by the StrongDM application before being written to AWS S3, on top of the default at rest encryption enabled on the S3 bucket.

Using the StrongDM Platform encryption provides two key functions:

  • Log are able to be displayed in the Admin UI in plaintext
  • Logs cannot be viewed in plaintext from the raw storage (e.g. S3)

By encrypting all logs with a unique application key, StrongDM is able to provide another layer of assurance that Customer information is not inadvertently disclosed.

Public Key Encryption

Log data from the StrongDM gateway is encrypted at the StrongDM Gateway using the public component of a public/private key pair before being sent to the StrongDM Platform. Log metadata is still sent to StrongDM for plaintext display within the Admin UI.

When using public key encryption to protect log data:

  • Log contents will be returned in encrypted form in the AdminUI and as query results from an sdm CLI command
  • Metadata will be present in the AdminUI in plain text
  • Customer administrator must use the private component of the key pair to decrypt the log contents for review
  • StrongDM will never be able to see the plain text log contents

Non-shared Symmetric Key Encryption (Combined with local logging)

In this situation, only session metadata will be sent to StrongDM for display in the Admin UI. StrongDM does not have access to the key used to encrypt the data. The logs will be sent, encrypted, to your Gateway/Relay servers, where you will be able to decrypt it locally.

Log Retention

If you store logs with StrongDM, they will be retained for a period of 13 months, and then permanently deleted.

Top