Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

Desktop Access Audit Events Reference

This guide lists the structures and field names of audit events related to connecting to remote desktops with Teleport. Use this guide to understand desktop-related audit events and configure your log management solutions if you are exporting audit events.

windows.desktop.session.start (TDP00I/W)

Emitted when a client successfully connects to a desktop or when a connection attempt fails because access was denied.

Successful connection event:

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP00I",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "ei": 0,
  "event": "windows.desktop.session.start",
  "login": "administrator",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true,
  "time": "2022-02-16T16:43:30.459Z",
  "uid": "1605346b-d90b-4df7-8148-67a3e2d85673",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

Access denied event:

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP00W",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "ei": 0,
  "error": "access to desktop denied", // Connection error
  "event": "windows.desktop.session.start",
  "message": "access to desktop denied", // Detailed error message.
  "login": "administrator",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": false, // Indicates unsuccessful connection
  "time": "2022-02-16T16:43:30.459Z",
  "uid": "1605346b-d90b-4df7-8148-67a3e2d85673",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

windows.desktop.session.end (TDP01I)

Emitted when a client disconnects from the desktop.

{
  "cluster_name": "root",
  "code": "TDP01I",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "desktop_name": "WIN-I44F9TN11M3-teleport-example-com",
  "ei": 0,
  "event": "windows.desktop.session.end",
  "login": "administrator",
  "participants": ["alice"],
  "recorded": true,
  "session_start": "2022-02-16T16:43:30.459Z",
  "session_stop": "2022-02-16T16:46:50.894Z",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:46:50.895Z",
  "uid": "c7956a81-597f-4452-90d7-800506f7a05b",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

desktop.clipboard.send (TDP02I)

Emitted when clipboard data is sent from a user's workstation to Teleport. In order to avoid capturing sensitive data, the event only records the number of bytes that were sent.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP02I",
  "desktop_addr": "192.168.1.206:3389",
  "ei": 0,
  "event": "desktop.clipboard.send",
  "length": 4, // number of bytes sent
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:43:40.010217Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.clipboard.receive (TDP03I)

Emitted when Teleport receives clipboard data from a remote desktop. In order to avoid capturing sensitive data, the event only records the number of bytes that were received.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP03I",
  "desktop_addr": "192.168.1.206:3389",
  "ei": 0,
  "event": "desktop.clipboard.receive",
  "length": 4, // number of bytes received
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:43:40.010217Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.share (TDP04I/W)

Emitted when Teleport starts sharing a directory on a local machine to the remote desktop.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP04I", // TDP04W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.share",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.read (TDP05I/W)

This event is part of the directory sharing feature, and is emitted when Teleport reads data from a file on the user's local machine and sends it to the remote Windows desktop.

In order to avoid capturing sensitive data, the event only records the offset from the start of the file from which the read began and the number of bytes that were sent.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP05I", // TDP05W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.read",
  "file_path": "powershell-scripts/a-script.ps1", // relative path from the root of the shared directory (local-files in this case)
  "length": 734, // the number of bytes read
  "offset": 0, // the offset from the start of the file from which the read began
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.write (TDP06I/W)

This event is part of the directory sharing feature, and is emitted when Teleport reads writes from the remote desktop to a file on the user's local machine.

In order to avoid capturing sensitive data, the event only records the offset from the start of the file from which the write began and the number of bytes that were written.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP06I", // TDP06W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.read",
  "file_path": "powershell-scripts/a-script.ps1", // relative path from the root of the shared directory (local-files in this case)
  "length": 734, // the number of bytes written
  "offset": 0, // the offset from the start of the file from which the write began
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}