# How to Read Node Log Files

Nodes (gateways and relays) write log events to local log files if your organization is configured to retain logs on nodes. These files contain query information as well as session replay data. If StrongDM log retention is enabled, the same events can be reviewed in the Admin UI and with the CLI, but they can also be read directly from the log files on any given node.

### Encrypted Log Files

If you have configured node (gateway/relay) log encryption, the log files are not directly readable. To decrypt them, use the `sdm crypto parse-logs` utility with the node's `private.key` file available.

Example:

```bash
cat logfile | sdm crypto parse-logs private.key > decrypted-log
```

### Locate Queries in Log Files

To find queries in the node logs, look for `start` events. Depending on the log format you have chosen, they take one of the following forms; the query text is carried in the `query` field (the eighth column in the CSV layout).

The quickest way to locate a particular query is to `grep` the log for the resource name or for a distinctive fragment of the query text.

**CSV example**

```plaintext
2023-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
```

**JSON example**

```json
{
  "type": "start",
  "timestamp": "2023-01-01T13:14:15.820199164Z",
  "uuid": "01a2B3cd4Efghi567jKlMnop8qRs",
  "datasourceId": "rs-123a45678910b123",
  "datasourceName": "cli_example mysql",
  "userId": "a-0a12b34c567d89d1",
  "userName": "Jane Admin",
  "query": "/* ApplicationName=DBeaver 7.3.5 - Metadata */ SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='mysql' AND TABLE_NAME='db' ORDER BY ORDINAL_POSITION",
  "hash": "1234a56b7c891dab012ef3456g78h9i1jk2l3m45"
}
```

For more details about the `start` event type, see the [Node Logs - Start Event](/admin/audit/logs/references/node-start.md) reference.

### Read Log Files to Find Capture IDs

You need a replay's capture ID in order to review it.

#### Find capture IDs by manually searching log files

One way to get the capture ID is to search the node logs. It appears as the UUID in `start` events of the following form, whose `query` field holds a JSON object with the session's connection parameters (terminal size, session type, and so on) instead of a query.

In the following example, the capture ID is `9d880e13-f608-4fe0-b1e7-deeb35bb9f2c`:

```plaintext
2023-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}"
```
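Locating queries and locating capture IDs are both pattern matching over the same `start` record layout, so one script covers both. The following Python is an added example, not StrongDM code: it parses a decrypted node log in either the CSV or the JSON layout, keeps only `start` events, tells query events apart from session-open events (whose `query` field is a JSON connection-parameter object), and returns either the matching queries or the capture IDs. The CSV column order is read off the examples on this page; the sample log lines are constructed from those examples, and the layout of the constructed `complete` line is an assumption.

```python
import csv
import json
import re

# Field order of a CSV start event, as read off the examples on this page.
# The names match the keys used by the JSON log format.
CSV_FIELDS = ["timestamp", "type", "uuid", "datasourceId", "datasourceName",
              "userId", "userName", "query", "hash"]

# Constructed sample input modelled on the page's CSV examples. The first two
# lines mirror the page; the third (a non-start event) is made up here to show
# that other event types are skipped, and its column layout is an assumption.
SAMPLE_CSV = '''2023-03-23 18:10:54.265186636 +0000 UTC,start,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,"SELECT name, setting FROM pg_settings WHERE source = 'session';",dc1952385fab5663c36c17579337686e71d6145f
2023-03-23 18:10:02.970395873 +0000 UTC,start,9d880e13-f608-4fe0-b1e7-deeb35bb9f2c,1334,prod-312-test,1016,Joe Admin,"{""version"":1,""width"":92,""height"":25,""duration"":0,""command"":"""",""title"":null,""env"":{""TERM"":""xterm-256color""},""type"":""shell"",""fileName"":null,""fileSize"":0,""stdout"":null,""lastChunkId"":0}"
2023-03-23 18:10:55.000000000 +0000 UTC,complete,af9e303c-07f7-42ee-84c4-279ca7b9de28,1333,psql-server-6,1016,Joe Admin,,dc1952385fab5663c36c17579337686e71d6145f
'''

# The page's JSON example, used as a second constructed input.
SAMPLE_JSON = '''{
  "type": "start",
  "timestamp": "2023-01-01T13:14:15.820199164Z",
  "uuid": "01a2B3cd4Efghi567jKlMnop8qRs",
  "datasourceId": "rs-123a45678910b123",
  "datasourceName": "cli_example mysql",
  "userId": "a-0a12b34c567d89d1",
  "userName": "Jane Admin",
  "query": "/* ApplicationName=DBeaver 7.3.5 - Metadata */ SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='mysql' AND TABLE_NAME='db' ORDER BY ORDINAL_POSITION",
  "hash": "1234a56b7c891dab012ef3456g78h9i1jk2l3m45"
}'''


def _iter_json_objects(text):
    """Yield each top-level JSON object in text, whether the objects are
    pretty-printed over several lines or written one per line."""
    dec = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = dec.raw_decode(text, pos)
        yield obj


def parse_start_events(text):
    """Return the start events in a decrypted node log as a list of dicts.

    Accepts either the CSV or the JSON layout. Events of any other type are
    dropped. A CSV row that lacks the trailing hash column is still accepted,
    so a line truncated after the query field does not hide a session.
    """
    if text.lstrip().startswith("{"):
        records = _iter_json_objects(text)
    else:
        rows = csv.reader(line for line in text.splitlines() if line.strip())
        records = (dict(zip(CSV_FIELDS, row)) for row in rows if len(row) >= 8)
    return [rec for rec in records if rec.get("type") == "start"]


def session_params(event):
    """Return the connection-parameter object if this start event opened a
    captured session (its query field is a JSON object), otherwise None."""
    query = event.get("query", "")
    if not query.lstrip().startswith("{"):
        return None
    try:
        params = json.loads(query)
    except ValueError:
        return None
    return params if isinstance(params, dict) else None


def find_queries(text, pattern):
    """Programmatic equivalent of grepping the log: start events whose query
    text matches the regex (case-insensitive). Session-open events are
    excluded so that searching for 'shell' does not return terminal descriptors."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in parse_start_events(text)
            if session_params(e) is None and rx.search(e.get("query", ""))]


def capture_ids(text):
    """Capture IDs (the start event's uuid) of every captured session in the log."""
    return [e["uuid"] for e in parse_start_events(text)
            if session_params(e) is not None]


if __name__ == "__main__":
    for cid in capture_ids(SAMPLE_CSV):
        print("capture", cid)
    for ev in find_queries(SAMPLE_CSV, r"pg_settings"):
        print(ev["timestamp"], ev["userName"], ev["datasourceName"], ev["query"])
```

Feed it the output of `sdm crypto parse-logs` when the node's logs are encrypted. The CSV path uses `csv.reader`, which correctly unescapes the doubled quotes inside the JSON connection-parameter field; a naive `split(",")` would break on the commas inside the quoted query and is the usual reason hand-rolled log greps miss sessions.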

#### Find Capture IDs with the CLI

Another way to collect capture IDs is the `sdm audit ssh` command, which lists the SSH sessions that occurred during a given time frame together with their capture IDs.

#### Extract SSH replay data

Once you have the capture ID, use the `sdm ssh split` command to extract the captures from a log file. Every capture in the file is written out as an individual `.ssh` file named after its capture ID, so you can pick out the session you want.

Example:

```sh
$ sdm ssh split relay.1521828535.0.log
5783cb5e-e1c8-44ba-b8ee-4bc4d8c28c7d.ssh
9d880e13-f608-4fe0-b1e7-deeb35bb9f2c.ssh
```

If your node logs are encrypted, you can either decrypt them first with `sdm crypto parse-logs`, or run `sdm ssh split` directly on the encrypted log by passing the private key with the `-k` flag:

```sh
sdm ssh split -k private.key relay.1521828535.0.log
```

If your StrongDM gateway or relay logs are written in JSON, add the `-j` option so that the file is parsed correctly:

```sh
sdm ssh split -j relay.1521828535.0.log
```

Once you have the `.ssh` file for the session you want to review, you can dump it to a text file and read it in a text editor, or `cat` it to the terminal to replay the session at full speed.

### View Replays

To view replays for SSH, Kubernetes, or RDP sessions from the command line, see the [View Logs from the CLI](/admin/audit/logs/view-cli.md) section.

### Log References

For a list of all available fields and their descriptions for each event type, see the [Log References](/admin/audit/logs/references.md) section.
