View Logs from the CLI

Last modified on September 16, 2024

When your organization is configured to allow StrongDM to retain logs, you can view the following kinds of log entries from the Admin UI or using the CLI:

  • Administrative activities
  • Queries
  • SSH, RDP, or Kubernetes session replays

From the sdm command-line interface (CLI), you can access all auditing—activities, queries, and replays—via the StrongDM API.

Viewing logs at the CLI involves not only knowing the correct CLI audit commands but also knowing how to decrypt and interpret the data that comes back. To learn more about decrypting gateway/relay log files or locating information within those files directly, see the Node Log Files section.

View Activities With the CLI

To review administrative activities (the same events listed under Activities in the StrongDM Admin UI), use the sdm audit activities command. By default it returns the most recent activities from the last seven days, as CSV with a header row.

Example:

$ sdm audit activities
Timestamp,IP Address,Actor ID,Actor Name,Activity,Description
2023-03-22 12:28:40.276507 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the UI,Joe Admin (admin@company.com) logged into the UI.
2023-03-22 15:23:26.375064 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to none.
2023-03-22 15:23:26.376804 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log encode to plaintext.
2023-03-22 18:05:49.45456 +0000 UTC,71.232.116.201,1016,Joe Admin,user suspended,Joe Admin (admin@company.com) suspended Bob User (bob.user@company.com).
2023-03-22 18:05:51.002598 +0000 UTC,71.232.116.201,1016,Joe Admin,user type changed,Joe Admin (admin@company.com) changed type of Bob User (bob.user@company.com) to user.
2023-03-22 18:05:51.07059 +0000 UTC,71.232.116.201,1016,Joe Admin,user added to role,Joe Admin (admin@company.com) assigned Bob User (bob.user@company.com) to Junk.
2023-03-22 19:51:53.343206 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting remote log encode to strongdm.
2023-03-22 19:51:53.346103 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to stdout.
2023-03-23 14:37:43.710974 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged out from the local client,Joe Admin (admin@company.com) logged out from the local client.
2023-03-23 14:38:16.927605 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the local client,Joe Admin (admin@company.com) logged into the local client.

To look for activity in a specific time frame, use the --from and --to flags. Each takes either an absolute timestamp of the form YYYY-MM-DD or "YYYY-MM-DD HH:MM:SS" (quote the second form, because it contains a space) or a relative duration such as five seconds (5s), five minutes (5m), or five days (5d). You can specify --from alone or --from and --to together; the command then returns all activities within that window. From there you can narrow the search with grep, awk, or other text processing to find activity by a specific user, datasource, or server.

To follow a continuous stream of activities as they are recorded, or to redirect that stream to another location, use the -f (follow) flag.
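The text-processing step above is where the security value is: the sample output itself shows an administrator switching local log storage to none and local log encode to plaintext, which is exactly the kind of change you want to notice. The following script is an added example, not StrongDM code. It reads the CSV that sdm audit activities prints (piped in, for example from sdm audit activities --from 5d), flags organization-setting changes that touch log storage or encoding and the user-administration events shown on this page, and counts them per actor. The embedded sample rows are copied from this page's output and serve as constructed test input; the setting names in the regular expression are the ones that appear in those rows, so extend it for your organization.

```python
"""Triage `sdm audit activities` CSV for events that weaken auditing.

Added example, not StrongDM code. Typical use:

    sdm audit activities --from 5d | python3 triage_activities.py

Run with no stdin and it triages the constructed sample below, which is
copied from the rows shown on this page.
"""
import csv
import io
import re
import sys
from datetime import datetime

# Constructed test input: rows copied from this page's sample output.
SAMPLE = """\
Timestamp,IP Address,Actor ID,Actor Name,Activity,Description
2023-03-22 12:28:40.276507 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged into the UI,Joe Admin (admin@company.com) logged into the UI.
2023-03-22 15:23:26.375064 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to none.
2023-03-22 15:23:26.376804 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log encode to plaintext.
2023-03-22 18:05:49.45456 +0000 UTC,71.232.116.201,1016,Joe Admin,user suspended,Joe Admin (admin@company.com) suspended Bob User (bob.user@company.com).
2023-03-22 18:05:51.002598 +0000 UTC,71.232.116.201,1016,Joe Admin,user type changed,Joe Admin (admin@company.com) changed type of Bob User (bob.user@company.com) to user.
2023-03-22 18:05:51.07059 +0000 UTC,71.232.116.201,1016,Joe Admin,user added to role,Joe Admin (admin@company.com) assigned Bob User (bob.user@company.com) to Junk.
2023-03-22 19:51:53.343206 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting remote log encode to strongdm.
2023-03-22 19:51:53.346103 +0000 UTC,71.232.116.201,1016,Joe Admin,organization setting updated,Joe Admin (admin@company.com) changed the organization setting local log storage to stdout.
2023-03-23 14:37:43.710974 +0000 UTC,71.232.116.201,1016,Joe Admin,user logged out from the local client,Joe Admin (admin@company.com) logged out from the local client.
"""

# Settings that control where audit data goes. These names are the ones that
# appear in the sample descriptions; extend the pattern for your organization.
LOG_SETTING = re.compile(r"\b(local|remote) log (storage|encode)\b", re.I)
# Account changes worth a second look when made outside a change window.
USER_ADMIN = {"user suspended", "user type changed", "user added to role"}


def parse_ts(value):
    """Parse the CLI's timestamp format, e.g. '2023-03-22 18:05:49.45456 +0000 UTC'."""
    value = value.replace(" UTC", "")
    for fmt in ("%Y-%m-%d %H:%M:%S.%f %z", "%Y-%m-%d %H:%M:%S %z"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_activities(text):
    """The CLI prints CSV with a header row, so DictReader keys rows by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row):
    """Return a category for rows we care about, or None."""
    if row["Activity"] == "organization setting updated" and LOG_SETTING.search(row["Description"]):
        return "log-config"
    if row["Activity"] in USER_ADMIN:
        return "user-admin"
    return None


def triage(rows):
    """Flagged rows, oldest first, with 'category' and a parsed 'ts' added."""
    flagged = []
    for row in rows:
        category = classify(row)
        if category:
            flagged.append({**row, "category": category, "ts": parse_ts(row["Timestamp"])})
    flagged.sort(key=lambda r: r["ts"])
    return flagged


def by_actor(flagged):
    """Count flagged events per (actor, category) to spot one unusually busy actor."""
    counts = {}
    for r in flagged:
        key = (r["Actor Name"], r["category"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def main(stream):
    flagged = triage(parse_activities(stream.read()))
    for r in flagged:
        print(f'{r["ts"]:%Y-%m-%d %H:%M:%S} {r["category"]:<11} {r["Actor Name"]} '
              f'from {r["IP Address"]}: {r["Description"]}')
    for (actor, category), n in sorted(by_actor(flagged).items()):
        print(f"{actor}: {n} {category} event(s)")


if __name__ == "__main__":
    main(sys.stdin if not sys.stdin.isatty() else io.StringIO(SAMPLE))
```

Because the script reads CSV from stdin, the same invocation works with -f: sdm audit activities -f piped into it will keep flagging events as they arrive, provided you replace the read-everything-then-sort step with a per-line loop.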

View Queries With the CLI

Similarly to Activities, you can use the sdm audit queries command to find the most recent queries. This command alone returns the most recent queries, but you can use the --from and --to flags to time-box your search, just as with sdm audit activities. You can also use the -f flag to get a streaming output to STDOUT.

Example:

$ sdm audit queries
Time,Datasource ID,Datasource Name,User ID,User Name,Duration (ms),Record Count,Query,Hash
2023-03-21 20:48:27.816603 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SELECT VERSION(),bfdacb2e17fbd4ec7a8d1dc6d6d9da37926a1198
2023-03-21 20:49:28.022841 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SHOW ALL,1ac37f50840217029812c9d0b779baf64e85261f
2023-03-21 20:49:28.530386 +0000 UTC,1333,Local pgsql,1016,Joe Admin,8,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2023-03-21 20:55:28.637862 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2023-03-21 20:55:28.920521 +0000 UTC,1333,Local pgsql,1016,Joe Admin,29,0,"SELECT   rel.relname,    rel.relkind,    rel.reltuples,  coalesce(rel.relpages,0) + coalesce(toast.relpages,0) AS num_total_pages,   SUM(ind.relpages) AS index_pages,   pg_roles.rolname AS owner FROM pg_class rel     left join pg_class toast on (toast.oid = rel.reltoastrelid) left join pg_index on (indrelid=rel.oid)    left join pg_class ind on (ind.oid = indexrelid)    join pg_namespace on (rel.relnamespace =pg_namespace.oid )  left join pg_roles on ( rel.relowner = pg_roles.oid ) WHERE rel.relkind IN ('r','v','m','f','p') AND nspname = 'public'GROUP BY rel.relname, rel.relkind, rel.reltuples, coalesce(rel.relpages,0) + coalesce(toast.relpages,0), pg_roles.rolname;",8b62e88535286055252d080712a781afc1f2d53c
2023-03-21 20:56:29.153809 +0000 UTC,1333,Local pgsql,1016,Joe Admin,2,0,"SELECT    rel.relname,    rel.relkind,    rel.reltuples,  coalesce(rel.relpages,0) + coalesce(toast.relpages,0) AS num_total_pages,   SUM(ind.relpages) AS index_pages,   pg_roles.rolname AS owner FROM pg_class rel     left join pg_class toast on (toast.oid = rel.reltoastrelid) left join pg_index on (indrelid=rel.oid)    left join pg_class ind on (ind.oid = indexrelid)    join pg_namespace on (rel.relnamespace =pg_namespace.oid )  left join pg_roles on ( rel.relowner = pg_roles.oid ) WHERE rel.relkind IN ('r','v','m','f','p') AND nspname = 'public'GROUP BY rel.relname, rel.relkind, rel.reltuples, coalesce(rel.relpages,0) + coalesce(toast.relpages,0), pg_roles.rolname;",8b62e88535286055252d080712a781afc1f2d53c
2023-03-21 20:56:32.125572 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,select 42;,cad5386a37b29383f33869ffa64d1585f9c93a0e
2023-03-21 20:57:17.261133 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2023-03-21 20:57:52.547195 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2023-03-21 20:58:37.72325 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f

If you have turned on StrongDM log encryption, you need to have the private key to view the query contents. You can use the -k <private.key> flag to decrypt the queries and use the result. This flag can also be used in conjunction with the -f flag to stream decrypted query logs to another location.

There is an additional option for this command, --full, that pulls query logs from long-term storage instead. This has the following effects:

  • Time-frame precision is coarser; results are returned in one-hour blocks.
  • Results may lag by up to one hour (queries performed within the last hour may not be returned yet).
  • All queries are returned, including those that bypass the Admin UI and short-term storage.
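Two things about the query output matter when you process it: the Query field is quoted whenever the statement contains commas (see the pg_namespace and pg_settings rows above), so split it with a real CSV parser rather than on commas, and identical statement text carries an identical Hash in the sample, so that column works as a fingerprint for collapsing repeated driver and ORM boilerplate. The script below is an added example, not StrongDM code. It summarises sdm audit queries output per fingerprint and flags statements whose leading keyword changes data or privileges. The sample rows are copied from this page, plus one invented row (user "Mallory Dev", an all-zero hash) so that a write statement appears; the write-verb list and the comment-skipping regular expression are my own choices, and a SELECT that calls a side-effecting function, or a CTE wrapping DML, will not be caught by them.

```python
"""Summarise `sdm audit queries` CSV by fingerprint and flag write statements.

Added example, not StrongDM code. Typical use:

    sdm audit queries --from 5d | python3 triage_queries.py

(add -k <private.key> to the sdm command when query logs are encrypted).
"""
import csv
import io
import re
import sys

# Constructed test input: rows copied from this page's sample output, plus one
# invented row (user "Mallory Dev", all-zero hash) so that a write shows up.
SAMPLE = """\
Time,Datasource ID,Datasource Name,User ID,User Name,Duration (ms),Record Count,Query,Hash
2023-03-21 20:48:27.816603 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SELECT VERSION(),bfdacb2e17fbd4ec7a8d1dc6d6d9da37926a1198
2023-03-21 20:49:28.022841 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,SHOW ALL,1ac37f50840217029812c9d0b779baf64e85261f
2023-03-21 20:49:28.530386 +0000 UTC,1333,Local pgsql,1016,Joe Admin,8,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2023-03-21 20:55:28.637862 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,"SELECT oid, nspname, nspname = ANY (current_schemas(true)) AS is_on_search_path, oid = pg_my_temp_schema() AS is_my_temp_schema, pg_is_other_temp_schema(oid) AS is_other_temp_schema FROM pg_namespace",e2e88ed63a43677ee031d1e0a0ecb768ccdd92a1
2023-03-21 20:56:32.125572 +0000 UTC,1333,Local pgsql,1016,Joe Admin,0,0,select 42;,cad5386a37b29383f33869ffa64d1585f9c93a0e
2023-03-21 20:57:17.261133 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2023-03-21 20:57:52.547195 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2023-03-21 20:58:37.72325 +0000 UTC,1333,Local pgsql,1016,Joe Admin,1,0,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2023-03-21 21:02:11.000000 +0000 UTC,1333,Local pgsql,2042,Mallory Dev,4,1,"UPDATE users SET role = 'admin' WHERE email = 'mallory@company.com';",0000000000000000000000000000000000000000
"""

# Leading keyword of statements that change data or privileges. A SELECT that
# calls a side-effecting function, or a CTE that wraps DML, is not caught.
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE", "DROP", "ALTER", "CREATE",
               "TRUNCATE", "GRANT", "REVOKE", "COPY", "CALL", "DO"}
# First word after any /* */ or -- comments a client may put in front of it.
LEAD = re.compile(r"^\s*(?:(?:/\*.*?\*/|--[^\n]*\n)\s*)*([A-Za-z]+)", re.S)


def statement_verb(sql):
    m = LEAD.match(sql)
    return m.group(1).upper() if m else ""


def is_write(sql):
    return statement_verb(sql) in WRITE_VERBS


def parse_queries(text):
    """Real CSV parsing: the Query field is quoted when it contains commas."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_hash(rows):
    """One entry per Hash. Identical statement text has the same Hash in the
    sample, so repeated boilerplate collapses and novel statements stand out."""
    summary = {}
    for r in rows:
        e = summary.setdefault(r["Hash"], {
            "query": r["Query"], "count": 0, "rows": 0,
            "users": set(), "datasources": set(),
            "first": r["Time"], "last": r["Time"],
        })
        e["count"] += 1
        e["rows"] += int(r["Record Count"] or 0)
        e["users"].add(r["User Name"])
        e["datasources"].add(r["Datasource Name"])
        # Time strings share a fixed-width prefix and a constant UTC offset, so
        # lexical min/max is chronological.
        e["first"] = min(e["first"], r["Time"])
        e["last"] = max(e["last"], r["Time"])
    return summary


def flag_writes(rows):
    return [r for r in rows if is_write(r["Query"])]


def main(stream):
    rows = parse_queries(stream.read())
    summary = summarize_by_hash(rows)
    print(f"{len(rows)} statements, {len(summary)} distinct fingerprints")
    for h, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{e["count"]:>4}x {h[:12]} {",".join(sorted(e["users"]))}: {e["query"][:70]}')
    for r in flag_writes(rows):
        print(f'WRITE {r["Time"]} {r["User Name"]}@{r["Datasource Name"]}: {r["Query"]}')


if __name__ == "__main__":
    main(sys.stdin if not sys.stdin.isatty() else io.StringIO(SAMPLE))
```

The same script works on --full output; the only difference is that the Time column is then bucketed to the hour, so first/last per fingerprint become hour boundaries.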

View SSH Replays With the CLI

You can list SSH replays, play them, and grep for strings within replays via the CLI.

List SSH replays

Just like Activities and Queries, you can use sdm audit ssh and sdm audit rdp to list recent or time-specified SSH or RDP sessions, using the same flags.

$ sdm audit ssh
Time,Server ID,Server Name,User ID,User Name,Duration (ms),Capture ID,Hash
2023-03-21 20:51:16.098221 +0000 UTC,1334,prod-312-test,1016,Joe Admin,8572,s1lAGI1niKKwdSYQtwi62HIuYTIO,afb368770931a2aae89e6a8801b40eac44569d93
2023-03-21 20:53:01.4391 +0000 UTC,1334,prod-312-test,1016,Joe Admin,7515,s1lAxGI1uuKe7zpgJtwi6j2dIfjY,aa4aa0646469757df9f0b92fb5ca39a9c1bfd38d
2023-03-22 21:57:10.920914 +0000 UTC,1334,prod-312-test,1016,Joe Admin,10440,s1lAxGI1niKKwSYQtwi6229NmTpG,aa4aa0646469757df9f0b92fb5ca39a9c1bfd38d
2023-03-22 23:16:40.170815 +0000 UTC,1334,prod-312-test,1016,Joe Admin,5433,s1lAGI7rekCY29NmTpGQD5G22WlK,883b03873229301e58fb6c9ccf1a3f584953d13c
2023-03-22 23:21:49.987304 +0000 UTC,1334,prod-312-test,1016,Joe Admin,4529,s1lAGIfjYkNrEW5MDbi62HIuYTIO,883b03873229301e58fb6c9ccf1a3f584953d13c
2023-03-23 01:18:02.167322 +0000 UTC,1334,prod-312-test,1016,Joe Admin,6318,s1lAA4Jkn4LPkosDulWmyHgCqqeB,883b03873229301e58fb6c9ccf1a3f584953d13c

View SSH replays

You can also replay an SSH session in your terminal, much like the replay window in the StrongDM Admin UI. First note the Capture ID of the session from the output of sdm audit ssh, then pass it to the sdm ssh play command:

$ sdm ssh play s1lAA4Jkn4LPkosDulWmyHgCqqeB
[... output elided ...]

If you just want to dump the commands and output of an SSH session to a file, perhaps for further analysis, use sdm ssh dump with the same syntax. It writes the session contents to STDOUT, so redirect the output to a file if you want to keep it.

As with queries, if you have turned on StrongDM log encryption you need the -k <private.key> flag with sdm ssh play and sdm ssh dump.

View Kubernetes Replays With the CLI

You can list Kubernetes replays and play them from the CLI.

List Kubernetes replays

Similar to SSH, you can use sdm audit kubernetes to list recent or time-specified Kubernetes sessions, using the same flags. Rows with a value in the Authorization Decision column record the access decision for a connection; rows with a Request URI record individual API requests, and the Replay column shows whether a session replay was captured for that request.

Time,Resource ID,Resource Name,Pod,Container,User ID,User Name,Duration (ms),Client Command,Request URI,Query ID,Hash,Replay,Identity Alias Username,Source IP,Target,Authorization Decision
...
2024-09-06 03:50:04.456764253 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,,,a-1234abc123ab1234,Alice Glick,0,,,02lgH414jEIwP7GoQrMNKcz86NTq,da39a3ee5e6b4b0d3244bfef12301555afd12341,false,,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,allow
2024-09-06 03:50:05.231376408 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,,,a-1234abc123ab1234,Alice Glick,55,,/api/v1/namespaces/default/pods/shell-demo,k2lgH4FFFb7bKWUqhuqG6BjE1GRM,e5f19047ca76a58925c4d8193a076a2a141148ec,false,alice,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,
2024-09-06 03:50:06.48886773 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,shell-demo,nginx,a-1234abc123ab1234,Alice Glick,103,kubectl exec shell-demo -c nginx -it /bin/bash,/api/v1/namespaces/default/pods/shell-demo/exec?command=%2Fbin%2Fbash&container=nginx&stdin=true&stdout=true&tty=true,k2lgH4GblXwL4Fp33i0dJ8QdIRP2,da0b8ff55d43a5d5090cfe435ea43d08f2a89776,true,alice,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,
2024-09-06 03:50:42.719211575 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,,,a-1234abc123ab1234,Alice Glick,52,,/api/v1/namespaces/default/pods/shell-demo,k2lgH8nDz69NPccerRrfB7KQzBZk,e5f19047ca76a58925c4d8193a076a2a141148ec,false,alice,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,
2024-09-06 03:50:43.389475637 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,shell-demo,nginx,a-1234abc123ab1234,Alice Glick,89,kubectl exec shell-demo -c nginx -it /bin/bash,/api/v1/namespaces/default/pods/shell-demo/exec?command=%2Fbin%2Fbash&container=nginx&stdin=true&stdout=true&tty=true,k2lgH8y0D40gZOzaScnzSlcXscUI,d98e02f88e52aa92e7a2d7e7be0c837048ad8406,true,alice,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,
2024-09-06 03:50:44.20127368 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,shell-demo,nginx,a-1234abc123ab1234,Alice Glick,22099,kubectl exec shell-demo -c nginx -it /bin/bash,/api/v1/namespaces/default/pods/shell-demo/exec?command=%2Fbin%2Fbash&container=nginx&stdin=true&stdout=true&tty=true,k2lgH94T4xOLqwDdq6v3ptOqQgVT,ef4c49334bc9f7dc4b797dcbcb2537e0105a0ff8,true,alice,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,
2024-09-06 03:50:05.901160685 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,shell-demo,nginx,a-1234abc123ab1234,Alice Glick,89,kubectl exec shell-demo -c nginx -it /bin/bash,/api/v1/namespaces/default/pods/shell-demo/exec?command=%2Fbin%2Fbash&container=nginx&stdin=true&stdout=true&tty=true,k2lgH48gGSUZCazNWYtbsoxVUCc5,d98e02f88e52aa92e7a2d7e7be0c837048ad8406,true,alice,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,
2024-09-06 03:50:45.260431444 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,shell-demo,nginx,a-1234abc123ab1234,Alice Glick,0,kubectl exec shell-demo -c nginx -it /bin/bash,/api/v1/namespaces/default/pods/shell-demo/exec?command=%2Fbin%2Fbash&container=nginx&stdin=true&stdout=true&tty=true,k2lgH94T4xOLqwDdq6v3ptOqQgVT,da0b8ff55d43a5d5090cfe435ea43d08f2a89776,true,alice,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,
2024-09-06 03:50:41.881588734 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,,,a-1234abc123ab1234,Alice Glick,0,,,02lgH8frjMmDhXpytP5OsW7zzpEF,da39a3ee5e6b4b0d3244bfef12301555afd12341,false,,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,allow
2024-09-06 03:50:43.437773331 +0000 UTC,rs-1n123ffa11aad78c,TestCluster,,,a-1234abc123ab1234,Alice Glick,0,,,02lgH8yDDSEjEC3zgj2t3ATrJZAr,da39a3ee5e6b4b0d3244bfef12301555afd12341,false,,136.56.222.198,testcluster-dns-adsfg5hi.hcp.awsregion.azmk8s.io:443,allow
...

View Kubernetes replays

Any row whose Replay column is true can be replayed. Pass its Query ID (for example k2lgH94T4xOLqwDdq6v3ptOqQgVT from the listing above) to sdm kubernetes play:

$ sdm kubernetes play k2lgH94T4xOLqwDdq6v3ptOqQgVT

This outputs a line by line replay of the Kubernetes session:

root@aks-agentpool-12345678-vmss000000:/# echo hello
hello
root@aks-agentpool-12345678-vmss000000:/# exit
exit

Render and View RDP Replays Locally

Because RDP Replays are binary objects, and not typical logs, they must be kept in object storage systems (such as AWS S3, Azure Blob, Google Cloud Storage, and so forth) and not in logging systems (such as AWS CloudWatch, Azure Monitor, Splunk, and so forth) to ensure they don’t get corrupted.

Only the most minimal of RDP settings are supported for RDP via StrongDM. Trying to use advanced options or configurations may prevent replays from being rendered and played.

Render RDP sessions using Docker

It is possible to render RDP sessions locally via a Docker image:

docker run --rm -ti -v ~/.sdm/logs:/logs public.ecr.aws/strongdm/rdpreplay:latest --format 'csv' r1po3p80VaPnzSSjAobzV2RavzWW

Pointers for using the Docker image:

  • You need the FFmpeg package installed locally in order to play RDP session videos.
  • If you have changed your SDM HOME location away from the default ~/.sdm, change the host side of the -v mount in the above command accordingly.
  • Substitute the sample session ID in the above command with the session ID you intend to replay.
  • Completed MP4 files are written to /logs inside the container, which the -v flag maps to your ~/.sdm/logs directory on the host.

Render RDP sessions using the CLI

The local rendering can be done via the CLI as well, if desired. Pass the session ID followed by the relay log file(s) that contain the session, and --format csv if your relays write CSV rather than the default JSON:

$ sdm replay rdp
NAME:
  sdm replay rdp - render a RDP session in movie format.

USAGE:
  sdm replay rdp [command options] <sessionID> <relay-log-file-path1> <relay-log-file-path2> <relay-log-file-pathN>...

OPTIONS:
  --format value            define the file format of the relay log file ('json' or 'csv') (default: "json")
  --tmpdir value, -t value  for long sessions, a larger temporary directory might be necessary for rendering (default: "C:\\Users\\sebas\\.sdm\\logs")

The default shown for --tmpdir is the logs directory under the SDM HOME of the machine on which this help text was captured; on your machine it is the logs directory under your own SDM HOME.

Log References

To view a list of all available fields and their descriptions for each event type, please see the Log References section.
