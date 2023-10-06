Version: 18.x

On this page

Database Access Audit Events Reference Report an issue with this page

You can view database session activity in the audit log. After a session is uploaded, you can play back the audit data with the tsh play command.

Database session ID will be in a UUID format (ex: 307b49d6-56c7-4d20-8cf0-5bc5348a7101 ) See the audit log to get a database session ID with a key of sid .

PostgreSQL database recordings are available in interactive format:

tsh play 307b49d6-56c7-4d20-8cf0-5bc5348a7101 Session started to database "postgres-database" at Mon Jul 20 20:00 UTC

postgres=> SELECT * FROM products; SUCCESS (10 rows affected)

postgres=> INSERT INTO products (name, price) VALUES ('Phone', 150.00); ERROR: permission denied for table products (SQLSTATE 42501)

Session ended at Mon Jul 20 20:30 UTC

All database protocols recordings are supported in JSON format ( --format json ):

tsh play --format json 307b49d6-56c7-4d20-8cf0-5bc5348a7101

{ "cluster_name" : "teleport.example.com" , "code" : "TDB02I" , "db_name" : "example" , "db_origin" : "dynamic" , "db_protocol" : "postgres" , "db_query" : "select * from sample;" , "db_roles" : [ "access" ] , "db_service" : "example" , "db_type" : "rds" , "db_uri" : "databases-1.us-east-1.rds.amazonaws.com:5432" , "db_user" : "alice" , "ei" : 2 , "event" : "db.session.query" , "sid" : "307b49d6-56c7-4d20-8cf0-5bc5348a7101" , "success" : true , "time" : "2023-10-06T10:58:32.88Z" , "uid" : "a649d925-9dac-44cc-bd04-4387c295580f" , "user" : "alice" }

The audit log is viewable under Audit in the left-hand pane via the Web UI for users with permission to the event resources. Database sessions are listed on the session recordings page, but only PostgreSQL sessions are playable.

Emitted when a client successfully connects to a database, or when a connection attempt fails due to access denied.

Successful connection event:

{ "cluster_name" : "root" , "code" : "TDB00I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 0 , "event" : "db.session.start" , "namespace" : "default" , "server_id" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e" , "sid" : "63b6fa11-cd44-477b-911a-602b75ab13b5" , "success" : true , "time" : "2021-04-27T23:00:26.014Z" , "uid" : "eac5b6c8-384a-4471-9559-e135834b1ab0" , "user" : "alice" }

Access denied event:

{ "cluster_name" : "root" , "code" : "TDB00W" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "superuser" , "ei" : 0 , "error" : "access to database denied" , "event" : "db.session.start" , "message" : "access to database denied" , "namespace" : "default" , "server_id" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e" , "sid" : "d18388e5-cc7c-4624-b22b-d36db60d0c50" , "success" : false , "time" : "2021-04-27T23:03:05.226Z" , "uid" : "507fe008-99a4-4247-8603-6ba03408d047" , "user" : "alice" }

Emitted when a client disconnects from the database.

{ "cluster_name" : "root" , "code" : "TDB01I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 3 , "event" : "db.session.end" , "sid" : "63b6fa11-cd44-477b-911a-602b75ab13b5" , "time" : "2021-04-27T23:00:30.046Z" , "uid" : "a626b22d-bbd0-40ef-9896-b7ff365664b0" , "user" : "alice" }

Emitted when a client executes a SQL query.

{ "cluster_name" : "root" , "code" : "TDB02I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_query" : "INSERT INTO public.test (id,\"timestamp\",json)

\tVALUES ($1,$2,$3)" , "db_query_parameters" : [ "test-id" , "2022-04-02 17:50:20-07" , "{\"k\": \"v\"}" ] , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 29 , "event" : "db.session.query" , "sid" : "691e6f70-3c31-4412-90aa-fe0558abb212" , "time" : "2021-04-27T23:04:57.395Z" , "uid" : "9f7b4179-b9cf-4302-bb7c-1408e404823f" , "user" : "alice" }

Emitted when a client executes a remote procedure call (RPC), or when an RPC execution attempt fails due to access denied.