Log Stream Queries
| Field | Type | Description | Example |
| --- | --- | --- | --- |
| actorAccountID | String | Unique identifier of the account that performed the query | "a-0abcdabcdab00000" |
| actorEmail | String | Email of the account that performed the query, at the time the query was executed | |
| actorExternalID | String | External ID of the account that performed the query, at the time the query was executed | "e-bca5454" |
| actorFirstName | String | Given name of the account that performed the query, at the time the query was executed | "Alice" |
| actorLastName | String | Family name of the account that performed the query, at the time the query was executed | "Glick" |
| actorTags | Object | Tags of the account accessed, at the time the query was executed | { "tag1": "val1", "tag2": "val2" } |
| authenticationId | String | Authentication of the account associated with this query | "auth-0000000000000001" |
| authz | Object | Authorization metadata from the policy evaluation associated with this query; only included for Enterprise organizations that have a policy in place that this event triggered | See the Policy Info in Logs section for details. |
| clientCommand | String | Command executed on the client for a Kubernetes session. | "kubectl describe pods" |
| clientIP | String | IP address the query was performed from, as detected at the StrongDM control plane | "1.11.222.333" |
| command | String | Command executed over an SSH or Kubernetes session | "echo hi" |
| container | String | Target container of a Kubernetes operation | "nginx" |
| durationMs | Integer | Duration of the query in milliseconds | 200 |
| egressNodeID | String | Unique ID of the node through which the resource was accessed | "n-56988fae64a73652" |
| formatVersion | String | Version of the log format | "v1.0.0" |
| hash | String | Hash of the body of the query | "0da22222ba9b212ecfed33a17147c466ae0929fb" |
| headers | Object | HTTP headers of a Kubernetes operation | { "header1": "value1", "header2": "value2" } |
| identityAlias | String | Username of the IdentityAlias used to access the resource | "alice.glick" |
| isShell | Boolean | Whether the query was executed in a shell | false |
| logType | String | Type of log, always "queries" for query logs | "queries" |
| metadata | JSON string | Unique session identifier used on the server side to track the user's session in which the query was performed | {"SessionID":"54","SessionStartTime":"2025-06-05 08:42:26.255868 +0000 UTC"} |
| pod | String | Target pod of a Kubernetes operation | "kube-dns-v20-8gsbl" |
| query | String | Captured content of the query; for queries against SSH, Kubernetes, and RDP resources, this contains a JSON representation of the QueryCapture | "select name from users" |
| queryCategory | String | General category of resource against which query was performed | "k8s", "queries" (datasources), "rdp", "ssh", "web", "cloud", "all" |
| requestBody | String | HTTP request body of a Kubernetes operation | |
| requestMethod | String | HTTP request method of a Kubernetes operation | |
| requestURI | String | HTTP request URI of a Kubernetes operation | |
| resourceID | String | Unique identifier of the resource against which the query was performed | "r-1caa595464152e78" |
| resourceName | String | Name of the resource accessed, at the time the query was executed | "MySQL" |
| resourceTags | Object | Tags of the resource accessed, at the time the query was executed | {"env": "dev"} |
| resourceType | String | Specific type of resource against which query was performed | "mysql" |
| rowCount | Integer | Number of records returned by the query, for a database resource | 18 |
| sdmOrgId | String | Organization identifier of the organization that emitted the event represented in the log | "o-6dce5b5663c12e6b" |
| sourceIP | String | IP address the query was performed from, as detected at the ingress gateway; will be an internal address if the gateway is on the same local network or VPN as the client | "1.11.222.333" |
| target | String | Target destination of the query, in host:port format | "3.33.222.111:5432" |
| timestamp | String | Time at which the query was started, formatted as datetime | "2024-08-01T13:13:20.895597162Z" |
| uuid | String | Unique identifier of the query | "0CEGCEGCEGCEGCEGCEGCE1234ceg" |
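An added example (not StrongDM's code) of consuming these fields for review: it decodes the `metadata` JSON string to group queries by actor and `SessionID`, then flags shell sessions and large `rowCount` values. It assumes events arrive as one JSON object per line; the sample events, IDs and the `max_rows` threshold are constructed for illustration.

```python
import json
from collections import defaultdict

def _event(meta, **fields):
    """Serialize a constructed event; metadata becomes a JSON string, as in the field table."""
    return json.dumps({"logType": "queries", "metadata": json.dumps(meta), **fields})

# Constructed sample stream. One JSON object per line is an assumption about delivery.
SAMPLE_LINES = [
    _event({"SessionID": "54"}, uuid="q-1", actorAccountID="a-01", queryCategory="queries",
           query="select name from users", rowCount=18, isShell=False),
    _event({"SessionID": "54"}, uuid="q-2", actorAccountID="a-01", queryCategory="queries",
           query="select * from users", rowCount=250000, isShell=False),
    _event({"SessionID": "7"}, uuid="q-3", actorAccountID="a-02", queryCategory="ssh",
           command="echo hi", isShell=True),
    '{"logType": "not-queries"}',  # constructed non-query record: skipped
    "not json",                    # corrupt line: skipped
]

def parse_queries(lines):
    """Yield query events with metadata decoded from its JSON string into a dict."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("logType") != "queries":
            continue
        meta = ev.get("metadata")
        if isinstance(meta, str):  # documented type is "JSON string": decode a second time
            try:
                meta = json.loads(meta)
            except json.JSONDecodeError:
                meta = None
        ev["metadata"] = meta if isinstance(meta, dict) else {}
        yield ev

def review(lines, max_rows=10000):
    """Return (rows returned per actor/session, uuids of events to look at)."""
    rows, flagged = defaultdict(int), []
    for ev in parse_queries(lines):
        key = (ev.get("actorAccountID"), ev["metadata"].get("SessionID"))
        rows[key] += ev.get("rowCount") or 0  # rowCount is only set for database resources
        if (ev.get("rowCount") or 0) > max_rows or ev.get("isShell") is True:
            flagged.append(ev.get("uuid"))
    return dict(rows), flagged
```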