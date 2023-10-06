Database Access Audit Events Reference
You can view database session activity in the audit log.
After a session is uploaded, you can play back the audit data
with the
tsh play command.
Database session ID will be in a UUID format (ex:
307b49d6-56c7-4d20-8cf0-5bc5348a7101)
See the audit log to get a database session ID with a key of
sid.
PostgreSQL database recordings are available in interactive format:
tsh play 307b49d6-56c7-4d20-8cf0-5bc5348a7101Session started to database "postgres-database" at Mon Jul 20 20:00 UTC
postgres=> SELECT * FROM products;SUCCESS(10 rows affected)
postgres=> INSERT INTO products (name, price) VALUES ('Phone', 150.00);ERROR: permission denied for table products (SQLSTATE 42501)
Session ended at Mon Jul 20 20:30 UTC
All database protocols recordings are supported in JSON format (
--format json):
tsh play --format json 307b49d6-56c7-4d20-8cf0-5bc5348a7101
{
"cluster_name": "teleport.example.com",
"code": "TDB02I",
"db_name": "example",
"db_origin": "dynamic",
"db_protocol": "postgres",
"db_query": "select * from sample;",
"db_roles": [
"access"
],
"db_service": "example",
"db_type": "rds",
"db_uri": "databases-1.us-east-1.rds.amazonaws.com:5432",
"db_user": "alice",
"ei": 2,
"event": "db.session.query",
"sid": "307b49d6-56c7-4d20-8cf0-5bc5348a7101",
"success": true,
"time": "2023-10-06T10:58:32.88Z",
"uid": "a649d925-9dac-44cc-bd04-4387c295580f",
"user": "alice"
}
The audit log is viewable under Audit in the left-hand pane via the Web UI
for users with permission to the
event resources. Database sessions are listed
on the session recordings page, but only PostgreSQL sessions are playable.
db.session.start (TDB00I/W)
Emitted when a client successfully connects to a database, or when a connection attempt fails due to access denied.
Successful connection event:
{
"cluster_name": "root", // Teleport cluster name.
"code": "TDB00I", // Event code.
"db_name": "test", // Database/schema name.
"db_protocol": "postgres", // Database protocol.
"db_service": "local", // Database service name.
"db_uri": "localhost:5432", // Database server endpoint.
"db_user": "postgres", // Database account name.
"ei": 0, // Event index within the session.
"event": "db.session.start", // Event name.
"namespace": "default", // Event namespace, always "default".
"server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e", // Database Service host ID.
"sid": "63b6fa11-cd44-477b-911a-602b75ab13b5", // Unique database session ID.
"success": true, // Indicates successful connection.
"time": "2021-04-27T23:00:26.014Z", // Event timestamp.
"uid": "eac5b6c8-384a-4471-9559-e135834b1ab0", // Unique event ID.
"user": "alice" // Teleport user name.
}
Access denied event:
{
"cluster_name": "root", // Teleport cluster name.
"code": "TDB00W", // Event code.
"db_name": "test", // Database/schema name user attempted to connect to.
"db_protocol": "postgres", // Database protocol.
"db_service": "local", // Database service name.
"db_uri": "localhost:5432", // Database server endpoint.
"db_user": "superuser", // Database account name user attempted to log in as.
"ei": 0, // Event index within the session.
"error": "access to database denied", // Connection error.
"event": "db.session.start", // Event name.
"message": "access to database denied", // Detailed error message.
"namespace": "default", // Event namespace, always "default".
"server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e", // Database Service host ID.
"sid": "d18388e5-cc7c-4624-b22b-d36db60d0c50", // Unique database session ID.
"success": false, // Indicates unsuccessful connection.
"time": "2021-04-27T23:03:05.226Z", // Event timestamp.
"uid": "507fe008-99a4-4247-8603-6ba03408d047", // Unique event ID.
"user": "alice" // Teleport user name.
}
db.session.end (TDB01I)
Emitted when a client disconnects from the database.
{
"cluster_name": "root", // Teleport cluster name.
"code": "TDB01I", // Event code.
"db_name": "test", // Database/schema name.
"db_protocol": "postgres", // Database protocol.
"db_service": "local", // Database service name.
"db_uri": "localhost:5432", // Database server endpoint.
"db_user": "postgres", // Database account name.
"ei": 3, // Event index within the session.
"event": "db.session.end", // Event name.
"sid": "63b6fa11-cd44-477b-911a-602b75ab13b5", // Unique database session ID.
"time": "2021-04-27T23:00:30.046Z", // Event timestamp.
"uid": "a626b22d-bbd0-40ef-9896-b7ff365664b0", // Unique event ID.
"user": "alice" // Teleport user name.
}
db.session.query (TDB02I)
Emitted when a client executes a SQL query.
{
"cluster_name": "root", // Teleport cluster name.
"code": "TDB02I", // Event code.
"db_name": "test", // Database/schema name.
"db_protocol": "postgres", // Database protocol.
"db_query": "INSERT INTO public.test (id,\"timestamp\",json)\n\tVALUES ($1,$2,$3)", // Query text.
"db_query_parameters": [ // Query parameters (for prepared statements).
"test-id",
"2022-04-02 17:50:20-07",
"{\"k\": \"v\"}"
],
"db_service": "local", // Database service name.
"db_uri": "localhost:5432", // Database server endpoint.
"db_user": "postgres", // Database account name.
"ei": 29, // Event index within the session.
"event": "db.session.query", // Event name.
"sid": "691e6f70-3c31-4412-90aa-fe0558abb212", // Unique database session ID.
"time": "2021-04-27T23:04:57.395Z", // Event timestamp.
"uid": "9f7b4179-b9cf-4302-bb7c-1408e404823f", // Unique event ID.
"user": "alice" // Teleport user name.
}
db.session.spanner.rpc (TSPN001I/W)
Emitted when a client executes a remote procedure call (RPC), or when an RPC execution attempt fails due to access denied.
{
"args": { // RPC arguments (specific to the "procedure" below).
"query_options": {},
"request_options": {},
"seqno": 1,
"session": "projects/project-id/instances/instance-id/databases/dev-db/sessions/ABCDEF1234567890",
"sql": "select * from TestTable",
"transaction": {
"Selector": {
"SingleUse": {
"Mode": {
"ReadOnly": {
"TimestampBound": {
"Strong": true
},
"return_read_timestamp": true
}
}
}
}
}
},
"cluster_name": "root", // Teleport cluster name.
"code": "TSPN001I", // Event code.
"db_name": "dev-db", // Database name.
"db_origin": "dynamic", // Teleport database service config origin.
"db_protocol": "spanner", // Database protocol.
"db_service": "teleport-spanner", // Database service name.
"db_type": "spanner", // Database type.
"db_uri": "spanner.googleapis.com:443", // Database service endpoint.
"db_user": "some-user", // Database account name, (a GCP IAM service account name without its @<project>.iam.gserviceaccount.com suffix).
"ei": 29, // Event index within the session.
"event": "db.session.spanner.rpc", // Event name.
"procedure": "ExecuteStreamingSql", // Name of the remote procedure call (RPC).
"sid": "406b9883-0e16-42f2-9d0b-b3bd956f9cd4", // Unique database session ID.
"success": true, // The RPC was allowed by Teleport RBAC.
"time": "2024-03-13T00:02:44.739Z", // Event timestamp.
"uid": "e0625e79-9399-4ea3-aa8b-dba1eb98658d", // Unique event ID.
"user": "[email protected]" // Teleport user name.
}