Log Stream Query Logs
Last modified on October 31, 2024
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
Field | Type | Description | Example |
---|---|---|---|
actorAccountID | String | Unique identifier of the account that performed the query | "a-0abcdabcdab00000" |
actorEmail | String | Email of the account that performed the query, at the time the query was executed | "alice.glick@example.com" |
actorExternalID | String | External ID of the account that performed the query, at the time the query was executed | "e-bca5454" |
actorFirstName | String | Given name of the account that performed the query, at the time the query was executed | "Alice" |
actorLastName | String | Family name of the account that performed the query, at the time the query was executed | "Glick" |
actorTags | Object | Tags of the account that performed the query, at the time the query was executed | { "tag1": "val1", "tag2": "val2" } |
authenticationId | String | Authentication of the account associated with this query | "auth-0000000000000001" |
authz | Object | Authorization metadata from the policy evaluation associated with this query; only included for Enterprise organizations that have a policy in place that this event triggered | See the Policy Info in Logs section for details. |
clientCommand | String | Command executed on the client for a Kubernetes session. | "kubectl describe pods" |
clientIP | String | IP address the query was performed from, as detected at the StrongDM control plane | "1.11.222.333" |
command | String | Command executed over an SSH or Kubernetes session | "echo hi" |
container | String | Target container of a Kubernetes operation | "nginx" |
durationMs | Integer | Duration of the query in milliseconds | 200 |
egressNodeID | String | Unique ID of the node through which the resource was accessed | "n-56988fae64a73652" |
formatVersion | String | Version of the log format | "v1.0.0" |
hash | String | Hash of the body of the query | "0da22222ba9b212ecfed33a17147c466ae0929fb" |
headers | Object | HTTP headers of a Kubernetes operation | { "header1": "value1", "header2": "value2" } |
identityAlias | String | Username of the IdentityAlias used to access the resource | "alice.glick" |
isShell | Boolean | Whether the query was executed in a shell | false |
logType | String | Type of log, always "queries" for query logs | "queries" |
pod | String | Target pod of a Kubernetes operation | "kube-dns-v20-8gsbl" |
query | String | Captured content of the query; for queries against SSH, Kubernetes, and RDP resources, this contains a JSON representation of the QueryCapture | "select name from users" |
queryCategory | String | General category of resource against which query was performed | "k8s", "queries" (datasources), "rdp", "ssh", "web", "cloud", "all" |
requestBody | String | HTTP request body of a Kubernetes operation | |
requestMethod | String | HTTP request method of a Kubernetes operation | |
requestURI | String | HTTP request URI of a Kubernetes operation | |
resourceID | String | Unique identifier of the resource against which the query was performed | "r-1caa595464152e78" |
resourceName | String | Name of the resource accessed, at the time the query was executed | "MySQL" |
resourceTags | Object | Tags of the resource accessed, at the time the query was executed | {"env": "dev"} |
resourceType | String | Specific type of resource against which query was performed | "mysql" |
rowCount | Integer | Number of records returned by the query, for a database resource | 18 |
sdmOrgId | String | Organization identifier of the organization that emitted the event represented in the log | "o-6dce5b5663c12e6b" |
sourceIP | String | IP address the query was performed from, as detected at the ingress gateway; will be an internal address if the gateway is on the same local network or VPN as the client | "1.11.222.333" |
target | String | Target destination of the query, in host:port format | "3.33.222.111:5432" |
timestamp | String | Time at which the query was started, formatted as datetime | "2024-08-01T13:13:20.895597162Z" |
uuid | String | Unique identifier of the query | "0CEGCEGCEGCEGCEGCEGCE1234ceg" |
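As an added example (not part of the StrongDM documentation), the following Python script triages a constructed JSON-lines stream of query-log events built from the fields above: it drops malformed lines and non-query log types, flags bulk reads and Kubernetes DELETE operations against production resources, and totals rows returned per actor. The JSON-lines delivery, the `env: prod` resource tag convention, the row threshold and the sample values are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample lines (not real StrongDM logs) using the documented field
# names. The last line is deliberately truncated to exercise error handling.
SAMPLE_LINES = """\
{"logType":"queries","formatVersion":"v1.0.0","uuid":"q-1","timestamp":"2024-08-01T13:13:20Z","actorEmail":"alice.glick@example.com","queryCategory":"queries","resourceType":"mysql","resourceName":"MySQL","resourceTags":{"env":"prod"},"query":"select name from users","rowCount":18,"durationMs":200,"clientIP":"198.51.100.7","sourceIP":"10.0.0.5"}
{"logType":"queries","formatVersion":"v1.0.0","uuid":"q-2","timestamp":"2024-08-01T13:14:02Z","actorEmail":"alice.glick@example.com","queryCategory":"queries","resourceType":"postgres","resourceName":"Orders","resourceTags":{"env":"prod"},"query":"select * from orders","rowCount":250000,"durationMs":9100,"clientIP":"198.51.100.7","sourceIP":"10.0.0.5"}
{"logType":"queries","formatVersion":"v1.0.0","uuid":"q-3","timestamp":"2024-08-01T13:15:40Z","actorEmail":"bob@example.com","queryCategory":"k8s","resourceType":"kubernetes","resourceName":"prod-cluster","resourceTags":{"env":"prod"},"requestMethod":"DELETE","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d","pod":"api-7c9d","clientCommand":"kubectl delete pod api-7c9d"}
{"logType":"queries","formatVersion":"v1.0.0","uuid":"q-4","timestamp":"2024-08-01T13:16:00Z"
"""

def parse_query_events(text):
    """Parse a JSON-lines stream and keep only well-formed query-log events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the batch
        if ev.get("logType") != "queries":
            continue  # only query logs carry the fields used below
        events.append(ev)
    return events

def flag_events(events, row_threshold=100000):
    """Return (uuid, reason) pairs a reviewer would want to look at.
    The threshold and the env=prod tag convention are assumptions."""
    findings = []
    for ev in events:
        prod = (ev.get("resourceTags") or {}).get("env") == "prod"
        cat = ev.get("queryCategory")
        if cat == "queries" and prod and (ev.get("rowCount") or 0) >= row_threshold:
            findings.append((ev["uuid"], "bulk read from production database"))
        if cat == "k8s" and prod and ev.get("requestMethod") == "DELETE":
            findings.append((ev["uuid"], "DELETE against production cluster"))
    return findings

def rows_by_actor(events):
    """Total database rows returned per actor, a cheap data-movement signal."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("queryCategory") == "queries":
            totals[ev.get("actorEmail")] += ev.get("rowCount") or 0
    return dict(totals)
```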