Scaling Privileged Access for Modern Infrastructure: Real-World Insights
Apr 25
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Fork me on GitHub

Teleport

Desktop Access Audit Events Reference

Version 15.x

windows.desktop.session.start (TDP00I/W)

Emitted when a client successfully connects to a desktop or when a connection attempt fails because access was denied.

Successful connection event:

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP00I",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "ei": 0,
  "event": "windows.desktop.session.start",
  "login": "administrator",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true,
  "time": "2022-02-16T16:43:30.459Z",
  "uid": "1605346b-d90b-4df7-8148-67a3e2d85673",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

Access denied event:

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP00W",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "ei": 0,
  "error": "access to desktop denied", // Connection error
  "event": "windows.desktop.session.start",
  "message": "access to desktop denied", // Detailed error message.
  "login": "administrator",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": false, // Indicates unsuccessful connection
  "time": "2022-02-16T16:43:30.459Z",
  "uid": "1605346b-d90b-4df7-8148-67a3e2d85673",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

windows.desktop.session.end (TDP01I)

Emitted when a client disconnects from the desktop.

{
  "cluster_name": "root",
  "code": "TDP01I",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "desktop_name": "WIN-I44F9TN11M3-teleport-example-com",
  "ei": 0,
  "event": "windows.desktop.session.end",
  "login": "administrator",
  "participants": ["alice"],
  "recorded": true,
  "session_start": "2022-02-16T16:43:30.459Z",
  "session_stop": "2022-02-16T16:46:50.894Z",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:46:50.895Z",
  "uid": "c7956a81-597f-4452-90d7-800506f7a05b",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

desktop.clipboard.send (TDP02I)

Emitted when clipboard data is sent from a user's workstation to Teleport. In order to avoid capturing sensitive data, the event only records the number of bytes that were sent.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP02I",
  "desktop_addr": "192.168.1.206:3389",
  "ei": 0,
  "event": "desktop.clipboard.send",
  "length": 4, // number of bytes sent
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:43:40.010217Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.clipboard.receive (TDP03I)

Emitted when Teleport receives clipboard data from a remote desktop. In order to avoid capturing sensitive data, the event only records the number of bytes that were received.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP03I",
  "desktop_addr": "192.168.1.206:3389",
  "ei": 0,
  "event": "desktop.clipboard.receive",
  "length": 4, // number of bytes received
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:43:40.010217Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.share (TDP04I/W)

Emitted when Teleport starts sharing a directory on a local machine to the remote desktop.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP04I", // TDP04W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.share",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.read (TDP05I/W)

This event is part of the directory sharing feature, and is emitted when Teleport reads data from a file on the user's local machine and sends it to the remote Windows desktop.

In order to avoid capturing sensitive data, the event only records the offset from the start of the file from which the read began and the number of bytes that were sent.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP05I", // TDP05W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.read",
  "file_path": "powershell-scripts/a-script.ps1", // relative path from the root of the shared directory (local-files in this case)
  "length": 734, // the number of bytes read
  "offset": 0, // the offset from the start of the file from which the read began
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.write (TDP06I/W)

This event is part of the directory sharing feature, and is emitted when Teleport reads writes from the remote desktop to a file on the user's local machine.

In order to avoid capturing sensitive data, the event only records the offset from the start of the file from which the write began and the number of bytes that were written.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP06I", // TDP06W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.read",
  "file_path": "powershell-scripts/a-script.ps1", // relative path from the root of the shared directory (local-files in this case)
  "length": 734, // the number of bytes written
  "offset": 0, // the offset from the start of the file from which the write began
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}