Audit Logs
Retrieves audit log events from Tailscale for security monitoring and compliance. Audit logs capture all configuration changes, user actions, and administrative events across your Tailscale network.
Sync Type: Incremental
Requirements
Before configuring this input, you need to:
-
Create an OAuth Client — Tailscale OAuth documentation
- Go to the OAuth clients page in the Tailscale admin console
- Click "Generate OAuth client"
- Select the
logs:configuration:readscope - Click "Generate client"
- Copy both the Client ID and Client Secret (the secret will only be shown once)
- Click "Done"
-
Required Permissions:
- OAuth Client with
logs:configuration:readscope - Access to the Tailscale admin console to generate credentials
- OAuth Client with
-
Tailnet ID (required):
- Find your Tailnet ID in the Tailscale admin console under Settings > General
- The Tailnet ID is a unique identifier for your network used by the Tailscale API
- See Tailnet name documentation for more details
Details
Monad uses an incremental sync approach to fetch audit logs from Tailscale. The input tracks the last successfully retrieved timestamp and continues from that point on subsequent syncs.
- Data Retention: Tailscale retains audit logs for up to 90 days
- Time Window: Logs are fetched in 24-hour windows to avoid overwhelming the API
- Backfill Support: You can optionally specify a start date to backfill historical logs (up to 90 days old)
- Deduplication: Events are deduplicated using their event group ID to prevent duplicate records
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| tailnet_id | string | Yes | Your Tailnet ID. Find it in the Tailscale admin console under Settings > General. |
| backfill_start_time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| client_id | string | Yes | Your Tailscale OAuth Client ID. |
| client_secret | string | Yes | Your Tailscale OAuth Client Secret. |
Rate Limits
Tailscale does not publicly document rate limits for the Audit Logs API. The input uses a conservative approach:
| Scope | Limit | Window | Notes |
|---|---|---|---|
| API Requests | Not documented | - | Fetches logs in 24-hour windows with delays between requests |
Source: Tailscale API Documentation
Limitations
- Data Retention: Audit logs are retained for a maximum of 90 days
- Historical Data: Cannot backfill beyond 90 days
- No Official Rate Limits: Tailscale does not publish rate limit specifications; the input uses conservative defaults
Related Articles
Sample Record
{
"eventTime": "2025-01-26T15:30:45Z",
"type": "CONFIG",
"eventGroupID": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"origin": "WEB",
"actor": {
"id": "user123456789abcdefghijklmnop-CNTRL",
"type": "USER",
"loginName": "",
"displayName": "Alice Johnson"
},
"target": {
"id": "policy456789abcdefghijklmnopqrst-CNTRL",
"name": "Device Authorization Policy",
"type": "POLICY"
},
"action": "UPDATE"
}