# Log Stream Queries

{% hint style="info" %}
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).
{% endhint %}

| Field            | Type        | Description                                                                                                                                                                    | Example                                                                                                                     |
| ---------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------- |
| actorAccountID   | String      | Unique identifier of the account that performed the query                                                                                                                      | `"a-0abcdabcdab00000"`                                                                                                      |
| actorEmail       | String      | Email of the account that performed the query, at the time the query was executed                                                                                              | `"alice.glick@example.com"`                                                                                                 |
| actorExternalID  | String      | External ID of the account that performed the query, at the time the query was executed                                                                                        | `"e-bca5454"`                                                                                                               |
| actorFirstName   | String      | Given name of the account that performed the query, at the time the query was executed                                                                                         | `"Alice"`                                                                                                                   |
| actorLastName    | String      | Family name of the account that performed the query, at the time the query was executed                                                                                        | `"Glick"`                                                                                                                   |
| actorTags        | Object      | Tags of the account that performed the query, at the time the query was executed                                                                                               | `{ "tag1": "val1", "tag2": "val2" }`                                                                                        |
| authenticationId | String      | Identifier of the authentication of the account associated with this query                                                                                                     | `"auth-0000000000000001"`                                                                                                   |
| authz            | Object      | Authorization metadata from the policy evaluation associated with this query; only included for Enterprise organizations that have a policy in place that this event triggered | See the [Policy Info in Logs](https://docs.strongdm.com/admin/audit/logs/references/authz-logs-object) section for details. |
| clientCommand    | String      | Command executed on the client for a Kubernetes session                                                                                                                        | `"kubectl describe pods"`                                                                                                   |
| clientIP         | String      | IP address the query was performed from, as detected at the StrongDM control plane                                                                                             | `"1.11.222.333"`                                                                                                            |
| command          | String      | Command executed over an SSH or Kubernetes session                                                                                                                             | `"echo hi"`                                                                                                                 |
| container        | String      | Target container of a Kubernetes operation                                                                                                                                     | `"nginx"`                                                                                                                   |
| durationMs       | Integer     | Duration of the query in milliseconds                                                                                                                                          | `200`                                                                                                                       |
| egressNodeID     | String      | Unique ID of the node through which the resource was accessed                                                                                                                  | `"n-56988fae64a73652"`                                                                                                      |
| formatVersion    | String      | Version of the log format                                                                                                                                                      | `"v1.0.0"`                                                                                                                  |
| hash             | String      | Hash of the body of the query                                                                                                                                                  | `"0da22222ba9b212ecfed33a17147c466ae0929fb"`                                                                                |
| headers          | Object      | HTTP headers of a Kubernetes operation                                                                                                                                         | `{ "header1": "value1", "header2": "value2" }`                                                                              |
| identityAlias    | String      | Username of the IdentityAlias used to access the resource                                                                                                                      | `"alice.glick"`                                                                                                             |
| isShell          | Boolean     | Whether the query was executed in a shell                                                                                                                                      | `false`                                                                                                                     |
| logType          | String      | Type of log, always "queries" for query logs                                                                                                                                   | `"queries"`                                                                                                                 |
| metadata         | JSON string | Unique session identifier used on the server side to track the user's session in which the query was performed; supported for MSSQL, Oracle, and Postgres resources            | `{"SessionID":"54","SessionStartTime":"2025-06-05 08:42:26.255868 +0000 UTC"}`                                              |
| parentQueryUUID  | String      | UUID of the parent query event                                                                                                                                                 | `"k35hyudiY8ibVZzf5ioZ9N7nWMM8"`                                                                                            |
| pod              | String      | Target pod of a Kubernetes operation                                                                                                                                           | `"kube-dns-v20-8gsbl"`                                                                                                      |
| queryCategory    | String      | General category of resource against which query was performed                                                                                                                 | `"k8s"`, `"queries"` (datasources), `"rdp"`, `"ssh"`, `"web"`, `"cloud"`, `"all"`                                           |
| requestBody      | String      | HTTP request body of a Kubernetes operation                                                                                                                                    |                                                                                                                             |
| requestMethod    | String      | HTTP request method of a Kubernetes operation                                                                                                                                  |                                                                                                                             |
| requestURI       | String      | HTTP request URI of a Kubernetes operation                                                                                                                                     |                                                                                                                             |
| resourceID       | String      | Unique identifier of the resource against which the query was performed                                                                                                        | `"r-1caa595464152e78"`                                                                                                      |
| resourceName     | String      | Name of the resource accessed, at the time the query was executed                                                                                                              | `"MySQL"`                                                                                                                   |
| resourceTags     | Object      | Tags of the resource accessed, at the time the query was executed                                                                                                              | `{"env": "dev"}`                                                                                                            |
| resourceType     | String      | Specific type of resource against which query was performed                                                                                                                    | `"mysql"`                                                                                                                   |
| rowCount         | Integer     | Number of records returned by the query, for a database resource                                                                                                               | `18`                                                                                                                        |
| sdmOrgId         | String      | Organization identifier of the organization that emitted the event represented in the log                                                                                      | `"o-6dce5b5663c12e6b"`                                                                                                      |
| sourceIP         | String      | IP address the query was performed from, as detected at the ingress gateway; will be an internal address if the gateway is on the same local network or VPN as the client      | `"1.11.222.333"`                                                                                                            |
| target           | String      | Target destination of the query, in host:port format                                                                                                                           | `"3.33.222.111:5432"`                                                                                                       |
| timestamp        | String      | Time at which the query was started, formatted as datetime                                                                                                                     | `"2024-08-01T13:13:20.895597162Z"`                                                                                          |
| uuid             | String      | Unique identifier of the query                                                                                                                                                 | `"0CEGCEGCEGCEGCEGCEGCE1234ceg"`                                                                                            |
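
The following is an added example, not StrongDM code: a normalizer for query records before they are loaded into a SIEM, handling two fields from the table that need extra care. `metadata` is a JSON string and must be decoded a second time, and `timestamp` carries nanosecond precision, which Python's `datetime` cannot hold. It assumes records arrive as one JSON object per line; the sample record and the function names are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample record (not real log output); values are taken from the
# Example column of the table. Assumption: one JSON object per line.
SAMPLE_LINE = json.dumps({
    "logType": "queries",
    "formatVersion": "v1.0.0",
    "uuid": "0CEGCEGCEGCEGCEGCEGCE1234ceg",
    "timestamp": "2024-08-01T13:13:20.895597162Z",
    "actorEmail": "alice.glick@example.com",
    "durationMs": 200,
    "rowCount": 18,
    # metadata is a JSON *string*, so it is encoded a second time here.
    "metadata": json.dumps({"SessionID": "54"}),
})

_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$")


def parse_timestamp(value):
    """Parse the UTC timestamp, truncating nanoseconds to microseconds."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def normalize_query_record(line):
    """Return the record with typed fields, or None if it is not a query log."""
    rec = json.loads(line)
    if rec.get("logType") != "queries":
        return None
    rec["timestamp"] = parse_timestamp(rec["timestamp"])
    meta = rec.get("metadata")
    if isinstance(meta, str) and meta:
        try:
            rec["metadata"] = json.loads(meta)
        except json.JSONDecodeError:
            rec["metadata"] = {"_raw": meta}  # keep undecodable value for review
    return rec


if __name__ == "__main__":
    print(normalize_query_record(SAMPLE_LINE))
```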
