Audit Logs
Sync Type: Incremental
Overview
The Teleport Audit Logs input collects comprehensive audit trail data from your Teleport cluster, providing visibility into security events, user activities, and system changes. This integration captures detailed logs including user logins, access requests, Kubernetes API calls, application access events, RBAC changes, and failed authentication attempts.
Authentication
This integration uses Teleport's native mTLS authentication via identity files. The identity file contains:
- Private key for authentication
- Signed TLS certificate for the Auth Service
- Signed SSH certificate for tunnel connections
- CA certificates for server verification
The credentials are automatically used to establish a secure gRPC connection to the Teleport Auth Service.
Prerequisites
1. Teleport Cluster Access
You must have access to a Teleport cluster with appropriate permissions to create users, roles, and generate identity files. Administrative access via tctl is required for setup.
Important Security Note: The identity file contains private keys and certificates that grant access to your Teleport cluster. Treat this file as a sensitive credential, store it securely, and follow the principle of least privilege when assigning roles.
2. tctl and tsh clients
You must have the tctl and tsh CLI clients installed to generate the identity file that this input requires.
Identity File Setup
1. Create a user.
This command creates a user named api-admin with the editor role:
tctl users add api-admin --roles=editor
2. Create a session.
tsh login --user=api-admin --proxy=tele.example.com
This command prompts for your Teleport user's password and two-factor authentication code (if set up).
3. Generate the Identity File
Generate an identity file for the api-admin user. The --ttl flag specifies how long the credentials are valid:
tctl auth sign --user=api-admin --out=identity --ttl=8760h
This creates an identity file in your current directory. The example above sets a TTL of 1 year (8760 hours). Adjust based on your security requirements and cluster policies.
4. Retrieve Your Proxy Address
Your Teleport proxy address can be found by running:
tsh status
Look for the Profile URL field. The proxy address should include the port (typically :443), for example: teleport.example.com:443.
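The security note above asks for least privilege, while step 1 assigns the preset editor role, which also permits changes to cluster configuration. As an added example (not from the original page or the integration's own configuration), a narrower role for this collector could look like the following; the role name audit-log-reader is hypothetical, and it is an assumption that the input needs only list and read access to audit events.

```yaml
# Added example: read-only access to the audit log for the collector user.
# The role name "audit-log-reader" is hypothetical.
kind: role
version: v5
metadata:
  name: audit-log-reader
spec:
  allow:
    rules:
      # Audit events only; no rights to create or modify users, roles,
      # or other cluster resources (assumption: the input needs no more).
      - resources: ['event']
        verbs: ['list', 'read']
```

Create the role with tctl create -f, then pass --roles=audit-log-reader in step 1 in place of editor. Because this role cannot issue certificates, step 3 then has to be run by an administrator.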
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Domain | string | true | Your Teleport proxy address including port (e.g., teleport.example.com:443) |
| Backfill Start Time | string | false | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Setting | Type | Required | Description |
|---|---|---|---|
| Identity Secret | string | true | The complete contents of the identity file generated by tctl auth sign |
Sample Record
{
"cluster_name":"test.teleport-test.sh",
"code":"T543I",
"ei":0,
"event":"account.settings.updated",
"expires":"0001-01-01T00:00:00Z",
"name":"admin",
"time":"2025-12-02T07:14:36Z",
"uid":"f1d66612-8f98-df5c-a9a0-724daf43a08e",
"user":"system"
}