Using strongDM Logs

When logging is configured for the strongDM server, you can view log entries (administrative activities, queries, SSH captures, RDP videos) directly through the strongDM Admin UI, or by using the sdm CLI tool.

Web UI

Within the web UI, you can view activities and recent datasource queries, and replay SSH and RDP sessions.

Activities

On the Activities page, you can view administrative activities, and browse from recent to older using the navigation at the top and bottom of the page.

UI Activities

Queries

If you click on the Queries page, you can view a real-time list of recent datasource queries within your organization. To see older queries or search within a certain timeframe, use the sdm audit queries CLI command, described below under CLI.

Note: If you have enabled strongDM log encryption, the entries here will be encrypted. To see the content of these queries, use the CLI.

UI Queries

Replays

On the Replays page, you can view all SSH and RDP replays, using the navigation at the top and bottom of the page.

UI Captures

Clicking on a replay session opens a web player in which you can watch the session replay in real time.

UI Capture Replay

Note: If you have enabled strongDM log encryption, session replay will be unavailable. Use the CLI (see below) to replay SSH sessions. To replay RDP sessions, please contact support@strongdm.com for assistance.

CLI

From the sdm command-line interface, available on Mac and Linux, you can access all audit data – activities, queries, and replays – via the strongDM API.

Note: To see all of the commands and options available via the CLI, look at the Command Reference.

Activities

To review web UI activities from the command line, use the sdm audit activities command. By default, it returns the ten most recent web UI activities.

$ sdm audit activities
Timestamp,IP Address,Actor ID,Actor Name,Activity,Description
2018-03-22 12:28:40.276507 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the UI,Joe Admin (admin@company.com) logged into the UI.
2018-03-22 15:23:26.375064 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to none.
2018-03-22 15:23:26.376804 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log encode to plaintext.
2018-03-22 18:05:49.45456 +0000 UTC,71.232.116.201,1016,Joe Admin,user suspended,Joe Admin (admin@company.com) suspended Bob User (bob.user@company.com).
2018-03-22 18:05:51.002598 +0000 UTC,71.232.116.201,1016,Joe Admin,user type changed,Joe Admin (admin@company.com) changed type of Bob User (bob.user@company.com) to user.
2018-03-22 18:05:51.07059 +0000 UTC,71.232.116.201,1016,Joe Admin,user added to role,Joe Admin (admin@company.com) assigned Bob User (bob.user@company.com) to Junk.
2018-03-22 19:51:53.343206 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting remote log encode to strongdm.
2018-03-22 19:51:53.346103 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to stdout.
2018-03-23 14:37:43.710974 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged out from the local client,Joe Admin (admin@company.com) logged out from the local client.
2018-03-23 14:38:16.927605 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the local client,Joe Admin (admin@company.com) logged into the local client.

To look for activity in a specific timeframe, use the --from and --to flags. Each takes a timestamp of the form YYYY-MM-DD or "YYYY-MM-DD HH:MM:SS" (note the quotes). You can specify --from alone, or --from and --to together; the command then returns all activities within the specified timeframe. From there, you can narrow the results further with grep or other text processing to find activity by a specific user or on a specific datasource or server.

To view a continuous stream of web UI activities, or to redirect the output to another location, you can use the -f (follow) flag.
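The filtering described above can be done on the CSV that sdm audit activities prints, either saved to a file or piped from the -f stream. The following is an added example, not strongDM code: it parses the timestamp format shown in the output, applies a --from/--to style window (a bare date is taken as midnight UTC, an assumption of this script), and flags the organization-setting updates that change where audit logs are stored or how they are encoded, since those are the changes an investigator most wants to know about. The sample rows are constructed from the excerpt above.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the CSV shape that `sdm audit activities` prints; the
# values are copied from the excerpt above so the filter can be tried offline.
SAMPLE_ACTIVITIES = """\
Timestamp,IP Address,Actor ID,Actor Name,Activity,Description
2018-03-22 12:28:40.276507 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the UI,Joe Admin (admin@company.com) logged into the UI.
2018-03-22 15:23:26.375064 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to none.
2018-03-22 15:23:26.376804 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log encode to plaintext.
2018-03-22 18:05:49.45456 +0000 UTC,71.232.116.201,1016,Joe Admin,user suspended,Joe Admin (admin@company.com) suspended Bob User (bob.user@company.com).
2018-03-22 19:51:53.346103 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to stdout.
"""


def parse_sdm_time(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS[.ffffff] +0000 UTC' stamps in sdm output."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f %z UTC", "%Y-%m-%d %H:%M:%S %z UTC"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised sdm timestamp: {value!r}")


def parse_bound(text):
    """Accept the two shapes --from/--to take: 'YYYY-MM-DD' or 'YYYY-MM-DD HH:MM:SS'.
    Assumption of this script: a bare date means midnight UTC at the start of that day."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bound must be YYYY-MM-DD or 'YYYY-MM-DD HH:MM:SS': {text!r}")


def filter_activities(csv_text, start=None, end=None, actor=None):
    """Return the activity rows inside [start, end] (inclusive), optionally for one actor."""
    lo = parse_bound(start) if start else None
    hi = parse_bound(end) if end else None
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = parse_sdm_time(row["Timestamp"])
        if lo is not None and ts < lo:
            continue
        if hi is not None and ts > hi:
            continue
        if actor is not None and row["Actor Name"] != actor:
            continue
        kept.append(row)
    return kept


# Substrings of the setting names seen in the output ("local log storage",
# "local log encode", "remote log encode"). A change to any of them alters where
# audit data goes or whether it is encrypted, so it deserves an alert.
LOGGING_SETTINGS = ("log storage", "log encode")


def logging_changes(rows):
    """Descriptions of organization-setting updates that touched log storage or encoding."""
    return [
        row["Description"]
        for row in rows
        if row["Activity"] == "organization setting updated"
        and any(setting in row["Description"] for setting in LOGGING_SETTINGS)
    ]


if __name__ == "__main__":
    window = filter_activities(SAMPLE_ACTIVITIES, "2018-03-22 15:00:00", "2018-03-22 19:00:00")
    print(f"{len(window)} activities in window")
    for desc in logging_changes(window):
        print("LOGGING CHANGE:", desc)
```

To use it against real output, feed the text of `sdm audit activities --from ... --to ...` (or a file you redirected the -f stream into) to filter_activities in place of the sample.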

Queries

As with Activities above, you can use the sdm audit queries command to find the most recent queries. On its own, the command returns the ten most recent queries; the --from and --to flags work just as they do with sdm audit activities, and the -f flag streams the output to STDOUT.

$ sdm audit queries
Time,Datasource ID,Datasource Name,User ID,User Name,Duration (ms),Record Count,Query,Hash
2018-03-21 20:48:27.816603 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SELECT VERSION(),bfdacb2e17fbd4ec7a8d1dc6d6d9da37926a1198
2018-03-21 20:49:28.022841 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SHOW ALL,1ac37f50840217029812c9d0b779baf64e85261f
2018-03-21 20:49:28.530386 +0000 UTC,1333,Local pgsql,1016,Joe Admin,8,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2018-03-21 20:55:28.637862 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2018-03-21 20:55:28.920521 +0000 UTC,1333,Local pgsql,1016,Joe Admin,29,0,"SELECT 	rel.relname, 	rel.relkind, 	rel.reltuples, 	coalesce(rel.relpages,0) + coalesce(toast.relpages,0) AS num_total_pages, 	SUM(ind.relpages) AS index_pages, 	pg_roles.rolname AS owner FROM pg_class rel 	left join pg_class toast on (toast.oid = rel.reltoastrelid) left join pg_index on (indrelid=rel.oid) 	left join pg_class ind on (ind.oid = indexrelid) 	join pg_namespace on (rel.relnamespace =pg_namespace.oid ) 	left join pg_roles on ( rel.relowner = pg_roles.oid ) WHERE rel.relkind IN ('r','v','m','f','p') AND nspname = 'public'GROUP BY rel.relname, rel.relkind, rel.reltuples, coalesce(rel.relpages,0) + coalesce(toast.relpages,0), pg_roles.rolname;",8b62e88535286055252d080712a781afc1f2d53c
2018-03-21 20:56:29.153809 +0000 UTC,1333,Local pgsql,1016,Joe Admin,2,0,"SELECT 	rel.relname, 	rel.relkind, 	rel.reltuples, 	coalesce(rel.relpages,0) + coalesce(toast.relpages,0) AS num_total_pages, 	SUM(ind.relpages) AS index_pages, 	pg_roles.rolname AS owner FROM pg_class rel 	left join pg_class toast on (toast.oid = rel.reltoastrelid) left join pg_index on (indrelid=rel.oid) 	left join pg_class ind on (ind.oid = indexrelid) 	join pg_namespace on (rel.relnamespace =pg_namespace.oid ) 	left join pg_roles on ( rel.relowner = pg_roles.oid ) WHERE rel.relkind IN ('r','v','m','f','p') AND nspname = 'public'GROUP BY rel.relname, rel.relkind, rel.reltuples, coalesce(rel.relpages,0) + coalesce(toast.relpages,0), pg_roles.rolname;",8b62e88535286055252d080712a781afc1f2d53c
2018-03-21 20:56:32.125572 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,select 42;,cad5386a37b29383f33869ffa64d1585f9c93a0e
2018-03-21 20:57:17.261133 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2018-03-21 20:57:52.547195 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2018-03-21 20:58:37.72325 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f

If you have turned on strongDM log encryption, you will need to have the private key to view the query contents. You can use the -k <private.key> flag to decrypt the queries and use the result. This flag can also be used in conjunction with the -f flag to stream decrypted query logs to another location.
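The Query column in this output is quoted whenever the statement contains commas (and may carry tabs and newlines), so splitting lines on commas in a shell pipeline breaks exactly on the queries you most want to inspect. The following is an added example, not strongDM code: it reads the CSV with Python's csv module, groups rows by the Hash column (in the excerpt above identical statements share a hash, which is what makes deduplication by hash work), and produces per-user totals and a list of slow queries. The sample rows are constructed from the excerpt above; decrypted output from -k <private.key> has the same shape and can be fed in the same way.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the CSV shape that `sdm audit queries` prints, copied from
# the excerpt above. Quoted fields carry commas, so str.split(",") would break them.
SAMPLE_QUERIES = """\
Time,Datasource ID,Datasource Name,User ID,User Name,Duration (ms),Record Count,Query,Hash
2018-03-21 20:48:27.816603 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SELECT VERSION(),bfdacb2e17fbd4ec7a8d1dc6d6d9da37926a1198
2018-03-21 20:49:28.022841 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SHOW ALL,1ac37f50840217029812c9d0b779baf64e85261f
2018-03-21 20:49:28.530386 +0000 UTC,1333,Local pgsql,1016,Joe Admin,8,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2018-03-21 20:55:28.637862 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2018-03-21 20:56:32.125572 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,select 42;,cad5386a37b29383f33869ffa64d1585f9c93a0e
2018-03-21 20:57:17.261133 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2018-03-21 20:57:52.547195 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
"""


def read_queries(csv_text):
    """Parse sdm audit queries output; csv handles the quoted, comma-laden Query field."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Duration (ms)"] = int(row["Duration (ms)"])
        row["Record Count"] = int(row["Record Count"])
    return rows


def statements_by_hash(rows):
    """Map each Hash to the set of query texts seen under it. In the sample every hash
    maps to exactly one statement, so the hash can stand in for the statement when
    deduplicating or counting distinct queries."""
    texts = defaultdict(set)
    for row in rows:
        texts[row["Hash"]].add(row["Query"])
    return texts


def per_user_totals(rows):
    """(queries, total ms, distinct statements) for each (user, datasource) pair."""
    totals = {}
    for row in rows:
        key = (row["User Name"], row["Datasource Name"])
        t = totals.setdefault(key, {"queries": 0, "total_ms": 0, "hashes": set()})
        t["queries"] += 1
        t["total_ms"] += row["Duration (ms)"]
        t["hashes"].add(row["Hash"])
    return {k: (v["queries"], v["total_ms"], len(v["hashes"])) for k, v in totals.items()}


def slow_queries(rows, threshold_ms):
    """Rows whose recorded duration is at or above the threshold."""
    return [row for row in rows if row["Duration (ms)"] >= threshold_ms]


if __name__ == "__main__":
    rows = read_queries(SAMPLE_QUERIES)
    for (user, ds), (n, ms, distinct) in per_user_totals(rows).items():
        print(f"{user} on {ds}: {n} queries, {ms} ms total, {distinct} distinct statements")
    for row in slow_queries(rows, 5):
        print("SLOW:", row["Duration (ms)"], "ms", row["Hash"], row["Query"][:60])
```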

There is an additional option for this command, --full, that pulls query logs from long-term storage. This has the following effects:

Replays

You can list replays, play them, and grep for strings (SSH specifically) within replays via the CLI.

Listing Replays

Just like Activities and Queries, you can use sdm audit ssh and sdm audit rdp to view recent or time-specified SSH/RDP sessions, using the same flags.

$ sdm audit ssh
Time,Server ID,Server Name,User ID,User Name,Duration (ms),Capture ID,Hash
2018-03-21 20:51:16.098221 +0000 UTC,1334,prod-312-test,1016,Joe Admin,8572,4516ae2e-5d55-4559-a08c-8a0f514b579c,afb368770931a2aae89e6a8801b40eac44569d93
2018-03-21 20:53:01.4391 +0000 UTC,1334,prod-312-test,1016,Joe Admin,7515,fbd50897-1359-4b55-a103-68e4dafa494b,aa4aa0646469757df9f0b92fb5ca39a9c1bfd38d
2018-03-22 21:57:10.920914 +0000 UTC,1334,prod-312-test,1016,Joe Admin,10440,aa8dab30-685d-4180-a86b-bb1794d23756,aa4aa0646469757df9f0b92fb5ca39a9c1bfd38d
2018-03-22 23:16:40.170815 +0000 UTC,1334,prod-312-test,1016,Joe Admin,5433,7a8735cf-05c8-4840-89ae-42c6ad750136,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-22 23:21:49.987304 +0000 UTC,1334,prod-312-test,1016,Joe Admin,4529,2324e5d7-398b-47cd-ace6-78b33f813e3f,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-23 01:18:02.167322 +0000 UTC,1334,prod-312-test,1016,Joe Admin,6318,4e6827e0-cb36-4377-aedb-544b671845f9,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-23 08:23:12.707229 +0000 UTC,1334,prod-312-test,1016,Joe Admin,3745,efccd591-7f3c-4199-b41c-a4be76947b93,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-23 09:57:41.547007 +0000 UTC,1334,prod-312-test,1016,Joe Admin,1212,b877f95b-6511-4ef9-83e7-366bc9043561,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-23 11:01:48.111931 +0000 UTC,1334,prod-312-test,1016,Joe Admin,1182,03fe2d1b-e487-4111-b69a-a7b913d61c49,883b03873229301e58fb6c9ccf1a3f584953d13c
2018-03-23 15:29:53.533823 +0000 UTC,1334,prod-312-test,1016,Joe Admin,1342,218f8a42-2565-4d20-94cd-06591a96577b,883b03873229301e58fb6c9ccf1a3f584953d13c

Playing Replays

You can also replay SSH sessions in your terminal, much like the replay window in the strongDM web UI. To do so, you first need the capture ID, which is displayed in the output of the sdm audit ssh command. Once you have the capture ID of the session you want to replay, use the sdm ssh replay command to play it back in your command-line window.

$ sdm ssh play 218f8a42-2565-4d20-94cd-06591a96577b
[... output elided ...]

If you just want to dump the commands and outputs from an SSH session to a file, perhaps for further analysis, you can use sdm ssh dump with the same syntax. This writes the contents of the session to STDOUT, letting you redirect the output to a file if you choose.

Similarly to queries, you will need to use the -k <private.key> flag with capture replay/dump if you have turned on strongDM log encryption.

Searching Within Captures

Finally, you can use sdm ssh grep <search-term> to look for a specific string within your captured SSH sessions. This will search all SSH captures within the last 15 days and return matches, showing the capture ID of the session and the content of the matching line.

Note: sdm ssh grep will only search unencrypted SSH sessions.

$ sdm ssh grep pwd
4e6827e0-cb36-4377-aedb-544b671845f9:Joe Admin:2018-03-23 01:18:02.245322 +0000 UTC: prod-312-test:~ andy$ pwd
2324e5d7-398b-47cd-ace6-78b33f813e3f:Joe Admin:2018-03-22 23:21:51.065304 +0000 UTC: [?1034hprod-312-test:~ andy$ pwd
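Each match line has the shape <capture ID>:<user>:<timestamp>: <content>, and the timestamp itself contains colons, so a naive split on ":" misaligns the fields. The captured content also carries whatever the remote shell wrote, including terminal escape sequences such as the [?1034h visible in the second match above. The following is an added example, not strongDM code: it parses match lines into records suitable for a SIEM or spreadsheet and strips ANSI control sequences from the content. The sample lines are constructed from the excerpt above, with the escape character written out as \x1b; the script assumes user names contain no colon.

```python
import re
from datetime import datetime

# Constructed sample of `sdm ssh grep` output, modelled on the excerpt above. The
# second line carries the terminal escape sequence ESC[?1034h that the captured
# shell emitted, written here with an explicit \x1b so the stripping can be seen.
SAMPLE_GREP = (
    "4e6827e0-cb36-4377-aedb-544b671845f9:Joe Admin:2018-03-23 01:18:02.245322 +0000 UTC: prod-312-test:~ andy$ pwd\n"
    "2324e5d7-398b-47cd-ace6-78b33f813e3f:Joe Admin:2018-03-22 23:21:51.065304 +0000 UTC: \x1b[?1034hprod-312-test:~ andy$ pwd\n"
)

# ANSI control sequences: ESC [ parameter bytes, intermediate bytes, final byte.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")

# One match line: <capture id>:<user>:<timestamp>: <content>. The timestamp contains
# colons, so the line is matched as a whole instead of being split on ':'.
# Assumption: user names do not contain ':'.
LINE_RE = re.compile(
    r"^(?P<capture>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}):"
    r"(?P<user>[^:]*):"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? [+-]\d{4} UTC): "
    r"(?P<content>.*)$"
)


def strip_ansi(text):
    """Remove CSI escape sequences so the captured line reads as the user saw it typed."""
    return CSI_RE.sub("", text)


def parse_grep_output(text):
    """Turn sdm ssh grep lines into records. Lines that do not fit the format are kept
    verbatim under 'unparsed' so nothing is silently dropped from the evidence."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            records.append({"unparsed": line})
            continue
        stamp = m.group("time")
        fmt = "%Y-%m-%d %H:%M:%S.%f %z UTC" if "." in stamp else "%Y-%m-%d %H:%M:%S %z UTC"
        records.append({
            "capture": m.group("capture"),
            "user": m.group("user"),
            "time": datetime.strptime(stamp, fmt),
            "content": strip_ansi(m.group("content")),
        })
    return records


def matches_per_capture(records):
    """Count matching lines per capture ID, handy for deciding which session to replay first."""
    counts = {}
    for rec in records:
        if "capture" in rec:
            counts[rec["capture"]] = counts.get(rec["capture"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_grep_output(SAMPLE_GREP)
    for rec in recs:
        print(rec.get("capture"), rec.get("user"), rec.get("content", rec.get("unparsed")))
    print(matches_per_capture(recs))
```

The capture IDs in the records are the ones to hand to sdm ssh replay or sdm ssh dump when a match warrants looking at the whole session.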