Regularly Export Queries

Scenario: You want to export admin queries from your organization on a daily basis. This document explains how to do this by leveraging the sdm audit functionality to retrieve a list of queries and write them to a daily log file.

Writing your own daily log can be especially important if you intend to store logs long-term. If you store logs with StrongDM, they are retained for a period of 13 months. If you write to your own log files, you can store them indefinitely or according to your own policies. See our retention policy for more information.

Initial Setup

We recommend creating a new Linux system user with restricted permissions to run the daily audit. In this example, sdm is used.

Download and install the StrongDM client on Linux.

You do not need to log into the Client. The admin token will serve as authentication.

Create an Admin Token

To create an admin token, sign into the StrongDM Admin UI and go to Principals > Tokens. From there, you can create an admin token with the specific rights you require. In this case, you only need the Audit > Queries permission.

After you click Create, a dialog displays with the admin token. Copy the token, and save it for later use in /etc/sdm-admin.token in the format SDM_ADMIN_TOKEN=<YOUR_TOKEN>.

This file must be owned by your user.

chown sdm:sdm /etc/sdm-admin.token

Example Log Archiver Script

Here is an example log archiver script that, in the next step, is set up to run nightly. In this example, we store this script in /opt/strongdm/bin/.

sudo mkdir -p /opt/strongdm/bin/
sudo mkdir -p /var/log/sdm/
sudo tee "/opt/strongdm/bin/log-archiver.sh" > /dev/null <<'EOT'
#!/bin/bash

START=$(date -d "yesterday 00:00" '+%Y-%m-%d 00:00:00')
FN=$(date -d "yesterday 00:00" '+%Y-%m-%d')
END=$(date -d "today 00:00" '+%Y-%m-%d 00:00:00')
TARGET=/var/log/sdm

/opt/strongdm/bin/sdm audit queries --from "$START" --to "$END" >> "$TARGET/queries.$FN"
EOT
sudo chown sdm:sdm /var/log/sdm /opt/strongdm/ /opt/strongdm/bin/ /opt/strongdm/bin/log-archiver.sh
sudo chmod +x /opt/strongdm/bin/log-archiver.sh

Set up a systemd service and timer

This systemd service definition runs the script daily at the time that systemctl is configured to run daily services.

sudo tee "/etc/systemd/system/log-archiver.service" > /dev/null <<'EOT'
[Unit]
Description=SDM log archiver

[Service]
Type=oneshot
EnvironmentFile=/etc/sdm-admin.token
ExecStart=/opt/strongdm/bin/log-archiver.sh
User=sdm
EOT

sudo tee "/etc/systemd/system/log-archiver.timer" > /dev/null <<'EOT'
[Unit]
Description=Run log archiver daily
Requires=log-archiver.service

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOT

Activate the timer

Execute the following to activate the timer:

sudo systemctl daemon-reload
sudo systemctl enable log-archiver.timer
sudo systemctl start log-archiver.timer

Last updated 14 days ago

Was this helpful?

hashtagInitial Setup

hashtagCreate an Admin Token

hashtagExample Log Archiver Script

hashtagSet up a systemd service and timer

hashtagActivate the timer

Initial Setup

Create an Admin Token

Example Log Archiver Script

Set up a systemd service and timer

Activate the timer