Log Management

Last modified on April 3, 2023

Log Storage

Logging of user activity is fully configurable by the Customer so that you control what is passed to StrongDM. You can choose to log with us, log locally, or both.

Stored with StrongDM

Logs stored with StrongDM are written to an immutable, write-once S3 bucket.

Stored with the Customer

When a Customer chooses to log locally, logs are written to the StrongDM gateway’s local storage. This allows the Customer to configure how and where to ship logs (for example, shipping to an internal SIEM or log aggregation tool).

Log Encryption

Logs with StrongDM are always encrypted at some level. What level a Customer chooses is up to them. We currently support three different methods of encryption within the StrongDM Platform.

Platform Encryption (the default mode)

Logs generated by the StrongDM Platform are encrypted with a Customer-unique key by the StrongDM application before being written to AWS S3, on top of the default at-rest encryption enabled on the S3 bucket.

Using the StrongDM Platform encryption provides two key functions:

  • Logs can be displayed in the Admin UI in plaintext
  • Logs cannot be viewed in plaintext from the raw storage (for example, S3)

By encrypting all logs with a unique application key, StrongDM is able to provide another layer of assurance that Customer information is not inadvertently disclosed.

Public Key Encryption

Log data is encrypted at the StrongDM gateway using the public component of a public/private key pair before being sent to the StrongDM Platform. Log metadata is still sent to StrongDM for plaintext display within the Admin UI.

When using public key encryption to protect log data:

  • Log contents are returned in encrypted form in the Admin UI and as query results from an sdm CLI command.
  • Metadata is present in the Admin UI in plaintext.
  • The Customer administrator must use the private component of the key pair to decrypt the log contents for review.
  • StrongDM is never able to see the plaintext log contents.
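As an added illustration of the split this mode relies on (example code, not StrongDM's own implementation or wire format), the following Go program models a gateway that can only seal a record with the customer's public key and an administrator who opens it with the private key; the `SealedLog` fields, the hybrid RSA-OAEP plus AES-GCM construction and the sample metadata are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedLog is a constructed model of one record in public key mode, not StrongDM's own format.
type SealedLog struct {
	Metadata   string // user, resource, timestamp: stays plaintext for the Admin UI
	WrappedKey []byte // fresh AES-256 key for this record, RSA-OAEP wrapped to the customer's public key
	Nonce      []byte
	Content    []byte // AES-GCM ciphertext of the session log body
}

// SealAtGateway holds only the public key, so neither the gateway nor the platform can reopen the body.
func SealAtGateway(pub *rsa.PublicKey, metadata string, body []byte) (*SealedLog, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	// Metadata is bound as associated data, so it cannot be swapped onto another body.
	ct := gcm.Seal(nil, nonce, body, []byte(metadata))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return &SealedLog{Metadata: metadata, WrappedKey: wrapped, Nonce: nonce, Content: ct}, err
}

// OpenAtCustomer runs on the administrator's side, the only place the private key exists.
func OpenAtCustomer(priv *rsa.PrivateKey, rec *SealedLog) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("cannot unwrap log key: wrong private key or tampered record")
	}
	block, _ := aes.NewCipher(key) // length checked above, cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, rec.Nonce, rec.Content, []byte(rec.Metadata))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rec, _ := SealAtGateway(&priv.PublicKey, "user=alice resource=prod-db", []byte("SELECT 1;"))
	body, _ := OpenAtCustomer(priv, rec)
	fmt.Println(rec.Metadata, string(body))
}
```

Anyone holding only `rec` and the public key (the gateway, the platform, the bucket) can read `Metadata` but not `Content`, which is the property the bullets above describe.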

Non-shared Symmetric Key Encryption (Combined with local logging)

In this situation, only session metadata is sent to StrongDM for display in the Admin UI. StrongDM does not have access to the key used to encrypt the data. The logs are sent, encrypted, to your gateway or relay servers, where you are able to decrypt them locally.

Log Retention

If you store logs with StrongDM, they are retained for a period of 13 months. See our retention policy for more details.