# Send Local Logs to S3

{% hint style="info" %}
If you are interested in streaming logs to an S3 bucket, the [Log Stream](https://docs.strongdm.com/admin/audit/logs/log-stream) functionality is a more streamlined solution for that need.
{% endhint %}

**Scenario:** You want to save gateway/relay logs to an Amazon S3 bucket. This guide presents a simple method to send all gateway/relay logs to S3.

{% hint style="info" %}
As with all gateway/relay logs, the logs stored on the gateway/relay do not include Admin UI activities, which can be accessed via the `sdm audit activities` command. The following script includes an additional step to run that command and export those logs concurrently.
{% endhint %}

### Set up the Export

1. Enable relay logging in the Admin UI under **Settings** > **Security** within the **Log Encryption & Storage** tab. Ensure logging is set to STDOUT.
2. Create an [admin token](https://docs.strongdm.com/admin/principals/admin-tokens) with only the **Audit > Activities** permission. Save this token to add to the script in step 5.
3. From the AWS IAM Dashboard, go to Access management > Users. On the Security credentials tab for the user, generate an AWS access key and AWS secret access key.
4. Ensure the gateway or relay has the `aws-cli` tools installed.
5. Save the following script as `s3export.sh`. This script exports in 15-minute intervals; to export more or less frequently, change the `FROMTIME` and `TOTIME` variables.

   ```bash
   #!/bin/bash
   # this script holds credentials and is run by root from cron:
   # keep it owned by root and not readable or writable by other users

   # year, month, day, hour, minute timestamp
   TIMESTAMP=$(date +'%Y%m%d%H%M')
   # to prevent overlapping records, do 16 min ago to 1 min ago
   FROMTIME=$(date --date="16 minutes ago" +'%Y-%m-%d %H:%M:%S')
   TOTIME=$(date --date="1 minutes ago" +'%Y-%m-%d %H:%M:%S')
   # this token needs only audit/activities permission
   export SDM_ADMIN_TOKEN=[token]
   S3NAME=strongdm-log-$TIMESTAMP.gz
   S3ACTIVITIESNAME=strongdm-activities-$TIMESTAMP.gz
   S3PATH=s3://bucket/path/to/logs # no trailing slash
   # ensure AWS environment variables are in place
   export AWS_ACCESS_KEY_ID=[token]
   export AWS_SECRET_ACCESS_KEY=[token]

   # export the gateway/relay logs written by the sdm-proxy unit
   journalctl -q -o cat --since "$FROMTIME" --until "$TOTIME" -u sdm-proxy | \
   gzip | aws s3 cp - "$S3PATH/$S3NAME"

   # export the Admin UI activities for the same window
   sdm audit activities --from "$FROMTIME" --to "$TOTIME" | \
   gzip | aws s3 cp - "$S3PATH/$S3ACTIVITIESNAME"
   ```
6. Add the following line to `/etc/crontab`. If you changed the export interval above, change the cron interval here to match.

   ```
   0,15,30,45 * * * * root /home/ubuntu/s3export.sh
   ```
7. Verify that files are being generated every 15 minutes in your S3 bucket.
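
One way to automate the check in step 7, as an added example that is not part of the original guide: the hypothetical `missing_slots` function below reads `aws s3 ls` output and reports every 15-minute slot of a given day that has no object or only an empty one. It assumes the object names and the `0,15,30,45` cron schedule from the script above; the sample listing is constructed.

```shell
#!/bin/bash
# Added example, not part of the original guide. Assumes the object names
# (strongdm-log-YYYYMMDDHHMM.gz, strongdm-activities-YYYYMMDDHHMM.gz) and the
# 0,15,30,45 cron schedule shown above.

# missing_slots PREFIX DAY [UPTO]
#   PREFIX  strongdm-log or strongdm-activities
#   DAY     day to check, YYYYMMDD (local time of the gateway/relay)
#   UPTO    optional HHMM; later slots are not expected yet (default 2345)
# Reads `aws s3 ls` output on stdin ("<date> <time> <size> <key>") and prints
# "missing <slot>" for a slot with no object and "empty <slot>" for an object
# of 20 bytes or less (20 bytes is what gzip writes for empty input, so either
# nothing was logged in that window or the export command produced no output).
missing_slots() {
  local prefix=$1 day=$2 upto=${3:-2345}
  awk -v prefix="$prefix" -v day="$day" -v upto="$upto" '
    # Keep only keys of the form PREFIX-<DAY>HHMM.gz; remember size per HHMM.
    $4 ~ ("^" prefix "-" day "[0-9][0-9][0-9][0-9]\\.gz$") {
      size[substr($4, length(prefix) + length(day) + 2, 4)] = $3
    }
    END {
      for (h = 0; h < 24; h++)
        for (m = 0; m < 60; m += 15) {
          slot = sprintf("%02d%02d", h, m)
          if (slot + 0 > upto + 0) continue
          if (!(slot in size)) print "missing", day slot
          else if (size[slot] + 0 <= 20) print "empty", day slot
        }
    }'
}

# Constructed sample listing (not real bucket contents): the 00:30 log export
# is absent and the 00:45 log export is an empty gzip stream.
SAMPLE_LISTING='2024-05-01 00:00:04       5120 strongdm-log-202405010000.gz
2024-05-01 00:15:03       4876 strongdm-log-202405010015.gz
2024-05-01 00:45:03         20 strongdm-log-202405010045.gz
2024-05-01 00:45:05        912 strongdm-activities-202405010045.gz'

printf '%s\n' "$SAMPLE_LISTING" | missing_slots strongdm-log 20240501 0045

# Against the real bucket (S3PATH as in s3export.sh):
#   aws s3 ls "$S3PATH/" | missing_slots strongdm-log "$(date +%Y%m%d)" "$(date +%H%M)"
```

A gap in the audit trail is worth an alert of its own, so the output of this check can be fed to whatever monitoring already watches the gateway or relay.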

### Extract SSH Captures From Exported Logs

If your organization needs to extract captured SSH sessions from your exported activity logs, see [View Logs from the CLI](https://docs.strongdm.com/admin/audit/logs/view-cli) for more information.


