# Regularly Export Activities

**Scenario**: You want to export admin activities from your organization on a regular basis. This document explains how to do this by leveraging the `sdm audit` functionality to retrieve a list of activities every five minutes and write them to a JSON file. A separate tool can then import these files into a log aggregator or SIEM.

### Initial Setup

We recommend creating a new Linux system user with restricted permissions to run the audit. In this example, we use `sdm`. First, download and install the StrongDM client on [Linux](/users/client/linux.md).

{% hint style="info" %}
You do not need to log in to the SDM client. The admin token serves as authentication.
{% endhint %}

### Create an Admin Token

To create an admin token, sign into the StrongDM Admin UI and go to **Principals** > **Tokens**. From there you can create an admin token with the specific rights you require—in this case, only the **Audit > Activities** permission.

After you click **Create**, a dialog displays the admin token. Copy the token, and save it for later use in `/etc/sdm-admin.token` in the format `SDM_ADMIN_TOKEN=<YOUR_TOKEN>`.

This file must be owned by your user.

```bash
chown sdm:sdm /etc/sdm-admin.token
```

For more details on creating admin tokens, see [Create Admin Tokens](/admin/principals/admin-tokens.md).

### Example Activity Export Script

Here is an example activity export script, which the next step sets up to run periodically. The script is really just one command; it is written as a script for clarity, but if you prefer you can insert just the `sdm audit...` command directly into `crontab`.

{% hint style="info" %}
Check whether `date` can take the `-d` format in your OS; some versions use `-v` instead.
{% endhint %}

```bash
#!/bin/bash
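# Load the token saved earlier as SDM_ADMIN_TOKEN=<YOUR_TOKEN> instead of embedding it in this script
source /etc/sdm-admin.token
export SDM_ADMIN_TOKEN
START=$(date -d "5 minutes ago" '+%Y-%m-%dT%H:%M:00') # start of audit slice, defaulting to 5 minutes ago
FN=$(date -d "5 minutes ago" '+%Y%m%d%H%M') # start-of-slice timestamp appended to the output filename, so each run writes its own file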
END=$(date '+%Y-%m-%dT%H:%M:00') # end of audit slice, defaulting to now, at the top of the minute
TARGET=/var/log/sdm # location where JSON files are written

/opt/strongdm/bin/sdm audit activities --from "$START" --to "$END" -j > "$TARGET/activities.$FN.json"
```

### Add Crontab Entry

Most Linux systems have locations for scripts that run daily, weekly, and so on, but this script exports five-minute slices and so needs to run every five minutes. The simplest option is to place it directly into the crontab file for a user or for the system.

Add this line to the crontab of your choice, modifying the interval to match what you set in the script:

```bash
*/5 * * * * /path/to/script.sh
```
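
The following is an added variant of the export script, not StrongDM's own code. It floors each slice to a five-minute boundary, so a cron run that starts late neither skips nor repeats activities, and it writes each file via a temporary file and rename. The function names, the `run` argument, and the temp-file naming are assumptions for illustration; the paths and the `sdm audit activities` invocation are taken from the script above.

```bash
#!/bin/bash
# Added example, not StrongDM's script: boundary-aligned, gap-free export slices.
SLICE=300                        # slice length in seconds; must match the */5 cron interval
SDM=/opt/strongdm/bin/sdm        # client path from the script above
TOKEN_FILE=/etc/sdm-admin.token  # file holding SDM_ADMIN_TOKEN=<YOUR_TOKEN>
TARGET=/var/log/sdm              # location where JSON files are written

# Format epoch $1 with format $2 in local time.
# GNU and BusyBox date accept -d @N; BSD/macOS date uses -r N instead.
fmt_epoch() {
  if date -d "@0" >/dev/null 2>&1; then date -d "@$1" "+$2"; else date -r "$1" "+$2"; fi
}

# Print "START END FN" for the last complete slice ending at or before epoch $1.
# Flooring to a multiple of SLICE means a run that starts late still requests
# exactly the window that follows the previous run's window.
slice_bounds() {
  local end start
  end=$(( $1 - $1 % $SLICE ))
  start=$(( $end - $SLICE ))
  echo "$(fmt_epoch "$start" %Y-%m-%dT%H:%M:%S) $(fmt_epoch "$end" %Y-%m-%dT%H:%M:%S) $(fmt_epoch "$start" %Y%m%d%H%M)"
}

# Export one slice to a temp file, then rename it, so an importer that
# watches TARGET never picks up a partially written JSON file.
export_slice() {
  local start end fn tmp
  set -- $(slice_bounds "$(date +%s)")   # split "START END FN" into $1 $2 $3
  start=$1 end=$2 fn=$3
  umask 077                              # exported activity logs readable by the owner only
  set -a; . "$TOKEN_FILE"; set +a        # export SDM_ADMIN_TOKEN from the token file
  tmp=$(mktemp "$TARGET/.activities.$fn.XXXXXX") || return 1
  if "$SDM" audit activities --from "$start" --to "$end" -j > "$tmp"; then
    mv "$tmp" "$TARGET/activities.$fn.json"
  else
    rm -f "$tmp"; return 1               # drop the partial output and report failure
  fi
}

# Assumption: the cron entry passes "run"; without it the file only defines functions.
if [ "${1:-}" = "run" ]; then export_slice; fi
```

With this variant the crontab line becomes `*/5 * * * * /path/to/script.sh run`.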


