Log Stream Query Logs

Last modified on August 26, 2024

This feature is part of the Enterprise bundle. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

Field	Type	Description	Example
actorAccountID	String	Unique identifier of the account that performed the query	`"a-0abcdabcdab00000"`
actorEmail	String	Email of the account that performed the query, at the time the query was executed	`"alice.glick@example.com"`
actorExternalID	String	External ID of the account that performed the query, at the time the query was executed	`"e-bca5454"`
actorFirstName	String	Given name of the account that performed the query, at the time the query was executed	`"Alice"`
actorLastName	String	Family name of the account that performed the query, at the time the query was executed	`"Glick"`
actorTags	Object	Tags of the account accessed, at the time the query was executed	`{ "tag1": "val1", "tag2": "val2" }`
authenticationId	String	Authentication of the account associated with this query	`"auth-0000000000000001"`
authz	Object	Authorization metadata from the policy evaluation associated with this query; only included for Enterprise organizations that have a policy in place that this event triggered	`{ "formatVersion": "v1.0.0", "entities": {}, "context": {}, "requests": [], "requirements": { "error": "", "requirements": {}, "decision": "allow" }`
clientCommand	String	Command executed on the client for a Kubernetes session.	`"kubectl describe pods"`
clientIP	String	IP address the query was performed from, as detected at the StrongDM control plane	`"1.11.222.333"`
command	String	Command executed over an SSH or Kubernetes session	`"echo hi"`
container	String	Target container of a Kubernetes operation	`"nginx"`
durationMs	Integer	Duration of the query in milliseconds	`200`
egressNodeID	String	Unique ID of the node through which the resource was accessed	`"n-56988fae64a73652"`
formatVersion	String	Version of the log format	`"v1.0.0"`
hash	String	Hash of the body of the query	`"0da22222ba9b212ecfed33a17147c466ae0929fb"`
headers	Object	HTTP headers of a Kubernetes operation	`{ "header1": "value1", "header2": "value2" }`
identityAlias	String	Username of the IdentityAlias used to access the resource	`"alice.glick"`
isShell	Boolean	Whether the query was executed in a shell	`false`
logType	String	Type of log, always “queries” for query logs	`"queries"`
pod	String	Target pod of a Kubernetes operation	`"kube-dns-v20-8gsbl"`
query	String	Captured content of the query; for queries against SSH, Kubernetes, and RDP resources, this contains a JSON representation of the QueryCapture	`"select name from users"`
queryCategory	String	General category of resource against which query was performed	`"k8s", "queries" (datasources), "rdp", "ssh", "web", "cloud", "all"`
requestBody	String	HTTP request body of a Kubernetes operation
requestMethod	String	HTTP request method of a Kubernetes operation
requestURI	String	HTTP request URI of a Kubernetes operation
resourceID	String	Unique identifier of the resource against which the query was performed	`"r-1caa595464152e78"`
resourceName	String	Name of the resource accessed, at the time the query was executed	`"MySQL"`
resourceTags	Object	Tags of the resource accessed, at the time the query was executed	`{"env": "dev"}`
resourceType	String	Specific type of resource against which query was performed	`"mysql"`
rowCount	Integer	Number of records returned by the query, for a database resource	`18`
sourceIP	String	IP address the query was performed from, as detected at the ingress gateway; will be an internal address if the gateway is on the same local network or VPN as the client	`"1.11.222.333"`
target	String	Target destination of the query, in host:port format	`"3.33.222.111:5432"`
timestamp	String	Time at which the query was started, formatted as datetime	`"2024-08-01T13:13:20.895597162Z"`
uuid	String	Unique identifier of the query	`"0CEGCEGCEGCEGCEGCEGCE1234ceg"`