How to Read Node Log Files

Nodes (gateways/relays) store log events in log files, if your organization is configured to retain local logs on nodes. These log files contain information about queries as well as replay data. These logs can be reviewed at the Admin UI and CLI (if StrongDM log retention is enabled) but they can also be reviewed by directly viewing the log files on any given node.

Encrypted Log Files #

If you have configured node (gateway/relay) log encryption, your logs are not directly readable. To decrypt them, you need to use the sdm crypto parse-logs utility with the private.key file present.

Example:

cat logfile | sdm crypto parse-log private.key > decrypted-log

Locate Queries in Log Files #

To find queries in the node logs, look for start events that are of the following forms, containing the actual query.

The easiest way to find queries is to use grep to search for the particular resource or query.

CSV example #

`2023-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f`

JSON example #

{
  "type": "start",
  "timestamp": "2023-01-01T13:14:15.820199164Z",
  "uuid": "01a2B3cd4Efghi567jKlMnop8qRs",
  "datasourceId": "rs-123a45678910b123",
  "datasourceName": "cli_example mysql",
  "userId": "a-0a12b34c567d89d1",
  "userName": "Jane Admin",
  "query": "/* ApplicationName=DBeaver 7.3.5 - Metadata */ SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='mysql' AND TABLE_NAME='db' ORDER BY ORDINAL_POSITION",
  "hash": "1234a56b7c891dab012ef3456g78h9i1jk2l3m45"
}

For more details about the start event type, see the Node Logs - Start Event reference.

Read Log Files to Find Capture IDs #

Knowing a replay’s capture ID is necessary to review it.

Find capture IDs by manually searching log files #

One way to get the capture ID is to look in the node logs. The capture ID is shown in the logs in start events that are of the following form, containing a JSON object with connection parameters.

In the following example, the capture ID is 9d880e13-f608-4fe0-b1e7-deeb35bb9f2c:

2023-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}`

Find Capture IDs with the CLI #

Another way to collect your capture IDs is to use sdm audit ssh.

You can use the sdm audit ssh command to collect a list of SSH sessions that occurred during a specific time frame, and get their capture IDs.

Extract SSH replay data #

Once you have the capture ID, you can use the sdm ssh split command to extract all captures from a log file. They are saved as individual SSH files named after the capture ID.

Example:

$ sdm ssh split relay.1521828535.0.log
5783cb5e-e1c8-44ba-b8ee-4bc4d8c28c7d.ssh
9d880e13-f608-4fe0-b1e7-deeb35bb9f2c.ssh

If you have encrypted node logs, you can either decrypt them first, with sdm crypto parse-logs, or run the sdm ssh split command directly on the encrypted log by adding the -k flag:

sdm ssh split -k private.key relay.1521828535.0.log

If you have chosen to save your StrongDM gateway or relay logs in JSON, you need to add the -j option to perform this operation correctly:

sdm ssh split -j relay.1521828535.0.log

Once you have the SSH file(s) for the session you want to review, you can dump it to a text file and look at it in a text editor. Alternatively, you can cat the file to replay it at full speed.

View Replays #

To view replays for SSH, Kubernetes, or RDP sessions from the command line, see the View Logs from the CLI section.

Log References #

To view a list of all available fields and their descriptions for each event type, please see the Log References section.