The Access Monitoring event reference includes a list of Access Monitoring events that you can query and view in reports, along with examples of `tctl` commands you can run to query each event.

Access Monitoring tracks a subset of Teleport audit events that are relevant to identifying unusual access patterns. To view a comprehensive set of events, visit the Investigate view of Teleport Identity Security. For a reference of all audit events you can track with Teleport, see the Audit Event Reference.

access_list.create is emitted when an access list is created.

Example query:

tctl audit query exec \
  'select cluster_name,code,ei from access_list_create limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| name | varchar | A resource name |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |

access_list.delete is emitted when an access list is deleted.

Example query:

tctl audit query exec \
  'select cluster_name,code,ei from access_list_delete limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| name | varchar | A resource name |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |

access_list.member.create is emitted when an access list member is created.

Example query:

tctl audit query exec \
  'select access_list_name,cluster_name,code from access_list_member_create limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_list_name | varchar | The name of the access list the members are being added to or removed from |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| members | array(row(joined_on varchar, member_name varchar, reason varchar, removed_on varchar)) | All members affected by the access list membership change |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| name | varchar | A resource name |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |

access_list.member.delete is emitted when an access list member is deleted.

Example query:

tctl audit query exec \
  'select access_list_name,cluster_name,code from access_list_member_delete limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_list_name | varchar | The name of the access list the members are being added to or removed from |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| members | array(row(joined_on varchar, member_name varchar, reason varchar, removed_on varchar)) | All members affected by the access list membership change |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| name | varchar | A resource name |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |

access_list.member.update is emitted when an access list member is updated.

Example query:

tctl audit query exec \
  'select access_list_name,cluster_name,code from access_list_member_update limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_list_name | varchar | The name of the access list the members are being added to or removed from |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| members | array(row(joined_on varchar, member_name varchar, reason varchar, removed_on varchar)) | All members affected by the access list membership change |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| name | varchar | A resource name |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |

access_list.review is emitted when an access list is reviewed.

Example query:

tctl audit query exec \
  'select cluster_name,code,ei from access_list_review limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| membership_requirements_changed_roles | array(varchar) | The roles that changed as part of a review |
| membership_requirements_changed_traits_key | varchar | |
| membership_requirements_changed_traits_value | varchar | |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| name | varchar | A resource name |
| removed_members | array(varchar) | The members that were removed as part of the review |
| review_day_of_month_changed | varchar | Populated if the review day of month has changed |
| review_frequency_changed | varchar | Populated if the review frequency has changed |
| review_id | varchar | The ID of the review |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |

access_list.update is emitted when an access list is updated.

Example query:

tctl audit query exec \
  'select cluster_name,code,ei from access_list_update limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| name | varchar | A resource name |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |

access_request.create is emitted when an access request has been created or updated.

Example query:

tctl audit query exec \
  'select access_requests,assume_start_time,aws_role_arn from access_request_create limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_requests | array(varchar) | The IDs of access requests created by the user |
| assume_start_time | varchar | The time the requested roles can be assumed |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| delegator | varchar | Used by teleport plugins to indicate the identity which caused them to update state |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| id | varchar | Access request ID |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| max_duration | varchar | Indicates how long the access should be granted for |
| name | varchar | A resource name |
| promoted_access_list_name | varchar | The name of the access list that this request was promoted to. This field is only populated when the request is in the PROMOTED state |
| proposed_state | varchar | The state proposed by a review (only used in the access_request.review event variant) |
| reason | varchar | An optional description of why the request is being created or updated |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| resource_ids | array(row(cluster varchar, kind varchar, name varchar, sub_resource varchar)) | The set of resources to which access is being requested |
| reviewer | varchar | The author of the review (only used in the access_request.review event variant) |
| roles | array(varchar) | A list of roles for the user |
| state | varchar | Access request state (in the access_request.review variant of the event this represents the post-review state of the request) |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |
| user | varchar | Teleport user name |

access_request.review is emitted when an access request has been created or updated.

Example query:

tctl audit query exec \
  'select access_requests,assume_start_time,aws_role_arn from access_request_review limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_requests | array(varchar) | The IDs of access requests created by the user |
| assume_start_time | varchar | The time the requested roles can be assumed |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| delegator | varchar | Used by teleport plugins to indicate the identity which caused them to update state |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| id | varchar | Access request ID |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| max_duration | varchar | Indicates how long the access should be granted for |
| name | varchar | A resource name |
| promoted_access_list_name | varchar | The name of the access list that this request was promoted to. This field is only populated when the request is in the PROMOTED state |
| proposed_state | varchar | The state proposed by a review (only used in the access_request.review event variant) |
| reason | varchar | An optional description of why the request is being created or updated |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| resource_ids | array(row(cluster varchar, kind varchar, name varchar, sub_resource varchar)) | The set of resources to which access is being requested |
| reviewer | varchar | The author of the review (only used in the access_request.review event variant) |
| roles | array(varchar) | A list of roles for the user |
| state | varchar | Access request state (in the access_request.review variant of the event this represents the post-review state of the request) |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m" used for compatibility purposes for some events, Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |
| user | varchar | Teleport user name |

auth is emitted upon a failed or successful authentication attempt.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from auth limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_requests | array(varchar) | The IDs of access requests created by the user |
| addr_local | varchar | A target address on the host |
| addr_remote | varchar | A client (user's) address |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| proto | varchar | Specifies protocol that was captured |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
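
The example queries on this page only sample a single row. As an added example (not part of the Teleport reference), the query below uses only columns listed for the auth table to surface repeated failed authentication attempts per user and client address. The threshold of 5 is an assumed starting point, and taking min/max of the varchar time column assumes ISO 8601 timestamps; pass the query as the quoted argument to tctl audit query exec.

```sql
-- Added example: repeated failed logins grouped by user and client address.
-- Columns used (all from the auth table): user, addr_remote, success, error, time.
-- "user" and "time" are double-quoted in case the engine treats them as keywords.
SELECT
  "user",
  addr_remote,
  count(*)              AS failed_attempts,
  count(DISTINCT error) AS distinct_errors,
  min("time")           AS first_seen,   -- assumes ISO 8601 text, which sorts chronologically
  max("time")           AS last_seen
FROM auth
WHERE success = false
GROUP BY "user", addr_remote
HAVING count(*) >= 5                     -- assumed threshold; tune to your baseline
ORDER BY failed_attempts DESC
LIMIT 50
```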

bot.join records a bot join event.

Example query:

tctl audit query exec \
  'select bot_name,cluster_name,code from bot_join limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| bot_name | varchar | The name of the bot which has joined |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| method | varchar | The event field indicating what join method was used |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| token_name | varchar | The name of the provision token used to join |
| uid | varchar | A unique event identifier |

cert.create is emitted when a certificate is issued.

Example query:

tctl audit query exec \
  'select cert_type,cluster_name,code from cert_create limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| cert_type | varchar | The type of certificate that was just issued |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| identity_access_requests | array(varchar) | A list of UUIDs of active requests for this Identity |
| identity_allowed_resource_ids | array(row(cluster varchar, kind varchar, name varchar, sub_resource varchar)) | The list of resources which the identity will be allowed to access. An empty list indicates that no resource-specific restrictions will be applied |
| identity_aws_role_arns | array(varchar) | A list of allowed AWS role ARNs user can assume |
| identity_azure_identities | array(varchar) | A list of allowed Azure identities user can assume |
| identity_client_ip | varchar | An observed IP of the client that this Identity represents |
| identity_database_names | array(varchar) | A list of allowed database names |
| identity_database_users | array(varchar) | A list of allowed database users |
| identity_disallow_reissue | boolean | A flag that, if set, instructs the auth server to deny any attempts to reissue new certificates while authenticated with this certificate |
| identity_expires | varchar | Specifies when the session will expire |
| identity_gcp_service_accounts | array(varchar) | A list of allowed GCP service accounts user can assume |
| identity_impersonator | varchar | A username of a user impersonating this user |
| identity_kubernetes_cluster | varchar | Specifies the target kubernetes cluster for TLS identities. This can be empty on older Teleport clients |
| identity_kubernetes_groups | array(varchar) | A list of Kubernetes groups allowed |
| identity_kubernetes_users | array(varchar) | A list of Kubernetes users allowed |
| identity_logins | array(varchar) | A list of Unix logins allowed |
| identity_mfa_device_uuid | varchar | The UUID of an MFA device when this Identity was confirmed immediately after an MFA check |
| identity_prev_identity_expires | varchar | The expiry time of the identity/cert that this identity/cert was derived from. It is used to determine a session's hard deadline in cases where both require_session_mfa and disconnect_expired_cert are enabled. See https://github.com/gravitational/teleport/issues/18544 |
| identity_private_key_policy | varchar | The private key policy of the user's private key |
| identity_roles | array(varchar) | A list of groups (Teleport roles) encoded in the identity |
| identity_route_to_app_aws_role_arn | varchar | The AWS role to assume when accessing AWS API |
| identity_route_to_app_azure_identity | varchar | The Azure identity to assume when accessing Azure API |
| identity_route_to_app_cluster_name | varchar | The cluster where the application resides |
| identity_route_to_app_gcp_service_account | varchar | The GCP service account to assume when accessing GCP API |
| identity_route_to_app_name | varchar | The application name certificate is being requested for |
| identity_route_to_app_public_addr | varchar | The application public address |
| identity_route_to_app_session_id | varchar | The ID of the application session |
| identity_route_to_cluster | varchar | Specifies the target cluster if present in the session |
| identity_route_to_database_database | varchar | An optional database name to embed |
| identity_route_to_database_protocol | varchar | The type of the database the cert is for |
| identity_route_to_database_service_name | varchar | The Teleport database proxy service name the cert is for |
| identity_route_to_database_username | varchar | An optional database username to embed |
| identity_teleport_cluster | varchar | The name of the teleport cluster that this identity originated from. For TLS certs this may not be the same as cert issuer, in case of multi-hop requests that originate from a remote cluster |
| identity_usage | array(varchar) | A list of usage restrictions encoded in the identity |
| identity_user | varchar | A username or name of the node connection |
| time | varchar | Event time |
| uid | varchar | A unique event identifier |

db.session.query is emitted when a user executes a database query.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from db_session_query limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| db_aws_redshift_cluster_id | varchar | Cluster ID for Redshift databases |
| db_aws_region | varchar | AWS regions for AWS hosted databases |
| db_gcp_instance_id | varchar | Instance ID for GCP hosted databases |
| db_gcp_project_id | varchar | Project ID for GCP hosted databases |
| db_labels_key | varchar | |
| db_labels_value | varchar | |
| db_name | varchar | The name of the database a user is connecting to |
| db_origin | varchar | The database origin source |
| db_protocol | varchar | The database type, e.g. postgres or mysql |
| db_query | varchar | The executed query string |
| db_query_parameters | array(varchar) | The query parameters for prepared statements |
| db_roles | array(varchar) | A list of database roles for auto-provisioned users |
| db_service | varchar | The name of the database service proxying the database |
| db_type | varchar | The database type |
| db_uri | varchar | The database URI to connect to |
| db_user | varchar | The database username used to connect |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| sid | varchar | A unique UUID of the session |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

db.session.query.failed is emitted when a user executes a database query.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from db_session_query_failed limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| db_aws_redshift_cluster_id | varchar | Cluster ID for Redshift databases |
| db_aws_region | varchar | AWS regions for AWS hosted databases |
| db_gcp_instance_id | varchar | Instance ID for GCP hosted databases |
| db_gcp_project_id | varchar | Project ID for GCP hosted databases |
| db_labels_key | varchar | |
| db_labels_value | varchar | |
| db_name | varchar | The name of the database a user is connecting to |
| db_origin | varchar | The database origin source |
| db_protocol | varchar | The database type, e.g. postgres or mysql |
| db_query | varchar | The executed query string |
| db_query_parameters | array(varchar) | The query parameters for prepared statements |
| db_roles | array(varchar) | A list of database roles for auto-provisioned users |
| db_service | varchar | The name of the database service proxying the database |
| db_type | varchar | The database type |
| db_uri | varchar | The database URI to connect to |
| db_user | varchar | The database username used to connect |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| sid | varchar | A unique UUID of the session |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

db.session.start is emitted when a user connects to a database.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from db_session_start limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_requests | array(varchar) | The IDs of access requests created by the user |
| addr_local | varchar | A target address on the host |
| addr_remote | varchar | A client (user's) address |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| db_aws_redshift_cluster_id | varchar | Cluster ID for Redshift databases |
| db_aws_region | varchar | AWS regions for AWS hosted databases |
| db_gcp_instance_id | varchar | Instance ID for GCP hosted databases |
| db_gcp_project_id | varchar | Project ID for GCP hosted databases |
| db_labels_key | varchar | |
| db_labels_value | varchar | |
| db_name | varchar | The name of the database a user is connecting to |
| db_origin | varchar | The database origin source |
| db_protocol | varchar | The database type, e.g. postgres or mysql |
| db_roles | array(varchar) | A list of database roles for auto-provisioned users |
| db_service | varchar | The name of the database service proxying the database |
| db_type | varchar | The database type |
| db_uri | varchar | The database URI to connect to |
| db_user | varchar | The database username used to connect |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| forwarded_by | varchar | Tells us if the metadata was sent by the node itself or by another node in its place. We can't verify emit permissions fully for these events so care should be taken with them |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| namespace | varchar | A namespace of the server event |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| proto | varchar | Specifies protocol that was captured |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| server_addr | varchar | The address of the server the session occurred on |
| server_hostname | varchar | The hostname of the server the session occurred on |
| server_id | varchar | The UUID of the server the session occurred on |
| server_labels_key | varchar | |
| server_labels_value | varchar | |
| server_sub_kind | varchar | The sub kind of the server the session occurred on |
| sid | varchar | A unique UUID of the session |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

device.authenticate is a device-related event. See the "lib/events.DeviceEvent" and "lib/events.DeviceCode" for the various event types and codes, respectively. Replaces the previous [DeviceEvent] proto, presenting a more standard event interface with various embeds.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from device_authenticate limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| device_asset_tag | varchar | Inventory identifier |
| device_credential_id | varchar | Credential identifier |
| device_device_id | varchar | Of the device |
| device_device_origin | integer | Origin |
| device_os_type | integer | Of the device |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |

device.enroll is a device-related event. See the "lib/events.DeviceEvent" and "lib/events.DeviceCode" for the various event types and codes, respectively. Replaces the previous [DeviceEvent] proto, presenting a more standard event interface with various embeds.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from device_enroll limit 1'

Columns:

| SQL Name | Type | Description |
| --- | --- | --- |
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating teleport cluster |
| code | varchar | A unique event code |
| device_asset_tag | varchar | Inventory identifier |
| device_credential_id | varchar | Credential identifier |
| device_device_id | varchar | Of the device |
| device_device_origin | integer | Origin |
| device_os_type | integer | Of the device |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |

exec specifies a command exec event.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from exec limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| addr_local | varchar | A target address on the host |
| addr_remote | varchar | A client (user's) address |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| command | varchar | The executed command name |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| exitCode | varchar | Specifies command exit code |
| exitError | varchar | An optional exit error, set if command has failed |
| forwarded_by | varchar | Tells us if the metadata was sent by the node itself or by another node in its place. We can't verify emit permissions fully for these events so care should be taken with them |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| kubernetes_cluster | varchar | A Kubernetes cluster name |
| kubernetes_container_image | varchar | The image of the container within the pod |
| kubernetes_container_name | varchar | The name of the container within the pod |
| kubernetes_groups | array(varchar) | A list of Kubernetes groups for the user |
| kubernetes_labels_key | varchar | |
| kubernetes_labels_value | varchar | |
| kubernetes_node_name | varchar | The node that runs the pod |
| kubernetes_pod_name | varchar | The name of the pod |
| kubernetes_pod_namespace | varchar | The namespace of the pod |
| kubernetes_users | array(varchar) | A list of Kubernetes usernames for the user |
| login | varchar | OS login |
| namespace | varchar | A namespace of the server event |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| proto | varchar | Specifies protocol that was captured |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| server_addr | varchar | The address of the server the session occurred on |
| server_hostname | varchar | The hostname of the server the session occurred on |
| server_id | varchar | The UUID of the server the session occurred on |
| server_labels_key | varchar | |
| server_labels_value | varchar | |
| server_sub_kind | varchar | The sub kind of the server the session occurred on |
| sid | varchar | A unique UUID of the session |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

instance.join records an instance join event.

Example query:

tctl audit query exec \
  'select cluster_name,code,ei from instance_join limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| host_id | varchar | The unique host ID of the instance which attempted to join |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| method | varchar | The event field indicating what join method was used |
| node_name | varchar | The name of the instance which attempted to join |
| role | varchar | The role that the node requested when attempting to join |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| token_expires | varchar | Contains information about token expiration time. In case of static token the TokenExpiration time is set to the Unix epoch start time |
| token_name | varchar | The name of the token used to join. This will be omitted for the 'token' join method where the token name is a secret value |
| uid | varchar | A unique event identifier |

join_token.create event is emitted when a provisioning token (a.k.a. join token) of any role is created.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from join_token_create limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| join_method | varchar | |
| login | varchar | OS login |
| name | varchar | A resource name |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| roles | array(varchar) | |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m". Used for compatibility purposes for some events; Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |
| user | varchar | Teleport user name |

kube.request specifies a Kubernetes API request event.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from kube_request limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| addr_local | varchar | A target address on the host |
| addr_remote | varchar | A client (user's) address |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| forwarded_by | varchar | Tells us if the metadata was sent by the node itself or by another node in its place. We can't verify emit permissions fully for these events so care should be taken with them |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| kubernetes_cluster | varchar | A Kubernetes cluster name |
| kubernetes_groups | array(varchar) | A list of Kubernetes groups for the user |
| kubernetes_labels_key | varchar | |
| kubernetes_labels_value | varchar | |
| kubernetes_users | array(varchar) | A list of Kubernetes usernames for the user |
| login | varchar | OS login |
| namespace | varchar | A namespace of the server event |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| proto | varchar | Specifies protocol that was captured |
| request_path | varchar | The raw request URL path |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| resource_api_group | varchar | The resource API group |
| resource_kind | varchar | The API resource kind (e.g. "pod", "service", etc) |
| resource_name | varchar | The API resource name |
| resource_namespace | varchar | The resource namespace |
| response_code | integer | The HTTP response code for this request |
| server_addr | varchar | The address of the server the session occurred on |
| server_hostname | varchar | The hostname of the server the session occurred on |
| server_id | varchar | The UUID of the server the session occurred on |
| server_labels_key | varchar | |
| server_labels_value | varchar | |
| server_sub_kind | varchar | The sub kind of the server the session occurred on |
| sid | varchar | A unique UUID of the session |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| verb | varchar | The HTTP verb used for this request (e.g. GET, POST, etc) |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

lock.created is emitted when a lock is created/updated. Locks are used to restrict access to a Teleport environment by disabling interactions involving a user, an RBAC role, a node, etc. See rfd/0009-locking.md for more details.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from lock_created limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| name | varchar | A resource name |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| target_access_request | varchar | Specifies the UUID of an access request |
| target_device | varchar | The device ID of a trusted device. Requires Teleport Enterprise |
| target_login | varchar | Specifies the name of a local UNIX user |
| target_mfa_device | varchar | Specifies the UUID of a user MFA device |
| target_node | varchar | Specifies the UUID of a Teleport node. A matching node is also prevented from heartbeating to the auth server. DEPRECATED: use ServerID instead |
| target_role | varchar | Specifies the name of an RBAC role known to the root cluster. In remote clusters, this constraint is evaluated before translating to local roles |
| target_server_id | varchar | The host id of the Teleport instance |
| target_user | varchar | Specifies the name of a Teleport user |
| target_windows_desktop | varchar | Specifies the name of a Windows desktop |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m". Used for compatibility purposes for some events; Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |
| user | varchar | Teleport user name |

lock.deleted is emitted when a lock is deleted.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from lock_deleted limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| name | varchar | A resource name |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m". Used for compatibility purposes for some events; Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |
| user | varchar | Teleport user name |

recovery_code.used is emitted when a user's recovery code was used successfully or unsuccessfully.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from recovery_code_used limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |

reset_password_token.create is emitted when a user token is created.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from reset_password_token_create limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| name | varchar | A resource name |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m". Used for compatibility purposes for some events; Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |
| user | varchar | Teleport user name |

saml.idp.auth is emitted when a user has attempted to authorize against the SAML IdP.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from saml_idp_auth limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| service_provider_entity_id | varchar | The entity ID of the service provider |
| service_provider_shortcut | varchar | The shortcut name of a service provider |
| sid | varchar | A unique UUID of the session |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

session.command is a session command event.

Example query:

tctl audit query exec \
  'select access_requests,argv,aws_role_arn from session_command limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| argv | array(varchar) | The list of arguments to the program. Note, the first element does not contain the name of the process |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cgroup_id | integer | The internal cgroupv2 ID of the event |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| forwarded_by | varchar | Tells us if the metadata was sent by the node itself or by another node in its place. We can't verify emit permissions fully for these events so care should be taken with them |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| namespace | varchar | A namespace of the server event |
| path | varchar | The full path to the executable |
| pid | integer | The ID of the process |
| ppid | integer | The PID of the parent process |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| program | varchar | Name of the executable |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| return_code | integer | The return code of execve |
| server_addr | varchar | The address of the server the session occurred on |
| server_hostname | varchar | The hostname of the server the session occurred on |
| server_id | varchar | The UUID of the server the session occurred on |
| server_labels_key | varchar | |
| server_labels_value | varchar | |
| server_sub_kind | varchar | The sub kind of the server the session occurred on |
| sid | varchar | A unique UUID of the session |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

session.join is emitted when another user joins a session.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from session_join limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| addr_local | varchar | A target address on the host |
| addr_remote | varchar | A client (user's) address |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| forwarded_by | varchar | Tells us if the metadata was sent by the node itself or by another node in its place. We can't verify emit permissions fully for these events so care should be taken with them |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| kubernetes_cluster | varchar | A Kubernetes cluster name |
| kubernetes_groups | array(varchar) | A list of Kubernetes groups for the user |
| kubernetes_labels_key | varchar | |
| kubernetes_labels_value | varchar | |
| kubernetes_users | array(varchar) | A list of Kubernetes usernames for the user |
| login | varchar | OS login |
| namespace | varchar | A namespace of the server event |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| proto | varchar | Specifies protocol that was captured |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| server_addr | varchar | The address of the server the session occurred on |
| server_hostname | varchar | The hostname of the server the session occurred on |
| server_id | varchar | The UUID of the server the session occurred on |
| server_labels_key | varchar | |
| server_labels_value | varchar | |
| server_sub_kind | varchar | The sub kind of the server the session occurred on |
| sid | varchar | A unique UUID of the session |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

session.rejected event happens when a user hits a session control restriction.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from session_rejected limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| addr_local | varchar | A target address on the host |
| addr_remote | varchar | A client (user's) address |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| forwarded_by | varchar | Tells us if the metadata was sent by the node itself or by another node in its place. We can't verify emit permissions fully for these events so care should be taken with them |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| max | integer | An event field specifying a maximal value (e.g. the value of max_connections for a session.rejected event) |
| namespace | varchar | A namespace of the server event |
| proto | varchar | Specifies protocol that was captured |
| reason | varchar | A field that specifies reason for event, e.g. in disconnect event it explains why server disconnected the client |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| server_addr | varchar | The address of the server the session occurred on |
| server_hostname | varchar | The hostname of the server the session occurred on |
| server_id | varchar | The UUID of the server the session occurred on |
| server_labels_key | varchar | |
| server_labels_value | varchar | |
| server_sub_kind | varchar | The sub kind of the server the session occurred on |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |

session.start is a session start event.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from session_start limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| addr_local | varchar | A target address on the host |
| addr_remote | varchar | A client (user's) address |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| forwarded_by | varchar | Tells us if the metadata was sent by the node itself or by another node in its place. We can't verify emit permissions fully for these events so care should be taken with them |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| initial_command | array(varchar) | The command used to start this session |
| kubernetes_cluster | varchar | A Kubernetes cluster name |
| kubernetes_container_image | varchar | The image of the container within the pod |
| kubernetes_container_name | varchar | The name of the container within the pod |
| kubernetes_groups | array(varchar) | A list of Kubernetes groups for the user |
| kubernetes_labels_key | varchar | |
| kubernetes_labels_value | varchar | |
| kubernetes_node_name | varchar | The node that runs the pod |
| kubernetes_pod_name | varchar | The name of the pod |
| kubernetes_pod_namespace | varchar | The namespace of the pod |
| kubernetes_users | array(varchar) | A list of Kubernetes usernames for the user |
| login | varchar | OS login |
| namespace | varchar | A namespace of the server event |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| proto | varchar | Specifies protocol that was captured |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| server_addr | varchar | The address of the server the session occurred on |
| server_hostname | varchar | The hostname of the server the session occurred on |
| server_id | varchar | The UUID of the server the session occurred on |
| server_labels_key | varchar | |
| server_labels_value | varchar | |
| server_sub_kind | varchar | The sub kind of the server the session occurred on |
| session_recording | varchar | The type of session recording |
| sid | varchar | A unique UUID of the session |
| size | varchar | Expressed as 'W:H' |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

user.create is emitted when the user is created or upserted.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from user_create limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| connector | varchar | The connector used to create the user |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| expires | varchar | Set if resource expires |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| name | varchar | A resource name |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| roles | array(varchar) | A list of roles for the user |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| ttl | varchar | A TTL of reset password token represented as duration, e.g. "10m". Used for compatibility purposes for some events; Expires should be used instead as it's more useful (contains exact expiration date/time) |
| uid | varchar | A unique event identifier |
| updated_by | varchar | If set indicates the user who modified the resource |
| user | varchar | Teleport user name |

user.login records a successful or failed user login event.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from user_login limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| addr_local | varchar | A target address on the host |
| addr_remote | varchar | A client (user's) address |
| applied_login_rules | array(varchar) | Stores the name of each login rule that was applied during the login |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| error | varchar | Includes system error message for the failed attempt |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| message | varchar | A user-friendly message for successful or unsuccessful auth attempt |
| method | varchar | The event field indicating how the login was performed |
| mfa_device_mfa_device_name | varchar | The user-specified name of the MFA device |
| mfa_device_mfa_device_type | varchar | The type of this MFA device |
| mfa_device_mfa_device_uuid | varchar | The UUID of the MFA device generated by Teleport |
| proto | varchar | Specifies protocol that was captured |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| success | boolean | Indicates the success or failure of the operation |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| user_agent | varchar | Identifies the type of client that attempted the event |

user.password_change is emitted when the user changes their own password.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from user_password_change limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |

windows.desktop.session.end is emitted when a user ends a Windows desktop session.

Example query:

tctl audit query exec \
  'select access_requests,aws_role_arn,azure_identity from windows_desktop_session_end limit 1'

Columns:

| SQL Name | Type | Description |
|---|---|---|
| access_requests | array(varchar) | The IDs of access requests created by the user |
| aws_role_arn | varchar | AWS IAM role user assumes when accessing AWS console |
| azure_identity | varchar | The Azure identity user assumes when accessing Azure API |
| cluster_name | varchar | Identifies the originating Teleport cluster |
| code | varchar | A unique event code |
| desktop_addr | varchar | The address of the desktop being accessed |
| desktop_labels_key | varchar | |
| desktop_labels_value | varchar | |
| desktop_name | varchar | The name of the desktop resource |
| ei | integer | A monotonically incremented index in the event sequence |
| event | varchar | The event type |
| gcp_service_account | varchar | The GCP service account user assumes when accessing GCP API |
| impersonator | varchar | A user acting on behalf of another user |
| login | varchar | OS login |
| participants | array(varchar) | A list of participants in the session |
| private_key_policy | varchar | The private key policy of the private key used to start this session |
| recorded | boolean | True if the session was recorded, false otherwise |
| required_private_key_policy | varchar | The private key policy enforced for this login |
| session_start | varchar | The timestamp at which the session began |
| session_stop | varchar | The timestamp at which the session ended |
| sid | varchar | A unique UUID of the session |
| time | varchar | Event time |
| trusted_device_asset_tag | varchar | Inventory identifier |
| trusted_device_credential_id | varchar | Credential identifier |
| trusted_device_device_id | varchar | Of the device |
| trusted_device_device_origin | integer | Origin |
| trusted_device_os_type | integer | Of the device |
| uid | varchar | A unique event identifier |
| user | varchar | Teleport user name |
| windows_desktop_service | varchar | The name of the service proxying the RDP session |
| windows_domain | varchar | The Active Directory domain of the desktop being accessed |
| windows_user | varchar | The Windows username used to connect |
| with_mfa | varchar | A UUID of an MFA device used to start this session |

windows.desktop.session.start is emitted when a user connects to a desktop.

Example query:

tctl audit query exec \
  'select access_requests,addr_local,addr_remote from windows_desktop_session_start limit 1'

Columns: