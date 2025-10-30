Version: 18.x

Audit Event Reference

Teleport components emit audit events to record activity within the cluster.

Audit event payloads have an event field that describes the event, which is often an operation performed against a dynamic resource (e.g., access_list.create for the creation of an Access List) or some other user behavior, such as a local user login ( user.login ). The code field includes a string with pattern [A-Z0-9]{6} that is unique to an audit event, such as TAP03I for the creation of an application resource.

In some cases, an audit event describes both a success state and a failure state, while the event field is the same for both states. In this case, the code field differs between states. For example, access_list.create describes both successful and failed Access List creations, while the success event has code TAL001I and the failure has code TAL001E . For other events, like db.session.query.failed and db.session.query , the event type describes only the success or failure state.

You can set up Teleport to export audit events to third-party services for storage, visualization, and analysis. For more information, read Exporting Teleport Audit Events.

Crown Jewel Created

Example:

{ "code" : "CJ001I" , "event" : "access_graph.crown_jewel.create" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Crown Jewel Deleted

Example:

{ "code" : "CJ003I" , "event" : "access_graph.crown_jewel.delete" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Crown Jewel Updated

Example:

{ "code" : "CJ002I" , "event" : "access_graph.crown_jewel.update" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Access Path Changed

Example:

{ "code" : "TAG001I" , "event" : "access_graph.path.changed" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

There are multiple events with the access_list.create type.

Access list created

Example:

{ "code" : "TAL001I" , "event" : "access_list.create" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "access-list" , "updated_by" : "mike" , "access_list_title" : "example_title" }

Access list create failed

Example:

{ "code" : "TAL001E" , "event" : "access_list.create" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "access-list" , "updated_by" : "mike" , "access_list_title" : "example_title" }

There are multiple events with the access_list.delete type.

Access list deleted

Example:

{ "code" : "TAL003I" , "event" : "access_list.delete" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "access-list" , "updated_by" : "mike" , "access_list_title" : "example_title" }

Access list delete failed

Example:

{ "code" : "TAL003E" , "event" : "access_list.delete" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "access-list" , "updated_by" : "mike" , "access_list_title" : "example_title" }

There are multiple events with the access_list.member.add type.

Access list member added

Example:

{ "code" : "TAL005I" , "event" : "access_list.member.add" , "time" : "2023-05-08T19:21:36.144Z" , "access_list_name" : "access-list" , "access_list_title" : "example_title" , "members" : [ { "member_name" : "user" } ] , "updated_by" : "mike" }

Access list member addition failure

Example:

{ "code" : "TAL005E" , "event" : "access_list.member.add" , "time" : "2023-05-08T19:21:36.144Z" , "access_list_name" : "access-list" , "access_list_title" : "example_title" , "members" : [ { "member_name" : "user" } ] , "updated_by" : "mike" }

There are multiple events with the access_list.member.delete type.

Access list member removed

Example:

{ "code" : "TAL007I" , "event" : "access_list.member.delete" , "time" : "2023-05-08T19:21:36.144Z" , "access_list_name" : "access-list" , "access_list_title" : "example_title" , "members" : [ { "member_name" : "user" } ] , "updated_by" : "mike" }

Access list member removal failure

Example:

{ "code" : "TAL007E" , "event" : "access_list.member.delete" , "time" : "2023-05-08T19:21:36.144Z" , "access_list_name" : "access-list" , "access_list_title" : "example_title" , "members" : [ { "member_name" : "carrot" } , { "member_name" : "apple" } , { "member_name" : "banana" } ] , "updated_by" : "mike" }

There are multiple events with the access_list.member.delete_all_members type.

All members removed from access list

Example:

{ "code" : "TAL008I" , "event" : "access_list.member.delete_all_members" , "time" : "2023-05-08T19:21:36.144Z" , "access_list_name" : "access-list" , "access_list_title" : "example_title" , "updated_by" : "mike" }

Access list member delete all members failure

Example:

{ "code" : "TAL008E" , "event" : "access_list.member.delete_all_members" , "time" : "2023-05-08T19:21:36.144Z" , "access_list_name" : "access-list" , "access_list_title" : "example_title" , "updated_by" : "mike" }

There are multiple events with the access_list.member.update type.

Access list member updated

Example:

{ "code" : "TAL006I" , "event" : "access_list.member.update" , "time" : "2023-05-08T19:21:36.144Z" , "access_list_name" : "access-list" , "access_list_title" : "example_title" , "members" : [ { "member_name" : "user" } ] , "updated_by" : "mike" }

Access list member update failure

Example:

{ "code" : "TAL006E" , "event" : "access_list.member.update" , "time" : "2023-05-08T19:21:36.144Z" , "access_list_name" : "access-list" , "access_list_title" : "example_title" , "members" : [ { "member_name" : "user" } ] , "updated_by" : "mike" }

There are multiple events with the access_list.review type.

Access list reviewed

Example:

{ "code" : "TAL004I" , "event" : "access_list.review" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "access-list" , "updated_by" : "mike" , "access_list_title" : "example_title" }

Access list review failed

Example:

{ "code" : "TAL004E" , "event" : "access_list.review" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "access-list" , "updated_by" : "mike" , "access_list_title" : "example_title" }

There are multiple events with the access_list.update type.

Access list updated

Example:

{ "code" : "TAL002I" , "event" : "access_list.update" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "access-list" , "updated_by" : "mike" , "access_list_title" : "example_title" }

Access list update failed

Example:

{ "code" : "TAL002E" , "event" : "access_list.update" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "access-list" , "updated_by" : "mike" , "access_list_title" : "example_title" }

Access Request Created

Example:

{ "id" : "66b827b2-1b0b-512b-965d-6c789388d3c9" , "code" : "T5000I" , "event" : "access_request.create" , "time" : "2020-06-05T19:26:53Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" , "user" : "Carrie_Sandoval" , "state" : "PENDING" , "roles" : [ "admin" ] }

Access Request Deleted

Example:

{ "id" : "66b827b2-1b0b-512b-965d-6c789388d3c9" , "code" : "T5003I" , "event" : "access_request.delete" , "time" : "2020-06-05T19:26:53Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Access Request Expired

Example:

{ "id" : "66b827b2-1b0b-512b-965d-6c789388d3c9" , "code" : "T5005I" , "event" : "access_request.expire" , "time" : "2020-06-05T19:26:53Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Access Request Reviewed

Example:

{ "code" : "T5002I" , "event" : "access_request.review" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Resource Access Search

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "T5004I" , "ei" : 0 , "event" : "access_request.search" , "namespace" : "default" , "resource_type" : "db_server" , "search_as_roles" : [ "admin" , "really-long-role-name-1" , "really-long-role-name-2" , "really-long-role-name-3" , "really-long-role-name-4" , "really-long-role-name-5" , "really-long-role-name-6" , "really-long-role-name-7" , "really-long-role-name-8" , "really-long-role-name-9" ] , "time" : "2022-06-08T15:10:35.368Z" , "uid" : "b13d61-b97-475f-86ef-1fedf" , "user" : "foo" }

Access Request Updated

Example:

{ "id" : "66b827b2-1b0b-512b-965d-6c789388d3c9" , "code" : "T5001I" , "event" : "access_request.update" , "time" : "2020-06-05T19:26:53Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" , "state" : "APPROVED" , "updated_by" : "Sam_Waters" }

Application Created

Example:

{ "code" : "TAP03I" , "ei" : 0 , "event" : "app.create" , "time" : "2022-09-27T19:07:35.00Z" , "uid" : "45cabf1e-3f19-4f83-a360-01ac0a176b67" , "aws_role_arn" : "arn:aws:iam::1234567890:role/steve" , "name" : "dynamic-app" , "user" : "mike" }

Application Deleted

Example:

{ "code" : "TAP05I" , "ei" : 0 , "event" : "app.delete" , "time" : "2022-09-27T19:11:35.00Z" , "uid" : "d2342a20-9697-4a5d-9658-5d473e04624a" , "aws_role_arn" : "arn:aws:iam::1234567890:role/steve" , "name" : "dynamic-app" , "user" : "mike" }

App Session Data

Example:

{ "code" : "T2008I" , "ei" : 0 , "event" : "app.session.chunk" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "session_chunk_id" : "3a54f32d-210f-4338-abf5-133bfe19ccc0" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2020-10-30T17:28:14.705Z" , "uid" : "8ea5be3d-07b1-4308-8e0d-2d2ec57cbb20" , "user" : "alice" , "app_name" : "test" }

App Session DynamoDB Request

Example:

{ "code" : "T2013I" , "ei" : 1 , "event" : "app.session.dynamodb.request" , "app_name" : "dyno1" , "app_public_addr" : "dynamodb.root.com" , "app_uri" : "https://console.aws.amazon.com/dynamodbv2/home" , "aws_host" : "dynamodb.us-west-2.amazonaws.com" , "aws_region" : "us-west-2" , "aws_role_arn" : "arn:aws:iam::123456789012:role/GavinDynamoDBRole" , "aws_service" : "dynamodb" , "body" : { "TableName" : "test-table" } , "cluster_name" : "root.com" , "method" : "POST" , "path" : "/" , "raw_query" : "" , "session_chunk_id" : "3a54f32d-210f-4338-abf5-133bfe19ccc0" , "status_code" : 200 , "target" : "DynamoDB_20120810.Scan" , "time" : "2022-10-19T19:04:07.763Z" , "uid" : "f6f38f69-46e9-4110-a773-2c88278d08ca" , "user" : "alice" }

App Session Ended

Example:

{ "app_name" : "ponger" , "app_public_addr" : "ponger.root.gravitational.io" , "app_uri" : "tcp://localhost:9876" , "cluster_name" : "root" , "code" : "T2011I" , "ei" : 0 , "event" : "app.session.end" , "namespace" : "default" , "server_id" : "8e70002c-7a07-4513-a3fa-ac556a1d7534" , "sid" : "11c328b4-5a1e-4adc-b7cb-206389e5f130" , "time" : "2022-08-10T19:54:40.444Z" , "uid" : "ac8c9b6b-46a0-4b0e-8d85-2204101d5615" , "user" : "alice" }

App Session Started

Example:

{ "addr.remote" : "50.34.48.113:56902" , "code" : "T2007I" , "ei" : 0 , "event" : "app.session.start" , "namespace" : "default" , "public_addr" : "dumper.test.domain.com" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2020-10-30T17:28:14.381Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "kimlisa" , "app_name" : "test" }

Application Updated

Example:

{ "code" : "TAP04I" , "ei" : 0 , "event" : "app.update" , "time" : "2022-09-27T19:09:35.00Z" , "uid" : "9909a8d6-b45f-455c-953d-ba1a62340810" , "aws_role_arn" : "arn:aws:iam::1234567890:role/steve" , "name" : "dynamic-app" , "user" : "mike" }

Auth Attempt Failed

Example:

{ "code" : "T3007W" , "error" : "ssh: principal \"fsdfdsf\" not in the set of valid principals for given certificate: [\"root\"]" , "event" : "auth" , "success" : false , "time" : "2019-04-22T02:09:06Z" , "uid" : "036659d6-fdf7-40a4-aa80-74d6ac73b9c0" , "user" : [email protected]" }

Cluster Authentication Preferences Updated

Example:

{ "code" : "TCAUTH001I" , "event" : "auth_preference.update" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Automatic Update Agent Rollout Forced Done.

Example:

{ "ei" : 0 , "event" : "auto_update_agent_rollout.force_done" , "code" : "AUAR002I" , "time" : "0001-01-01T00:00:00Z" , "user" : "system" , "groups" : [ "prod" ] , "success" : true }

Automatic Update Agent Rollout Rollback

Example:

{ "ei" : 0 , "event" : "auto_update_agent_rollout.rollback" , "code" : "AUAR003I" , "time" : "0001-01-01T00:00:00Z" , "user" : "system" , "groups" : [ "prod" ] , "success" : true }

Automatic Update Agent Rollout Triggered

Example:

{ "ei" : 0 , "event" : "auto_update_agent_rollout.trigger" , "code" : "AUAR001I" , "time" : "0001-01-01T00:00:00Z" , "user" : "system" , "groups" : [ "dev" , "prod" ] , "success" : true }

Automatic Update Config Created

Example:

{ "addr.remote" : "127.0.0.1:46790" , "cluster_name" : "autest.cloud.gravitational.io" , "code" : "AUC001I" , "ei" : 0 , "event" : "auto_update_config.create" , "expires" : "0001-01-01T00:00:00Z" , "name" : "autoupdate-config" , "success" : true , "time" : "2025-03-04T15:49:31.946Z" , "uid" : "6fcbf7ed-b44c-4b83-bb70-02a574564e0b" , "updated_by" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user_kind" : 1 }

Automatic Update Config Deleted

Example:

{ "addr.remote" : "127.0.0.1:39518" , "cluster_name" : "autest.cloud.gravitational.io" , "code" : "AUC003I" , "ei" : 0 , "event" : "auto_update_config.delete" , "expires" : "0001-01-01T00:00:00Z" , "name" : "autoupdate-config" , "success" : true , "time" : "2025-03-04T15:49:21.869Z" , "uid" : "af17ab4a-d5a2-44a3-93ce-89390b50d52f" , "updated_by" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user_kind" : 1 }

Automatic Update Config Updated

Example:

{ "addr.remote" : "127.0.0.1:46798" , "cluster_name" : "autest.cloud.gravitational.io" , "code" : "AUC002I" , "ei" : 0 , "event" : "auto_update_config.update" , "expires" : "0001-01-01T00:00:00Z" , "name" : "autoupdate-config" , "success" : true , "time" : "2025-03-04T15:49:37.633Z" , "uid" : "94c580a9-6f87-4a23-9fe5-f93de4390cff" , "updated_by" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user_kind" : 1 }

Automatic Update Version Created

Example:

{ "addr.remote" : "127.0.0.1:41608" , "cluster_name" : "autest.cloud.gravitational.io" , "code" : "AUV001I" , "ei" : 0 , "event" : "auto_update_version.create" , "expires" : "0001-01-01T00:00:00Z" , "name" : "autoupdate-version" , "success" : true , "time" : "2025-03-04T15:41:24.433Z" , "uid" : "3d677d2f-91d0-4b5a-966d-183a59cec888" , "updated_by" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user_kind" : 1 }

Automatic Update Version Deleted

Example:

{ "addr.remote" : "127.0.0.1:50316" , "cluster_name" : "autest.cloud.gravitational.io" , "code" : "AUV003I" , "ei" : 0 , "event" : "auto_update_version.delete" , "expires" : "0001-01-01T00:00:00Z" , "name" : "autoupdate-version" , "success" : true , "time" : "2025-03-04T15:25:44.805Z" , "uid" : "c4d0d165-3a17-46ac-baa7-c7f521629997" , "updated_by" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user_kind" : 1 }

Automatic Update Version Updated

Example:

{ "addr.remote" : "127.0.0.1:42540" , "cluster_name" : "autest.cloud.gravitational.io" , "code" : "AUV002I" , "ei" : 0 , "event" : "auto_update_version.update" , "expires" : "0001-01-01T00:00:00Z" , "name" : "autoupdate-version" , "success" : true , "time" : "2025-03-04T15:27:36.039Z" , "uid" : "b7f9dde2-2899-46f1-bd4e-699d7b630e33" , "updated_by" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user" : "b6eae9ed-bfde-40ba-a880-948a2c598b2b.autest.cloud.gravitational.io" , "user_kind" : 1 }

AWS IAM Identity Center Resource Sync Failed

Example:

{ "code" : "TAIC001E" , "event" : "aws_identity_center.resource_sync.failed" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

AWS IAM Identity Center Resource Sync Completed

Example:

{ "code" : "TAIC001I" , "event" : "aws_identity_center.resource_sync.success" , "message" : "Periodic account, permission set and account assignment sync" , "success" : true , "time" : "2025-02-11T15:29:30.045Z" , "total_account_assignments" : 12 , "total_accounts" : 4 , "total_permission_sets" : 3 , "total_user_groups" : 5 }

Credit Card Added

Example:

{ "cluster_name" : "some-name" , "code" : "TBL00I" , "ei" : 0 , "event" : "billing.create_card" , "time" : "2021-03-18T16:29:05.044Z" , "uid" : "5c40b62a-4ddd-466c-87a0-fa2922f743d0" , "user" : "root" }

Credit Card Deleted

Example:

{ "cluster_name" : "some-name" , "code" : "TBL01I" , "ei" : 0 , "event" : "billing.delete_card" , "time" : "2021-03-18T16:28:51.219Z" , "uid" : "056517e0-f7e1-4286-b437-c75f3a865af4" , "user" : "root" }

Credit Card Updated

Example:

{ "cluster_name" : "some-name" , "code" : "TBL02I" , "ei" : 0 , "event" : "billing.update_card" , "time" : "2021-03-18T16:28:49.067Z" , "uid" : "0a06aba1-b87c-4d58-8922-e173f6b9729f" , "user" : "root" }

Billing Information Updated

Example:

{ "cluster_name" : "some-name" , "code" : "TBL03I" , "ei" : 0 , "event" : "billing.update_info" , "time" : "2021-03-18T16:29:15.719Z" , "uid" : "95344b33-d25c-4875-896e-f21abc911547" , "user" : "root" }

Bot Created

Example:

{ "cluster_name" : "leaf.tele.ottr.sh:443" , "code" : "TB001I" , "ei" : 0 , "event" : "bot.create" , "expires" : "0001-01-01T00:00:00Z" , "name" : "made-by-noah" , "time" : "2023-12-08T10:53:39.798Z" , "uid" : "0efbb33d-fa50-44e0-8dec-4ac89c0dd4ab" , "user" : "noah" }

Bot Deleted

Example:

{ "cluster_name" : "leaf.tele.ottr.sh:443" , "code" : "TB003I" , "ei" : 0 , "event" : "bot.delete" , "expires" : "0001-01-01T00:00:00Z" , "name" : "review2" , "time" : "2023-12-08T09:52:30.579Z" , "uid" : "0efbb33d-fa50-44e0-8dec-4ac89c0dd4ab" , "user" : "noah" }

There are multiple events with the bot.join type.

Bot Joined

Example:

{ "attributes" : { "actor" : "strideynet" , "actor_id" : "16336790" , "base_ref" : "" , "environment" : "" , "event_name" : "push" , "head_ref" : "" , "job_workflow_ref" : "strideynet/sandbox/.github/workflows/build.yaml@refs/heads/main" , "ref" : "refs/heads/main" , "ref_type" : "branch" , "repository" : "strideynet/sandbox" , "repository_id" : "539963344" , "repository_owner" : "strideynet" , "repository_owner_id" : "16336790" , "repository_visibility" : "private" , "run_attempt" : "6" , "run_id" : "3547291254" , "run_number" : "73" , "sha" : "758c69462083ad67f0714112aab31fdeb1ba3a59" , "sub" : "repo:strideynet/sandbox:ref:refs/heads/main" , "workflow" : "Demo" } , "bot_name" : "github-demo" , "cluster_name" : "root.tele.ottr.sh" , "code" : "TJ001I" , "ei" : 0 , "event" : "bot.join" , "method" : "github" , "success" : true , "time" : "2022-12-05T17:11:03.268Z" , "token_name" : "github-bot" , "uid" : "15a82555-b5aa-4eb8-820e-551f991bf902" }

Bot Join Failed

Example:

{ "attributes" : { "actor" : "strideynet" , "actor_id" : "16336790" , "base_ref" : "" , "environment" : "" , "event_name" : "push" , "head_ref" : "" , "job_workflow_ref" : "strideynet/sandbox/.github/workflows/build.yaml@refs/heads/main" , "ref" : "refs/heads/main" , "ref_type" : "branch" , "repository" : "strideynet/sandbox" , "repository_id" : "539963344" , "repository_owner" : "strideynet" , "repository_owner_id" : "16336790" , "repository_visibility" : "private" , "run_attempt" : "3" , "run_id" : "8604159359" , "run_number" : "100" , "sha" : "0c9c5361d15154caf1c151dc1f430ea3552c9b93" , "sub" : "repo:strideynet/sandbox:ref:refs/heads/main" , "workflow" : "Demo" } , "bot_name" : "unknown" , "cluster_name" : "leaf.tele.ottr.sh" , "code" : "TJ001E" , "ei" : 0 , "error" : "id token claims did not match any allow rules" , "event" : "bot.join" , "method" : "unknown" , "success" : false , "time" : "2024-04-08T17:33:48.877Z" , "uid" : "2bc5e2cb-5ba1-47d7-a7ae-381cf323ae7f" }

Bot Updated

Example:

{ "code" : "TB002I" , "event" : "bot.update" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Certificate Issued

Example:

{ "cert_type" : "user" , "code" : "TC000I" , "event" : "cert.create" , "identity" : { "user" : "alice" } , "time" : "2022-02-04T19:43:23.529Z" }

Client Disconnected

Example:

{ "code" : "T3006I" , "event" : "client.disconnect" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Cluster Networking Configuration Updated

Example:

{ "code" : "TCNET002I" , "event" : "cluster_networking_config.update" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Contact Created

Example:

{ "code" : "TCTC001I" , "event" : "contact.create" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Contact Deleted

Example:

{ "code" : "TCTC002I" , "event" : "contact.delete" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Database Created

Example:

{ "cluster_name" : "root" , "code" : "TDB03I" , "db_labels" : { "env" : "local" , "teleport.dev/origin" : "dynamic" } , "db_protocol" : "postgres" , "db_uri" : "localhost:5432" , "ei" : 0 , "event" : "db.create" , "expires" : "0001-01-01T00:00:00Z" , "name" : "postgres-local" , "time" : "2021-10-08T15:42:15.39Z" , "uid" : "9d37514f-aef5-426f-9fda-31fd35d070f5" , "user" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e.root" }

Database Deleted

Example:

{ "cluster_name" : "root" , "code" : "TDB05I" , "ei" : 0 , "event" : "db.delete" , "expires" : "0001-01-01T00:00:00Z" , "name" : "postgres-local" , "time" : "2021-10-08T15:42:36.005Z" , "uid" : "74f5e6b9-50c4-4195-bb26-d615641255bc" , "user" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e.root" }

Cassandra Batch

Example:

{ "ei" : 0 , "event" : "db.session.cassandra.batch" , "code" : "TCA01I" , "time" : "2022-06-02T08:46:33.825Z" , "cluster_name" : "im-a-cluster-name" , "user" : "alice" , "sid" : "a724c7e8-8e00-45a6-afac-82023d0f86b6" , "db_service" : "cassandra" , "db_protocol" : "cassandra" , "db_uri" : "localhost:65054" , "db_user" : "cassandra" , "consistency" : "ConsistencyLevel QUORUM [0x0004]" , "batch_type" : "BatchType LOGGED [0x00]" , "children" : [ { "query" : "INSERT INTO batch_table (id) VALUES 1" } , { "query" : "INSERT INTO batch_table (id) VALUES 2" } ] }

Cassandra Execute

Example:

{ "ei" : 0 , "event" : "db.session.cassandra.execute" , "code" : "TCA03I" , "time" : "2022-06-02T08:46:33.825Z" , "cluster_name" : "im-a-cluster-name" , "user" : "alice" , "sid" : "2126ee07-cfe1-4213-8032-70b3e6e1ac79" , "db_service" : "cassandra" , "db_protocol" : "cassandra" , "db_uri" : "localhost:65054" , "db_user" : "cassandra" , "query_id" : "d34e638934721c3bcd69933f992a00cb" }

Cassandra Prepare Event

Example:

{ "ei" : 0 , "event" : "db.session.cassandra.prepare" , "code" : "TCA02I" , "time" : "2022-06-02T08:46:33.825Z" , "cluster_name" : "im-a-cluster-name" , "user" : "alice" , "sid" : "2126ee07-cfe1-4213-8032-70b3e6e1ac79" , "db_service" : "cassandra" , "db_protocol" : "cassandra" , "db_uri" : "localhost:65054" , "db_user" : "cassandra" , "query" : "SELECT * FROM system_schema.keyspaces" }

Cassandra Register

Example:

{ "ei" : 0 , "event" : "db.session.cassandra.register" , "code" : "TCA04I" , "time" : "2022-06-02T08:46:33.825Z" , "cluster_name" : "im-a-cluster-name" , "user" : "alice" , "sid" : "2126ee07-cfe1-4213-8032-70b3e6e1ac79" , "db_service" : "cassandra" , "db_protocol" : "cassandra" , "db_uri" : "localhost:65054" , "db_user" : "cassandra" , "event_types" : [ "TOPOLOGY_CHANGE" , "STATUS_CHANGE" , "SCHEMA_CHANGE" ] }

There are multiple events with the db.session.dynamodb.request type.

DynamoDB Request

Example:

DynamoDB Request Failed

Example:

There are multiple events with the db.session.elasticsearch.request type.

Elasticsearch Request

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TES00I" , "body" : null , "category" : 0 , "db_protocol" : "elasticsearch" , "db_service" : "myelastic" , "db_uri" : "localhost:9201" , "db_user" : "elasticuser" , "ei" : 101 , "event" : "db.session.elasticsearch.request" , "headers" : { "Accept" : [ "*/*" ] , "User-Agent" : [ "curl/7.79.1" ] } , "method" : "GET" , "path" : "/" , "query" : "" , "raw_query" : "" , "sid" : "b739c817-bc11-4eaa-b256-c6646d7fcc21" , "target" : "" , "time" : "2022-09-27T11:43:58.433Z" , "uid" : "730a8de0-79a9-486f-b9c6-3820c3a6977c" , "user" : "alice" }

Elasticsearch Request Failed

Example:

{ "code" : "TES00E" , "event" : "db.session.elasticsearch.request" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Database Session Ended

Example:

Database Malformed Packet

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TDB06I" , "db_name" : "master" , "db_protocol" : "sqlserver" , "db_service" : "sqlserver02" , "db_uri" : "localhost:1433" , "db_user" : "sqlserver" , "ei" : 50 , "event" : "db.session.malformed_packet" , "payload" : "AwEAkAAAAgByAGEAbQBfADEAIABuAHYAYQByAGMAaABhAHIAKAA0ADAAMAAwACkAC0AAXwBtAHMAcABhAHIAYQBtAF8AMAAA50AfCQTQADQWAHMAcAB0AF8AbQBvAG4AaQB0AG8AcgALQABfAG0AcwBwAGEAcgBhAG0AXwAxAADnQB8JBNAANAYAZABiAG8A" , "sid" : "3ed38c42-eef0-419b-b893-f2f10990f117" , "time" : "2022-06-02T08:46:33.825Z" , "uid" : "503e310d-8d88-4bea-bbbb-a1b35456a03a" , "user" : "alice" }

MySQL Create Database

Example:

MySQL Debug

Example:

MySQL Drop Database

Example:

MySQL Change Database

Example:

MySQL Kill Process

Example:

MySQL Refresh

Example:

MySQL Shut Down

Example:

MySQL Statement Bulk Execute

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TMY06I" , "db_name" : "test" , "db_protocol" : "mysql" , "db_service" : "self-hosted-mysql" , "db_uri" : "localhost:3306" , "db_user" : "alice" , "ei" : 0 , "event" : "db.session.mysql.statements.bulk_execute" , "parameters" : null , "statement_id" : 1 , "time" : "2022-02-10T20:57:53.000Z" , "user" : [email protected]" }

MySQL Statement Close

Example:

MySQL Statement Execute

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TMY01I" , "db_name" : "test" , "db_protocol" : "mysql" , "db_service" : "self-hosted-mysql" , "db_uri" : "localhost:3306" , "db_user" : "alice" , "ei" : 0 , "event" : "db.session.mysql.statements.execute" , "parameters" : null , "statement_id" : 1 , "time" : "2022-02-10T20:57:54.000Z" , "user" : [email protected]" }

MySQL Statement Fetch

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TMY05I" , "db_name" : "test" , "db_protocol" : "mysql" , "db_service" : "self-hosted-mysql" , "db_uri" : "localhost:3306" , "db_user" : "alice" , "ei" : 0 , "event" : "db.session.mysql.statements.fetch" , "rows_count" : 5 , "statement_id" : 1 , "time" : "2022-02-10T20:57:55.000Z" , "uid" : "0a2bd129-7c2f-4e68-9c84-a17dc4415444" , "user" : [email protected]" }

MySQL Statement Prepare

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TMY00I" , "db_name" : "test" , "db_protocol" : "mysql" , "db_service" : "self-hosted-mysql" , "db_uri" : "localhost:3306" , "db_user" : "alice" , "ei" : 0 , "event" : "db.session.mysql.statements.prepare" , "query" : "UPDATE `test`.`user` SET `age` = '7' WHERE (`name` = 'alice')" , "time" : "2022-02-10T20:57:50.000Z" , "user" : [email protected]" }

MySQL Statement Reset

Example:

MySQL Statement Send Long Data

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TMY02I" , "db_name" : "test" , "db_protocol" : "mysql" , "db_service" : "self-hosted-mysql" , "db_uri" : "localhost:3306" , "db_user" : "alice" , "ei" : 0 , "event" : "db.session.mysql.statements.send_long_data" , "statement_id" : 1 , "parameter_id" : 2 , "data_size" : 32 , "time" : "2022-02-10T20:57:51.000Z" , "user" : [email protected]" }

There are multiple events with the db.session.opensearch.request type.

OpenSearch Request

Example:

{ "category" : 2 , "cluster_name" : "im-a-cluster-name" , "code" : "TOS00I" , "db_protocol" : "opensearch" , "db_service" : "opensearch-aws" , "db_uri" : "opensearch-aws-aaa111.eu-central-1.es.amazonaws.com:443" , "db_user" : "arn:aws:iam::1234567890:role/teleport-db-role" , "ei" : 1 , "event" : "db.session.opensearch.request" , "headers" : { "Accept-Encoding" : [ "gzip" ] , "Content-Type" : [ "application/json" ] , "User-Agent" : [ "Go-http-client/1.1" ] } , "method" : "GET" , "path" : "/_count" , "query" : "" , "raw_query" : "" , "sid" : "370e5d86-84a6-4995-8476-dbea80f9eacf" , "status_code" : 200 , "target" : "" , "time" : "2023-03-11T11:08:29.954Z" , "uid" : "d15f795c-1f63-4076-bdd4-ffe88cde716e" , "user" : [email protected]" }

OpenSearch Request Failed

Example:

{ "category" : 2 , "cluster_name" : "im-a-cluster-name" , "code" : "TOS00E" , "db_protocol" : "opensearch" , "db_service" : "opensearch-aws" , "db_uri" : "opensearch-aws-aaa111.eu-central-1.es.amazonaws.com:443" , "db_user" : "arn:aws:iam::1234567890:role/does-not-exist" , "ei" : 1 , "event" : "db.session.opensearch.request" , "headers" : { "Accept-Encoding" : [ "gzip" ] , "Content-Type" : [ "application/json" ] , "User-Agent" : [ "Go-http-client/1.1" ] } , "method" : "GET" , "path" : "/_count" , "query" : "" , "raw_query" : "" , "sid" : "2d9a43c1-14ab-40fa-88db-195312f3401c" , "status_code" : 0 , "target" : "" , "time" : "2023-03-11T11:08:29.954Z" , "uid" : "01ad9a74-c8d6-497f-83db-e1c0be83d8da" , "user" : [email protected]" }

Database User Permissions Updated

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TDB07I" , "db_name" : "master" , "db_protocol" : "postgres" , "db_service" : "postgres-local" , "db_uri" : "localhost:1433" , "db_user" : "alice" , "ei" : 50 , "event" : "db.session.permissions.update" , "sid" : "3ed38c42-eef0-419b-b893-f2f10990f117" , "time" : "2022-06-02T08:46:33.825Z" , "uid" : "503e310d-8d88-4bea-bbbb-a1b35456a03a" , "user" : "alice" , "permission_summary" : [ { "counts" : { "table" : 1 , "view" : 2 } , "permission" : "INSERT" } , { "counts" : { "table" : 2 , "view" : 4 } , "permission" : "SELECT" } , { "counts" : { "table" : 3 } , "permission" : "UPDATE" } ] }

PostgreSQL Function Call

Example:

{ "cluster_name" : "root" , "code" : "TPG04I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 23 , "event" : "db.session.postgres.function" , "sid" : "5e0c50cc-4ee7-4110-8d6e-735bf1f06f1f" , "function_oid" : "123" , "function_args" : [ "qweqweqwe" ] , "time" : "2021-12-16T00:40:37.073Z" , "uid" : "295c88fc-4725-4de0-9049-64040fc69ec7" , "user" : "alice" }

PostgreSQL Statement Bind

Example:

{ "cluster_name" : "root" , "code" : "TPG01I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 20 , "event" : "db.session.postgres.statements.bind" , "parameters" : [ "qweqweqwe" ] , "portal_name" : "" , "sid" : "5e0c50cc-4ee7-4110-8d6e-735bf1f06f1f" , "statement_name" : "test-ps" , "time" : "2021-12-16T00:40:37.071Z" , "uid" : "d5bed7e5-6a15-441b-b8ee-a2abd73f3136" , "user" : "alice" }

PostgreSQL Statement Close

Example:

{ "cluster_name" : "root" , "code" : "TPG03I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 22 , "event" : "db.session.postgres.statements.close" , "portal_name" : "" , "sid" : "5e0c50cc-4ee7-4110-8d6e-735bf1f06f1f" , "statement_name" : "test-ps" , "time" : "2021-12-16T00:40:37.073Z" , "uid" : "295c88fc-4725-4de0-9049-64040fc69ec7" , "user" : "alice" }

PostgreSQL Statement Execute

Example:

{ "cluster_name" : "root" , "code" : "TPG02I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 21 , "event" : "db.session.postgres.statements.execute" , "portal_name" : "" , "sid" : "5e0c50cc-4ee7-4110-8d6e-735bf1f06f1f" , "time" : "2021-12-16T00:40:37.071Z" , "uid" : "a0f045a2-45a4-4a4d-b14a-5f986c1818ff" , "user" : "alice" }

PostgreSQL Statement Parse

Example:

{ "cluster_name" : "root" , "code" : "TPG00I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 19 , "event" : "db.session.postgres.statements.parse" , "query" : "select id from test where id = $1::varchar" , "sid" : "5e0c50cc-4ee7-4110-8d6e-735bf1f06f1f" , "statement_name" : "test-ps" , "time" : "2021-12-16T00:40:37.069Z" , "uid" : "06781ebf-6c5b-463b-ad32-e7395afd4a59" , "user" : "alice" }

Database Query

Example:

Database Query Failed

Example:

{ "cluster_name" : "root" , "code" : "TDB02W" , "db_name" : "houston" , "db_protocol" : "mongodb" , "db_query" : "{\"find\": \"test\",\"filter\": {},\"lsid\": {\"id\": {\"$binary\":{\"base64\":\"2KMk23/TTCKUtiAVU0fbgg==\",\"subType\":\"04\"}}},\"$clusterTime\": {\"clusterTime\": {\"$timestamp\":{\"t\":\"1626246227\",\"i\":\"1\"}},\"signature\": {\"hash\": {\"$binary\":{\"base64\":\"zBJKAl6VcjwQrr05N0O4qrQ92PY=\",\"subType\":\"00\"}},\"keyId\": {\"$numberLong\":\"6969719000615878659\"}}},\"$db\": \"houston\"}" , "db_service" : "mongo-primary" , "db_uri" : "mongodb://mongo-1:27017,mongo-2:27018/?replicaSet=rs0" , "db_user" : "alice" , "ei" : 13 , "error" : "access to database denied" , "event" : "db.session.query.failed" , "message" : "access to database denied" , "sid" : "13c04d4b-2e94-4106-a3a1-5ab8aae10465" , "success" : false , "time" : "2021-07-14T07:05:22.32Z" , "uid" : "21796ef9-a5dc-4595-a833-b893ac620488" , "user" : [email protected]" }

There are multiple events with the db.session.spanner.rpc type.

Spanner RPC Denied

Example:

{ "args" : { "database" : "projects/project-id/instances/instance-id/databases/prod-db" , "session_count" : 100 , "session_template" : { } } , "cluster_name" : "root" , "code" : "TSPN001W" , "db_name" : "prod-db" , "db_origin" : "dynamic" , "db_protocol" : "spanner" , "db_service" : "teleport-spanner" , "db_type" : "spanner" , "db_uri" : "spanner.googleapis.com:443" , "db_user" : "some-user" , "error" : "access to db denied. User does not have permissions. Confirm database user and name." , "event" : "db.session.spanner.rpc" , "message" : "access to db denied. User does not have permissions. Confirm database user and name." , "procedure" : "BatchCreateSessions" , "sid" : "04364984-a6d0-4e2c-93c7-5c44e2359502" , "success" : false , "time" : "2024-03-13T01:25:48.568Z" , "uid" : "1de57538-2eea-438b-a52d-3098f8093b28" , "user" : [email protected]" }

Spanner RPC

Example:

{ "args" : { "query_options" : { } , "request_options" : { } , "seqno" : 1 , "session" : "projects/project-id/instances/instance-id/databases/dev-db/sessions/ABCDEF1234567890Aye8_QwuELYD9rxa74YTWc-lu9LNuDDADbi4EOGm2C2j0ixe" , "sql" : "select * from TestTable" , "transaction" : { "Selector" : { "SingleUse" : { "Mode" : { "ReadOnly" : { "TimestampBound" : { "Strong" : true } , "return_read_timestamp" : true } } } } } } , "cluster_name" : "root" , "code" : "TSPN001I" , "db_name" : "dev-db" , "db_origin" : "dynamic" , "db_protocol" : "spanner" , "db_service" : "teleport-spanner" , "db_type" : "spanner" , "db_uri" : "spanner.googleapis.com:443" , "db_user" : "some-user" , "event" : "db.session.spanner.rpc" , "procedure" : "ExecuteStreamingSql" , "sid" : "406b9883-0e16-42f2-9d0b-b3bd956f9cd4" , "success" : true , "time" : "2024-03-13T00:02:44.739Z" , "uid" : "e0625e79-9399-4ea3-aa8b-dba1eb98658d" , "user" : [email protected]" }

SQLServer RPC Request

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TMS00I" , "db_name" : "master" , "db_protocol" : "sqlserver" , "db_service" : "sqlserver02" , "db_uri" : "localhost:1433" , "db_user" : "sqlserver" , "ei" : 7 , "event" : "db.session.sqlserver.rpc_request" , "parameters" : [ "SELECT

dtb.collation_name AS [Collation],

dtb.name AS [DatabaseName2]

FROM

master.sys.databases AS dtb

WHERE

(dtb.name=@_msparam_0)" ] , "proc_name" : "Sp_ExecuteSql" , "sid" : "6b37d89b-0d9c-4681-976b-ba12588a1bcd" , "time" : "2022-06-02T08:29:17.693Z" , "uid" : "a29dfad1-5a71-4c48-b4e0-10d1d857a23c" , "user" : "alice" }

There are multiple events with the db.session.start type.

Database Session Started

Example:

Database Session Denied

Example:

{ "code" : "TDB00W" , "event" : "db.session.start" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

There are multiple events with the db.session.user.create type.

Database User Created

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TDB08I" , "db_name" : "master" , "db_protocol" : "postgres" , "db_service" : "postgres-local" , "db_uri" : "localhost:1433" , "db_user" : "alice" , "ei" : 0 , "event" : "db.session.user.create" , "private_key_policy" : "none" , "roles" : null , "sid" : "47f20b91-f5c3-4eef-85e1-9509252238e7" , "success" : true , "time" : "2022-06-02T08:46:33.825Z" , "uid" : "95e74359-e5a1-4c76-970e-c522b550dbb9" , "user" : "alice" , "user_kind" : 1 , "username" : "alice" }

Database User Creation Failed

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TDB08W" , "db_name" : "master" , "db_protocol" : "postgres" , "db_service" : "postgres-local" , "db_uri" : "localhost:1433" , "db_user" : "alice" , "ei" : 0 , "error" : "dummy error" , "event" : "db.session.user.create" , "message" : "dummy error" , "private_key_policy" : "none" , "roles" : null , "sid" : "3fd14bfe-be21-40a4-b1da-744fa14f5108" , "success" : false , "time" : "2022-06-02T08:46:33.825Z" , "uid" : "4a4a6a70-c81d-4326-8565-3f7bd23b874f" , "user" : "ben" , "user_kind" : 1 , "username" : "ben" }

There are multiple events with the db.session.user.deactivate type.

Database User Deactivated

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TDB09I" , "db_name" : "master" , "db_protocol" : "postgres" , "db_service" : "postgres-local" , "db_uri" : "localhost:1433" , "db_user" : "alice" , "delete" : false , "ei" : 5 , "event" : "db.session.user.deactivate" , "private_key_policy" : "none" , "sid" : "c362e10b-dbc4-44e5-b90f-0bee5dd0c623" , "success" : true , "time" : "2022-06-02T08:46:33.825Z" , "uid" : "0ab70491-4d33-4bc5-be58-27922a647f50" , "user" : "ben" , "user_kind" : 1 , "username" : "ben" }

Database User Deactivate Failure

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TDB09W" , "db_name" : "master" , "db_protocol" : "postgres" , "db_service" : "postgres-local" , "db_uri" : "localhost:1433" , "db_user" : "alice" , "delete" : false , "ei" : 4 , "error" : "dummy error" , "event" : "db.session.user.deactivate" , "message" : "dummy error" , "private_key_policy" : "none" , "sid" : "3bb429a1-be03-4c03-827c-98ff846dacf7" , "success" : false , "time" : "2022-06-02T08:46:33.825Z" , "uid" : "c6569248-ac06-417d-b5b6-e0bf94eccb1a" , "user" : "ben" , "user_kind" : 1 , "username" : "ben" }

Database Updated

Example:

{ "cluster_name" : "root" , "code" : "TDB04I" , "db_labels" : { "env" : "local" , "teleport.dev/origin" : "dynamic" } , "db_protocol" : "postgres" , "db_uri" : "localhost:5432" , "ei" : 0 , "event" : "db.update" , "expires" : "0001-01-01T00:00:00Z" , "name" : "postgres-local" , "time" : "2021-10-08T15:42:24.581Z" , "uid" : "fe631a5a-6418-49d6-99e7-5280654663ec" , "user" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e.root" }

Clipboard Data Received

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TDP03I" , "desktop_addr" : "100.104.52.89:3389" , "desktop_name" : "desktop-name" , "ei" : 0 , "event" : "desktop.clipboard.receive" , "sid" : "b7f734d8-bdc2-4996-8959-0b42a11708e7" , "time" : "2021-10-18T23:39:13.105Z" , "uid" : "84d408d1-3314-4a30-b7b7-35970633c9de" , "user" : "joe" , "length" : 512 }

Clipboard Data Sent

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TDP02I" , "desktop_addr" : "100.104.52.89:3389" , "desktop_name" : "desktop-name" , "ei" : 0 , "event" : "desktop.clipboard.send" , "sid" : "b7f734d8-bdc2-4996-8959-0b42a11708e7" , "time" : "2021-10-18T23:39:13.105Z" , "uid" : "84d408d1-3314-4a30-b7b7-35970633c9de" , "user" : "joe" , "length" : 512 }

There are multiple events with the desktop.directory.read type.

Directory Sharing Read

Example:

{ "addr.remote" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "cluster_name" : "im-a-cluster-name" , "code" : "TDP05I" , "desktop_addr" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "desktop_name" : "desktop-name" , "directory_id" : 2 , "directory_name" : "windows-server-2012-shared" , "ei" : 9766 , "event" : "desktop.directory.read" , "file_path" : "powershell-scripts/domain-controller.ps1" , "length" : 734 , "offset" : 0 , "proto" : "tdp" , "sid" : "b9329a34-ab0c-4aa0-9fc8-1054d491e818" , "success" : true , "time" : "2022-10-21T23:07:36.496189Z" , "uid" : "a6ea5e5b-daac-47c2-9ce5-3f868e51a146" , "user" : "joe" }

Directory Sharing Read Failed

Example:

{ "addr.remote" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "cluster_name" : "im-a-cluster-name" , "code" : "TDP05W" , "desktop_addr" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "desktop_name" : "desktop-name" , "directory_id" : 2 , "directory_name" : "windows-server-2012-shared" , "ei" : 9766 , "event" : "desktop.directory.read" , "file_path" : "powershell-scripts/domain-controller.ps1" , "length" : 734 , "offset" : 0 , "proto" : "tdp" , "sid" : "b9329a34-ab0c-4aa0-9fc8-1054d491e818" , "success" : false , "time" : "2022-10-21T23:07:36.496189Z" , "uid" : "a6ea5e5b-daac-47c2-9ce5-3f868e51a146" , "user" : "joe" }

There are multiple events with the desktop.directory.share type.

Directory Sharing Started

Example:

{ "addr.remote" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "cluster_name" : "im-a-cluster-name" , "code" : "TDP04I" , "desktop_addr" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "desktop_name" : "desktop-name" , "directory_id" : 2 , "directory_name" : "windows-server-2012-shared" , "ei" : 3317 , "event" : "desktop.directory.share" , "proto" : "tdp" , "sid" : "6ecf916d-dedf-4769-afc0-d08e55fbebf7" , "success" : true , "time" : "2022-10-21T22:36:27.314409Z" , "uid" : "f38b07d4-2f3e-400b-a91a-bad7283db775" , "user" : "joe" }

Directory Sharing Start Failed

Example:

{ "addr.remote" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "cluster_name" : "im-a-cluster-name" , "code" : "TDP04W" , "desktop_addr" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "desktop_name" : "desktop-name" , "directory_id" : 2 , "directory_name" : "windows-server-2012-shared" , "ei" : 3317 , "event" : "desktop.directory.share" , "proto" : "tdp" , "sid" : "6ecf916d-dedf-4769-afc0-d08e55fbebf7" , "success" : false , "time" : "2022-10-21T22:36:27.314409Z" , "uid" : "f38b07d4-2f3e-400b-a91a-bad7283db775" , "user" : "joe" }

There are multiple events with the desktop.directory.write type.

Directory Sharing Write

Example:

{ "addr.remote" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "cluster_name" : "im-a-cluster-name" , "code" : "TDP06I" , "desktop_addr" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "desktop_name" : "desktop-name" , "directory_id" : 2 , "directory_name" : "windows-server-2012-shared" , "ei" : 7428 , "event" : "desktop.directory.write" , "file_path" : "powershell-scripts/domain-controller.ps1" , "length" : 734 , "offset" : 0 , "proto" : "tdp" , "sid" : "ea959406-27e4-4b11-85c4-1a485ff48417" , "success" : true , "time" : "2022-10-21T23:19:34.519058Z" , "uid" : "6bb2ebdf-d7e2-4a03-80ae-514ff9a5c71f" , "user" : "joe" }

Directory Sharing Write Failed

Example:

{ "addr.remote" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "cluster_name" : "im-a-cluster-name" , "code" : "TDP06W" , "desktop_addr" : "ec2-54-162-177-255.compute-1.amazonaws.com:3389" , "desktop_name" : "desktop-name" , "directory_id" : 2 , "directory_name" : "windows-server-2012-shared" , "ei" : 7428 , "event" : "desktop.directory.write" , "file_path" : "powershell-scripts/domain-controller.ps1" , "length" : 734 , "offset" : 0 , "proto" : "tdp" , "sid" : "ea959406-27e4-4b11-85c4-1a485ff48417" , "success" : false , "time" : "2022-10-21T23:19:34.519058Z" , "uid" : "6bb2ebdf-d7e2-4a03-80ae-514ff9a5c71f" , "user" : "joe" }

Device Enrolled

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV005I" , "device" : { "asset_tag" : "M2CQVQV64R" , "device_id" : "99d39707-efdd-436c-94f3-6a1aeef1fbf2" , "os_type" : 2 } , "ei" : 0 , "event" : "device" , "status" : { "success" : true } , "time" : "2023-01-12T19:28:36.842Z" , "uid" : "94d33b77-82cd-4558-8893-0320699bf755" , "user" : { "user" : "this user wont render properly" } }

Device Authenticated

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV006I" , "ei" : 0 , "event" : "device.authenticate" , "success" : true , "time" : "2023-01-12T19:34:48.1Z" , "uid" : "fa279611-91d8-47b5-9fad-b8ea3e5286e0" , "user" : "lisa" }

Device Web Authentication Confirmed

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV009I" , "device" : { "device_id" : "f84f6b35-6226-4e73-8205-3bcbd7d12970" , "web_authentication" : true , "web_session_id" : "my-session-id-12345" } , "ei" : 0 , "event" : "device.authenticate.confirm" , "success" : false , "time" : "2024-04-08T19:35:48.1Z" , "uid" : "b1361d51-70fa-4f1b-803c-a252c2877707" , "user" : "llama" , "user_kind" : 1 }

Device Registered

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV001I" , "device" : { "asset_tag" : "M2CQVQV64R" , "device_id" : "99d39707-efdd-436c-94f3-6a1aeef1fbf2" , "os_type" : 2 } , "ei" : 0 , "event" : "device.create" , "success" : true , "time" : "2023-01-12T19:28:36.842Z" , "uid" : "94d33b77-82cd-4558-8893-0320699bf755" , "user" : "3827e8ad-7cbe-4423-a80f-dfc89e83eb86.im-a-cluster-name" }

Device Deleted

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV002I" , "device" : { "device_id" : "99d39707-efdd-436c-94f3-6a1aeef1fbf2" } , "ei" : 0 , "event" : "device.delete" , "success" : true , "time" : "2023-01-12T20:33:20.527Z" , "uid" : "a12e693e-1c45-43e4-a9d1-5fd8399e303c" , "user" : "3827e8ad-7cbe-4423-a80f-dfc89e83eb86.im-a-cluster-name" }

Device Enroll Token Created

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV003I" , "device" : { "device_id" : "99d39707-efdd-436c-94f3-6a1aeef1fbf2" } , "ei" : 0 , "event" : "device.token.create" , "success" : true , "time" : "2023-01-12T19:51:54.168Z" , "uid" : "24cce2a0-57b7-494e-a196-c7fd2482b10c" , "user" : "3827e8ad-7cbe-4423-a80f-dfc89e83eb86.im-a-cluster-name" }

Device Enroll Token Spent

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV004I" , "device" : { "asset_tag" : "M2CQVQV64R" , "device_id" : "0e288b23-f99f-4635-b182-06e9308095a8" , "os_type" : 2 } , "ei" : 0 , "event" : "device.token.spent" , "success" : true , "time" : "2023-01-12T21:31:29.191Z" , "uid" : "bbbc496f-820b-4f49-ae0d-1c1b29faee85" , "user" : "lisa" }

Device Updated

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV007I" , "device" : { "asset_tag" : "M2CQVQV64R" , "device_id" : "0e288b23-f99f-4635-b182-06e9308095a8" , "os_type" : 2 } , "ei" : 0 , "event" : "device.update" , "success" : true , "time" : "2023-01-12T21:31:29.191Z" , "uid" : "bbbc496f-820b-4f49-ae0d-1c1b29faee85" , "user" : "lisa" }

Device Web Token Created

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TV008I" , "device" : { "asset_tag" : "M2CQVQV64R" , "credential_id" : "c7572891-8426-4e62-874f-c793029d53a6" , "device_id" : "f84f6b35-6226-4e73-8205-3bcbd7d12970" , "os_type" : 2 } , "ei" : 0 , "event" : "device.webtoken.create" , "success" : true , "time" : "2024-03-05T17:18:43.296Z" , "uid" : "b1361d51-70fa-4f1b-803c-a252c2877707" , "user" : "llama" , "user_kind" : 1 }

Discovery Config Created

Example:

{ "code" : "DC001I" , "event" : "discovery_config.create" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "discovery-config" , "updated_by" : "joe" }

Discovery Config Deleted

Example:

{ "code" : "DC003I" , "event" : "discovery_config.delete" , "time" : "2023-05-08T19:21:38.144Z" , "name" : "discovery-config" , "updated_by" : "joe" }

All Discovery Configs Deleted

Example:

{ "code" : "DC004I" , "event" : "discovery_config.delete_all" , "time" : "2023-05-08T19:21:39.144Z" , "name" : "discovery-config" , "updated_by" : "joe" }

Discovery Config Updated

Example:

{ "code" : "DC002I" , "event" : "discovery_config.update" , "time" : "2023-05-08T19:21:37.144Z" , "name" : "discovery-config" , "updated_by" : "joe" }

There are multiple events with the exec type.

Command Execution

Example:

{ "code" : "T3002I" , "proto" : "kube" , "kubernetes_cluster" : "clusterOne" , "ei" : 0 , "addr.local" : "172.31.28.130:3022" , "addr.remote" : "151.181.228.114:51752" , "event" : "exec" , "namespace" : "default" , "sid" : "8d57a9d5-3848-5ce2-a326-85eb4a6d2eed" , "time" : "2020-10-30T17:28:14.705Z" , "uid" : "8ea5be3d-07b1-4308-8e0d-2d2ec57cbb20" , "user" : "alex" }

Command Execution Failed

Example:

{ "code" : "T3002E" , "event" : "exec" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

External Audit Storage Disabled

Example:

{ "code" : "TEA002I" , "event" : "external_audit_storage.disable" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

External Audit Storage Enabled

Example:

{ "code" : "TEA001I" , "event" : "external_audit_storage.enable" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

There are multiple events with the git.command type.

Git Command Failed

Example:

{ "code" : "TGIT001E" , "event" : "git.command" , "time" : "2024-12-07T11:11:11.111Z" , "uid" : "7699b806-e717-4821-85a5-d2f41acbe373" , "user" : "Linus.Torvalds" , "service" : "git-upload-pack" , "exitError" : "some-error" , "path" : "my-org/my-repo" }

Git Command

Example:

{ "code" : "TGIT001I" , "event" : "git.command" , "time" : "2024-12-07T11:11:11.112Z" , "uid" : "7699b806-e717-4821-85a5-d2f41acbe373" , "user" : "Linus.Torvalds" , "service" : "git-upload-pack" , "path" : "my-org/my-repo" }

GitHub Auth Connector Created

Example:

{ "code" : "T8000I" , "event" : "github.created" , "name" : "new_github_connector" , "time" : "2020-06-05T19:28:00Z" , "uid" : "2b7bb323-35d1-4b9c-9a6d-00ab34c95fb8" , "user" : "unimplemented" }

GitHub Auth Connector Deleted

Example:

{ "code" : "T8001I" , "event" : "github.deleted" , "name" : "new_github_connector" , "time" : "2020-06-05T19:28:28Z" , "uid" : "26f12a67-d593-40df-b3d3-965faee60143" , "user" : "unimplemented" }

GitHub Auth Connector Updated

Example:

{ "code" : "T80002I" , "event" : "github.updated" , "name" : "new_github_connector" , "time" : "2020-06-05T19:28:28Z" , "uid" : "26f12a67-d593-40df-b3d3-965faee60143" , "user" : "unimplemented" }

Health Check Config Created

Example:

{ "cluster_name" : "gavin-leaf.cloud.gravitational.io" , "code" : "THCC001I" , "ei" : 0 , "event" : "health_check_config.create" , "expires" : "0001-01-01T00:00:00Z" , "name" : "example-cfg" , "time" : "2025-03-04T15:49:21.869Z" , "uid" : "0efbb33d-fa50-44e0-8dec-4ac89c0dd4ab" , "user" : "gavin" }

Health Check Config Deleted

Example:

{ "cluster_name" : "gavin-leaf.cloud.gravitational.io" , "code" : "THCC003I" , "ei" : 0 , "event" : "health_check_config.delete" , "expires" : "0001-01-01T00:00:00Z" , "name" : "example-cfg" , "time" : "2025-03-04T15:49:21.869Z" , "uid" : "0efbb33d-fa50-44e0-8dec-4ac89c0dd4ab" , "user" : "gavin" }

Health Check Config Updated

Example:

{ "cluster_name" : "gavin-leaf.cloud.gravitational.io" , "code" : "THCC002I" , "ei" : 0 , "event" : "health_check_config.update" , "expires" : "0001-01-01T00:00:00Z" , "name" : "example-cfg" , "time" : "2025-03-04T15:49:21.869Z" , "uid" : "0efbb33d-fa50-44e0-8dec-4ac89c0dd4ab" , "user" : "gavin" }

There are multiple events with the instance.join type.

Instance Joined

Example:

{ "cluster_name" : "root.tele.ottr.sh" , "code" : "TJ002I" , "ei" : 0 , "event" : "instance.join" , "method" : "token" , "node_name" : "noah-laptop-follower" , "role" : "Instance" , "success" : true , "time" : "2022-12-06T09:17:06.392Z" , "token_name" : "************************a2418147" , "uid" : "c1ea0e6c-ee3a-4f7e-9a98-9df283b01a98" }

Instance Join Failed

Example:

{ "code" : "TJ002E" , "event" : "instance.join" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Integration Created

Example:

{ "code" : "IG001I" , "event" : "integration.create" , "time" : "2023-05-09T19:21:36.144Z" , "name" : "integration" , "updated_by" : "joe" }

Integration Deleted

Example:

{ "code" : "IG003I" , "event" : "integration.delete" , "time" : "2023-05-09T19:21:38.144Z" , "name" : "integration" , "updated_by" : "joe" }

Integration Updated

Example:

{ "code" : "IG002I" , "event" : "integration.update" , "time" : "2023-05-09T19:21:37.144Z" , "name" : "integration" , "updated_by" : "joe" }

Bound Keypair Join Verification Failed

Example:

{ "code" : "TBK003W" , "event" : "join_token.bound_keypair.join_state_verification_failed" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Bound Keypair Recovery

Example:

{ "code" : "TBK001I" , "event" : "join_token.bound_keypair.recovery" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Bound Keypair Rotation

Example:

{ "code" : "TBK002I" , "event" : "join_token.bound_keypair.rotation" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Join Token Created

Example:

{ "code" : "TJT00I" , "event" : "join_token.create" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Kubernetes Created

Example:

{ "cluster_name" : "root" , "code" : "T3010I" , "kube_labels" : { "env" : "local" , "teleport.dev/origin" : "dynamic" } , "ei" : 0 , "event" : "kube.create" , "expires" : "0001-01-01T00:00:00Z" , "name" : "kube-local" , "time" : "2022-09-08T15:42:36.005Z" , "uid" : "9d37514f-aef5-426f-9fda-31fd35d070f5" , "user" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e.root" }

Kubernetes Deleted

Example:

{ "cluster_name" : "root" , "code" : "T3012I" , "ei" : 0 , "event" : "kube.delete" , "expires" : "0001-01-01T00:00:00Z" , "name" : "kube-local" , "time" : "2022-09-08T15:42:36.005Z" , "uid" : "74f5e6b9-50c4-4195-bb26-d615641255bc" , "user" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e.root" }

Kubernetes Request

Example:

{ "addr.local" : "127.0.0.1:3027" , "addr.remote" : "[::1]:43026" , "code" : "T3009I" , "ei" : 0 , "event" : "kube.request" , "kubernetes_cluster" : "gke_teleport-a" , "login" : "awly" , "namespace" : "default" , "proto" : "kube" , "request_path" : "/api/v1/namespaces/teletest/pods/test-pod" , "resource_api_group" : "core/v1" , "resource_kind" : "pods" , "resource_name" : "test-pod" , "resource_namespace" : "teletest" , "response_code" : 200 , "server_id" : "9b67377e-d61e-4865-96d6-fa71989fd9e9" , "time" : "2020-11-12T20:35:44.978Z" , "uid" : "8c1459a8-9199-4d25-bc5d-38e000ddd9ab" , "user" : "alex" , "verb" : "GET" }

Kubernetes Updated

Example:

{ "cluster_name" : "root" , "code" : "T3011I" , "kube_labels" : { "env" : "local" , "teleport.dev/origin" : "dynamic" } , "ei" : 0 , "event" : "kube.update" , "expires" : "0001-01-01T00:00:00Z" , "name" : "kube-local" , "time" : "2022-09-08T15:42:36.005Z" , "uid" : "fe631a5a-6418-49d6-99e7-5280654663ec" , "user" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e.root" }

Lock Created

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TLK00I" , "ei" : 0 , "event" : "lock.created" , "expires" : "0001-01-01T00:00:00Z" , "name" : "lock-name" , "time" : "2021-08-06T18:47:19.75Z" , "uid" : "070fcb2a-e1cf-5b84-8190-14448cc63c76" , "user" : "df83fda8-1111-5567-8bcc-c282dec3290e.im-a-cluster-name" }

Lock Deleted

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TLK01I" , "ei" : 0 , "event" : "lock.deleted" , "expires" : "0001-01-01T00:00:00Z" , "name" : "lock-name" , "time" : "2021-08-06T18:49:51.626Z" , "uid" : "e4630384-ac85-5a43-9ba9-3355b8d5cae4" , "user" : "df83fda8-1111-5567-8bcc-c282dec3290e.im-a-cluster-name" }

Login Rule Created

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TLR00I" , "ei" : 0 , "event" : "login_rule.create" , "expires" : "0001-01-01T00:00:00Z" , "name" : "test_rule" , "time" : "2023-01-25T19:21:36.144Z" , "uid" : "266e8563-729e-412f-ba26-1050fbec0cd6" , "user" : "nic" }

Login Rule Deleted

Example:

{ "cluster_name" : "im-a-cluster-name" , "code" : "TLR01I" , "ei" : 0 , "event" : "login_rule.delete" , "expires" : "0001-01-01T00:00:00Z" , "name" : "test_rule" , "time" : "2023-01-25T19:21:36.144Z" , "uid" : "266e8563-729e-412f-ba26-1050fbec0cd6" , "user" : "nic" }

There are multiple events with the mcp.session.end type.

MCP Session Ended

Example:

{ "code" : "TMCP002I" , "ei" : 0 , "event" : "mcp.session.end" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T12:22:22.222Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "success" : true }

MCP Session End Failure

Example:

{ "code" : "TMCP002E" , "ei" : 0 , "event" : "mcp.session.end" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T12:22:22.222Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "success" : true , "error" : "HTTP 405 Method Not Allowed" }

MCP Session Invalid Request

Example:

{ "code" : "TMCP006E" , "ei" : 0 , "event" : "mcp.session.invalid_http_request" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T12:22:22.222Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "method" : "OPTIONS" , "path" : "/" }

There are multiple events with the mcp.session.listen_sse_stream type.

MCP Session Listen

Example:

{ "code" : "TMCP005I" , "ei" : 0 , "event" : "mcp.session.listen_sse_stream" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T12:22:22.222Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "success" : true }

MCP Session Listen Failure

Example:

{ "code" : "TMCP005E" , "ei" : 0 , "event" : "mcp.session.listen_sse_stream" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T12:22:22.222Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "success" : false , "error" : "HTTP 405 Method Not Allowed" }

There are multiple events with the mcp.session.notification type.

MCP Session Notification

Example:

{ "code" : "TMCP004I" , "ei" : 0 , "event" : "mcp.session.notification" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T11:11:11.333Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "success" : true , "message" : { "method" : "notifications/initialized" , "jsonrpc" : "2.0" } }

MCP Session Notification Failure

Example:

{ "code" : "TMCP004E" , "ei" : 0 , "event" : "mcp.session.notification" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T11:11:11.333Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "success" : false , "message" : { "method" : "notifications/initialized" , "jsonrpc" : "2.0" } , "error" : "HTTP 401 Unauthorized" }

There are multiple events with the mcp.session.request type.

MCP Session Request

Example:

{ "code" : "TMCP003I" , "ei" : 0 , "event" : "mcp.session.request" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T11:11:11.222Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "success" : true , "message" : { "id" : 0 , "method" : "initialize" , "params" : { "clientInfo" : { "name" : "claude-ai" , "version" : "0.1.0" } , "protocolVersion" : "2024-11-05" } , "jsonrpc" : "2.0" } }

MCP Session Request Failure

Example:

{ "code" : "TMCP003E" , "ei" : 0 , "event" : "mcp.session.request" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T11:11:11.555Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" , "success" : false , "error" : "access denied" , "message" : { "id" : 2 , "method" : "tools/call" , "params" : { "name" : "write_file" , "arguments" : { "path" : "/etc/passwd" } } , "jsonrpc" : "2.0" } }

MCP Session Started

Example:

{ "code" : "TMCP001I" , "ei" : 0 , "event" : "mcp.session.start" , "namespace" : "default" , "server_id" : "a0518380-0d53-4188-ac8b-8ddd8103e45b" , "sid" : "6593cf87-9839-4f18-abf8-c54873aaeb4e" , "time" : "2025-05-23T11:11:11.111Z" , "uid" : "80400ed9-644e-4a6e-ab99-b264b34d0f55" , "user" : "ai-user" , "app_name" : "mcp-everything" }

There are multiple events with the mfa.delete type.

MFA Device Added

Example:

{ "cluster_name" : "localhost" , "code" : "T1006I" , "mfa_device_name" : "usb-c" , "mfa_device_type" : "U2F" , "mfa_device_uuid" : "7a6fbf23-d75c-4c62-8215-e962d0f2a1f3" , "ei" : 0 , "event" : "mfa.delete" , "time" : "2021-03-03T22:58:34.737Z" , "uid" : "9be91d9e-79ec-422b-b6ae-ccf7235476d4" , "user" : "awly" }

MFA Device Deleted

Example:

{ "cluster_name" : "localhost" , "code" : "T1007I" , "mfa_device_name" : "usb-c" , "mfa_device_type" : "U2F" , "mfa_device_uuid" : "7a6fbf23-d75c-4c62-8215-e962d0f2a1f3" , "ei" : 0 , "event" : "mfa.delete" , "time" : "2021-03-03T22:58:44.737Z" , "uid" : "c6afe861-d53c-42ce-837c-7920d2398b44" , "user" : "awly" }

MFA Authentication Attempt

Example:

{ "challenge_allow_reuse" : false , "challenge_scope" : "CHALLENGE_SCOPE_LOGIN" , "cluster_name" : "zarq" , "code" : "T1015I" , "ei" : 0 , "event" : "mfa_auth_challenge.create" , "time" : "2024-04-16T21:46:59.317Z" , "uid" : "815bbcf4-fb05-4e08-917c-7259e9332d69" , "user" : "llama" , "user_kind" : 1 }

There are multiple events with the mfa_auth_challenge.validate type.

MFA Authentication Success

Example:

{ "code" : "T1016I" , "event" : "mfa_auth_challenge.validate" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

MFA Authentication Failure

Example:

{ "code" : "T1016W" , "event" : "mfa_auth_challenge.validate" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

OIDC Auth Connector Created

Example:

{ "code" : "T8100I" , "event" : "oidc.created" , "name" : "new_oidc_connector" , "time" : "2020-06-05T19:29:14Z" , "uid" : "6208b4b9-0077-41aa-967a-f173b6bcc0d3" , "user" : "unimplemented" }

OIDC Auth Connector Deleted

Example:

{ "code" : "T8101I" , "event" : "oidc.deleted" , "name" : "new_oidc_connector" , "time" : "2020-06-05T19:29:14Z" , "uid" : "6208b4b9-0077-41aa-967a-f173b6bcc0d3" , "user" : "unimplemented" }

OIDC Auth Connector Updated

Example:

{ "code" : "T8102I" , "event" : "oidc.updated" , "name" : "new_oidc_connector" , "time" : "2020-06-05T19:29:14Z" , "uid" : "6208b4b9-0077-41aa-967a-f173b6bcc0d3" , "user" : "unimplemented" }

There are multiple events with the okta.access_list.sync type.

Okta access list synchronization completed

Example:

{ "code" : "TOK006I" , "event" : "okta.access_list.sync" , "time" : "2023-05-08T19:21:36.144Z" }

Okta access list synchronization failed

Example:

{ "code" : "TOK006E" , "event" : "okta.access_list.sync" , "time" : "2023-05-08T19:21:36.144Z" }

Okta applications have been updated

Example:

{ "code" : "TOK002I" , "event" : "okta.applications.update" , "time" : "2023-05-08T19:21:36.144Z" , "added" : 5 , "updated" : 1 , "deleted" : 7 }

There are multiple events with the okta.assignment.cleanup type.

Okta assignment has been cleaned up

Example:

{ "code" : "TOK005I" , "event" : "okta.assignment.cleanup" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "assignment-id" , "source" : "source" , "user" : "mike" }

Okta assignment failed to clean up

Example:

{ "code" : "TOK005E" , "event" : "okta.assignment.cleanup" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "assignment-id" , "source" : "source" , "user" : "mike" }

There are multiple events with the okta.assignment.process type.

Okta assignment has been processed

Example:

{ "code" : "TOK004I" , "event" : "okta.assignment.process" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "assignment-id" , "source" : "source" , "user" : "mike" }

Okta assignment failed to process

Example:

{ "code" : "TOK004E" , "event" : "okta.assignment.process" , "time" : "2023-05-08T19:21:36.144Z" , "name" : "assignment-id" , "source" : "source" , "user" : "mike" }

Okta groups have been updated

Example:

{ "code" : "TOK001I" , "event" : "okta.groups.update" , "time" : "2023-05-08T19:21:36.144Z" , "added" : 5 , "updated" : 1 , "deleted" : 7 }

Okta synchronization failed

Example:

{ "code" : "TOK003E" , "event" : "okta.sync.failure" , "time" : "2023-05-08T19:21:36.144Z" }

There are multiple events with the okta.user.sync type.

Okta user synchronization completed

Example:

{ "code" : "TOK007I" , "event" : "okta.user.sync" , "time" : "2023-05-08T19:21:36.144Z" , "num_users_created" : 5 , "num_users_deleted" : 1 , "num_users_modified" : 7 }

Okta user synchronization failed

Example:

{ "code" : "TOK007E" , "event" : "okta.user.sync" , "time" : "2023-05-08T19:21:36.144Z" }

Plugin Created

Example:

{ "code" : "PG001I" , "event" : "plugin.create" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Plugin Deleted

Example:

{ "code" : "PG003I" , "event" : "plugin.delete" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Plugin Updated

Example:

{ "code" : "PG002I" , "event" : "plugin.update" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

There are multiple events with the port type.

Port Forwarding Start

Example:

{ "code" : "T3003I" , "event" : "port" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Port Forwarding Failure

Example:

{ "code" : "T3003E" , "event" : "port" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Port Forwarding Stop

Example:

{ "code" : "T3003S" , "event" : "port" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Privilege Token Created

Example:

Recovery Codes Generated

Example:

There are multiple events with the recovery_code.used type.

Recovery Code Used

Example:

Recovery Code Use Failed

Example:

{ "cluster_name" : "localhost" , "code" : "T1009W" , "ei" : 0 , "error" : "recovery code did not match" , "event" : "recovery_code.used" , "message" : "recovery code did not match" , "success" : false , "time" : "2021-08-05T23:32:41.273Z" , "uid" : "714625ab-48d5-51d0-ab1f-c4b267881594" , "user" : [email protected]" }

Recovery Token Created

Example:

Reset Password Token Created

Example:

{ "code" : "T6000I" , "name" : "hello" , "event" : "reset_password_token.create" , "time" : "2020-06-05T16:24:22Z" , "ttl" : "8h0m0s" , "uid" : "85fef5df-6dca-475e-a049-393f4cf1d6a3" , "user" : "b331fb6c-85f9-4cb0-b308-3452420bf81e.one" }

Terminal Resize

Example:

User Role Created

Example:

{ "code" : "T9000I" , "event" : "role.created" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

User Role Deleted

Example:

{ "code" : "T9001I" , "event" : "role.deleted" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

User Role Updated

Example:

{ "code" : "T9002I" , "event" : "role.updated" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

SAML Connector Created

Example:

{ "code" : "T8200I" , "event" : "saml.created" , "name" : "new_saml_connector" , "time" : "2020-06-05T19:29:14Z" , "uid" : "6208b4b9-0077-41aa-967a-f173b6bcc0d3" , "user" : "unimplemented" }

SAML Connector Deleted

Example:

{ "code" : "T8201I" , "event" : "saml.deleted" , "name" : "new_saml_connector" , "time" : "2020-06-05T19:29:14Z" , "uid" : "6208b4b9-0077-41aa-967a-f173b6bcc0d3" , "user" : "unimplemented" }

SAML IdP authentication

Example:

{ "code" : "TSI000I" , "event" : "saml.idp.auth" , "time" : "2023-01-25T19:21:36.144Z" , "user" : "mike" , "session_id" : "123456" , "success" : true , "service_provider_entity_id" : "valid-entity-id" }

There are multiple events with the saml.idp.service.provider.create type.

SAML IdP service provider created

Example:

{ "code" : "TSI001I" , "event" : "saml.idp.service.provider.create" , "time" : "2023-01-25T19:21:36.144Z" , "name" : "saml-idp" , "updated_by" : "mike" , "service_provider_entity_id" : "valid-entity-id" }

SAML IdP service provider create failed

Example:

{ "code" : "TSI001W" , "event" : "saml.idp.service.provider.create" , "time" : "2023-01-25T19:21:36.144Z" , "name" : "saml-idp" , "updated_by" : "mike" , "service_provider_entity_id" : "valid-entity-id" }

There are multiple events with the saml.idp.service.provider.delete type.

