Teleport 15 Unveiled: Elevating Access and Security Across Infrastructure
Feb 21
Virtual
Register Today
Teleport logoTry For Free
Fork me on GitHub

Teleport

Database Access Audit Events Reference

  • Available for:
  • OpenSource
  • Team
  • Cloud
  • Enterprise

You can view database session activity in the audit log. After a session is uploaded, you can play back the audit data with the tsh play command.

Database session ID will be in a UUID format (ex: 307b49d6-56c7-4d20-8cf0-5bc5348a7101) See the audit log to get a database session ID with a key of sid.

Example:

tsh play --format json database.session
    {
        "cluster_name": "teleport.example.com",
        "code": "TDB02I",
        "db_name": "example",
        "db_origin": "dynamic",
        "db_protocol": "postgres",
        "db_query": "select * from sample;",
        "db_roles": [
            "access"
        ],
        "db_service": "example",
        "db_type": "rds",
        "db_uri": "databases-1.us-east-1.rds.amazonaws.com:5432",
        "db_user": "alice",
        "ei": 2,
        "event": "db.session.query",
        "sid": "307b49d6-56c7-4d20-8cf0-5bc5348a7101",
        "success": true,
        "time": "2023-10-06T10:58:32.88Z",
        "uid": "a649d925-9dac-44cc-bd04-4387c295580f",
        "user": "alice"
    }

The audit log is viewable in Activity under Management in the Web UI for users with permission to the event resources. Database sessions do not appear in the session recordings page.

db.session.start (TDB00I/W)

Emitted when a client successfully connects to a database, or when a connection attempt fails due to access denied.

Successful connection event:

{
  "cluster_name": "root", // Teleport cluster name.
  "code": "TDB00I", // Event code.
  "db_name": "test", // Database/schema name.
  "db_protocol": "postgres", // Database protocol.
  "db_service": "local", // Database service name.
  "db_uri": "localhost:5432", // Database server endpoint.
  "db_user": "postgres", // Database account name.
  "ei": 0, // Event index within the session.
  "event": "db.session.start", // Event name.
  "namespace": "default", // Event namespace, always "default".
  "server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e", // Database Service host ID.
  "sid": "63b6fa11-cd44-477b-911a-602b75ab13b5", // Unique database session ID.
  "success": true, // Indicates successful connection.
  "time": "2021-04-27T23:00:26.014Z", // Event timestamp.
  "uid": "eac5b6c8-384a-4471-9559-e135834b1ab0", // Unique event ID.
  "user": "alice" // Teleport user name.
}

Access denied event:

{
  "cluster_name": "root", // Teleport cluster name.
  "code": "TDB00W", // Event code.
  "db_name": "test", // Database/schema name user attempted to connect to.
  "db_protocol": "postgres", // Database protocol.
  "db_service": "local", // Database service name.
  "db_uri": "localhost:5432", // Database server endpoint.
  "db_user": "superuser", // Database account name user attempted to log in as.
  "ei": 0, // Event index within the session.
  "error": "access to database denied", // Connection error.
  "event": "db.session.start", // Event name.
  "message": "access to database denied", // Detailed error message.
  "namespace": "default", // Event namespace, always "default".
  "server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e", // Database Service host ID.
  "sid": "d18388e5-cc7c-4624-b22b-d36db60d0c50", // Unique database session ID.
  "success": false, // Indicates unsuccessful connection.
  "time": "2021-04-27T23:03:05.226Z", // Event timestamp.
  "uid": "507fe008-99a4-4247-8603-6ba03408d047", // Unique event ID.
  "user": "alice" // Teleport user name.
}

db.session.end (TDB01I)

Emitted when a client disconnects from the database.

{
  "cluster_name": "root", // Teleport cluster name.
  "code": "TDB01I", // Event code.
  "db_name": "test", // Database/schema name.
  "db_protocol": "postgres", // Database protocol.
  "db_service": "local", // Database service name.
  "db_uri": "localhost:5432", // Database server endpoint.
  "db_user": "postgres", // Database account name.
  "ei": 3, // Event index within the session.
  "event": "db.session.end", // Event name.
  "sid": "63b6fa11-cd44-477b-911a-602b75ab13b5", // Unique database session ID.
  "time": "2021-04-27T23:00:30.046Z", // Event timestamp.
  "uid": "a626b22d-bbd0-40ef-9896-b7ff365664b0", // Unique event ID.
  "user": "alice" // Teleport user name.
}

db.session.query (TDB02I)

Emitted when a client executes a SQL query.

{
  "cluster_name": "root", // Teleport cluster name.
  "code": "TDB02I", // Event code.
  "db_name": "test", // Database/schema name.
  "db_protocol": "postgres", // Database protocol.
  "db_query": "INSERT INTO public.test (id,\"timestamp\",json)\n\tVALUES ($1,$2,$3)", // Query text.
  "db_query_parameters": [ // Query parameters (for prepared statements).
    "test-id",
    "2022-04-02 17:50:20-07",
    "{\"k\": \"v\"}"
  ],
  "db_service": "local", // Database service name.
  "db_uri": "localhost:5432", // Database server endpoint.
  "db_user": "postgres", // Database account name.
  "ei": 29, // Event index within the session.
  "event": "db.session.query", // Event name.
  "sid": "691e6f70-3c31-4412-90aa-fe0558abb212", // Unique database session ID.
  "time": "2021-04-27T23:04:57.395Z", // Event timestamp.
  "uid": "9f7b4179-b9cf-4302-bb7c-1408e404823f", // Unique event ID.
  "user": "alice" // Teleport user name.
}