SAML IdP service provider deleted

Example:

{ "code" : "TSI003I" , "event" : "saml.idp.service.provider.delete" , "time" : "2023-01-25T19:21:36.144Z" , "name" : "saml-idp" , "updated_by" : "mike" , "service_provider_entity_id" : "valid-entity-id" }

SAML IdP service provider delete failed

Example:

{ "code" : "TSI003W" , "event" : "saml.idp.service.provider.delete" , "time" : "2023-01-25T19:21:36.144Z" , "name" : "saml-idp" , "updated_by" : "mike" , "service_provider_entity_id" : "valid-entity-id" }

All SAML IdP service provider deleted

Example:

{ "code" : "TSI004I" , "event" : "saml.idp.service.provider.delete" , "time" : "2023-01-25T19:21:36.144Z" , "name" : "saml-idp" , "updated_by" : "mike" }

SAML IdP service provider delete failed

Example:

{ "code" : "TSI004W" , "event" : "saml.idp.service.provider.delete" , "time" : "2023-01-25T19:21:36.144Z" , "name" : "saml-idp" , "updated_by" : "mike" }

There are multiple events with the saml.idp.service.provider.update type.

SAML IdP service provider updated

Example:

{ "code" : "TSI002I" , "event" : "saml.idp.service.provider.update" , "time" : "2023-01-25T19:21:36.144Z" , "name" : "saml-idp" , "updated_by" : "mike" , "service_provider_entity_id" : "valid-entity-id" }

SAML IdP service provider update failed

Example:

{ "code" : "TSI002W" , "event" : "saml.idp.service.provider.update" , "time" : "2023-01-25T19:21:36.144Z" , "name" : "saml-idp" , "updated_by" : "mike" , "service_provider_entity_id" : "valid-entity-id" }

SAML Connector Updated

Example:

{ "code" : "T8202I" , "event" : "saml.updated" , "name" : "new_saml_connector" , "time" : "2020-06-05T19:29:14Z" , "uid" : "6208b4b9-0077-41aa-967a-f173b6bcc0d3" , "user" : "unimplemented" }

There are multiple events with the scim.create type.

SCIM Resource Creation Succeeded

Example:

{ "ei" : 163 , "time" : "2023-05-08T19:21:36.144Z" , "cluster" : "dev" , "code" : "TSCIM001I" , "event" : "scim.create" , "success" : true , "request" : { "id" : "ff5cea87-db00-4fa8-a30f-99f220f61075" , "source_address" : "127.0.0.1" , "user_agent" : "carrier pigeon" , "method" : "PUT" , "path" : "/scim/v2/Users" , "body" : { "active" : true , "id" : "external-id-0987654321" , "nickName" : "bofh" , "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:User" ] , "userName" : "root@localhost" } } , "integration" : "okta" , "resource_type" : "user" , "external_id" : "external-id-0987654321" , "teleport_id" : "root@localhost" }

SCIM Resource Creation Failed

Example:

{ "time" : "2023-05-08T19:21:36.144Z" , "cluster" : "dev" , "code" : "TSCIM001E" , "event" : "scim.create" , "success" : false , "error" : "Too many candidates" , "integration" : "okta" , "resource_type" : "group" , "teleport_id" : "access-list-guid" , "external_id" : "0987654321" , "display" : "Some group" }

There are multiple events with the scim.delete type.

SCIM Delete Succeeded

Example:

SCIM Delete Failed

Example:

{ "time" : "2023-05-08T19:21:37.000Z" , "cluster" : "dev" , "code" : "TSCIM003E" , "event" : "scim.delete" , "resource_type" : "group" , "success" : false , "error" : "no such group" , "integration" : "okta" , "teleport_id" : "access-list-guid" , "external_id" : "external-id-00123456789" , "display" : "some group" }

There are multiple events with the scim.get type.

SCIM Resource Fetch Succeeded

Example:

{ "code" : "TSCIM004I" , "event" : "scim.get" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

SCIM Resource Fetch Failed

Example:

{ "code" : "TSCIM004E" , "event" : "scim.get" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

There are multiple events with the scim.list type.

SCIM Resource Listing Succeeded

Example:

{ "ei" : 163 , "time" : "2023-05-08T19:21:36.144Z" , "cluster" : "dev" , "code" : "TSCIM005I" , "event" : "scim.list" , "success" : true , "integration" : "okta" , "resource_type" : "user" , "teleport_id" : "root@localhost" , "external_id" : "external-id-0987654321" , "display" : "local admin" }

SCIM Resource Listing Failed

Example:

{ "code" : "TSCIM005IE" , "event" : "scim.list" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

There are multiple events with the scim.update type.

SCIM Update Succeeded

Example:

SCIM Update Failed

Example:

There are multiple events with the scp type.

SCP Download

Example:

SCP Download Failed

Example:

{ "action" : "download" , "addr.local" : "192.168.0.105:3022" , "addr.remote" : "127.0.0.1:39932" , "cluster_name" : "im-a-cluster-name" , "code" : "T3004E" , "command" : "/home/path scp --remote-addr=\"127.0.0.1:39932\" --local-addr=\"111.222.0.105:3022\" -f ~/sdfsdf" , "ei" : 0 , "event" : "scp" , "exitCode" : "1" , "exitError" : "exit status 1" , "login" : "root" , "namespace" : "default" , "path" : "~/sdfsdf" , "server_id" : "8045a8cc-49bb-4e02-bdc99313" , "sid" : "8ff117ec-70a2-4481-8e359cf6" , "time" : "2019-04-22T19:41:23Z" , "uid" : "30e13b84-a51f-467676258b9bf" , "user" : "root" }

SCP Upload

Example:

{ "action" : "upload" , "addr.local" : "192.168.0.105:3022" , "addr.remote" : "127.0.0.1:57058" , "cluster_name" : "im-a-cluster-name" , "code" : "T3005I" , "command" : "/home/path scp --remote-addr=\"127.0.0.1:57058\" --local-addr=\"111.222.0.105:3022\" -t ~/" , "ei" : 0 , "event" : "scp" , "exitCode" : "0" , "login" : "root" , "namespace" : "default" , "path" : "~/" , "server_id" : "8045a8cc-49bb-4e02-bdc5-a782a313" , "sid" : "b484b5cc-9065-40fa-9a0c-db3" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" }

SCP Upload Failed

Example:

{ "code" : "T3005E" , "event" : "scp" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

SCP Disallowed

Example:

{ "code" : "T3010E" , "event" : "scp" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Access Monitoring Query Executed

Example:

{ "cluster_name" : "root.com" , "code" : "SRE001I" , "data_scanned_in_bytes" : 4045 , "days" : 90 , "event" : "secreports.audit.query.run" , "query" : "select * FROM cert_create" , "success" : true , "time" : "2023-10-09T10:09:10.473Z" , "total_execution_time_in_millis" : 1440 , "uid" : "dc29d36c-c5b6-4ffc-9aa7-2d9ba18a3953" , "user" : "marek" }

Access Monitoring Report Executed

Example:

{ "cluster_name" : "root.com" , "code" : "SRE002I" , "data_scanned_in_bytes" : 13258 , "event" : "secreports.report.run" , "name" : "privilege_access_report_90_days" , "success" : true , "time" : "2023-10-09T09:10:03.633Z" , "total_execution_time_in_millis" : 14082 , "uid" : "f44871b9-7247-467b-a760-8159d3f47bac" , "user" : "system" }

Session Command

Example:

{ "argv" : [ "google.com" ] , "cgroup_id" : 4294968064 , "code" : "T4000I" , "ei" : 5 , "event" : "session.command" , "login" : "root" , "namespace" : "default" , "path" : "/bin/ping" , "pid" : 2653 , "ppid" : 2660 , "program" : "ping" , "return_code" : 0 , "server_id" : "96f2bed2-ebd1-494a-945c-2fd57de41644" , "sid" : "44c6cea8-362f-11ea-83aa-125400432324" , "time" : "2020-01-13T18:05:53.919Z" , "uid" : "734930bb-00e6-4ee6-8798-37f1e9473fac" , "user" : "benarent" }

Session Connected

Example:

{ "addr.local" : "192.168.0.106:43858" , "addr.remote" : "192.168.0.106:3022" , "cluster_name" : "im-a-cluster-name" , "code" : "T2010I" , "ei" : 0 , "event" : "session.connect" , "server_addr" : "192.168.0.106:43858" , "server_id" : "bd5eff-f59b-4fb3-b8ed-757c52ff" , "time" : "2022-02-04T18:15:28.572Z" , "uid" : "f2a0f9-d78c-4c38-b3fa-ca63453b" }

Session Data

Example:

{ "addr.local" : "172.10.1.1:3022" , "addr.remote" : "172.10.1.254:46992" , "code" : "T2006I" , "ei" : 2147483646 , "event" : "session.data" , "login" : "root" , "rx" : 3974 , "server_id" : "b331fb6c-85f9-4cb0-b308-3452420bf81e" , "sid" : "5fc8bf85-a73e-11ea-afd1-0242ac0a0101" , "time" : "2020-06-05T15:14:51Z" , "tx" : 4730 , "uid" : "2f2f07d0-8a01-4abe-b1c0-5001fd86829b" , "user" : "Stanley_Cooper" }

Session File Access

Example:

{ "code" : "T4001I" , "event" : "session.disk" , "namespace" : "default" , "sid" : "44c6cea8-362f-11ea-83aa-125400432324" , "server_id" : "96f2bed2" , "login" : "root" , "user" : "benarent" , "pid" : 2653 , "cgroup_id" : 4294968064 , "program" : "bash" , "path" : "/etc/profile.d/" , "flags" : 2100000 , "return_code" : 0 , "time" : "2019-04-22T19:39:26.676Z" }

Session Ended

Example:

{ "cluster_name" : "kimlisa.cloud.gravitational.io" , "code" : "T2004I" , "ei" : 1 , "enhanced_recording" : false , "event" : "session.end" , "interactive" : false , "login" : "root" , "namespace" : "default" , "participants" : [ "foo" ] , "server_addr" : "172.31.30.254:32962" , "server_hostname" : "ip-172-31-30-254" , "server_id" : "d3ddd1f8-b602-488b-00c66e29879f" , "session_start" : "2021-05-21T22:23:55.313562027Z" , "session_stop" : "2021-05-21T22:54:27.122508023Z" , "sid" : "9d92ad96-a45c-4add-463cc7bc48b1" , "time" : "2021-05-21T22:54:27.123Z" , "uid" : "984ac949-6605-4f0a-e450aa5665f4" , "user" : "foo" }

User Joined

Example:

User Disconnected

Example:

{ "code" : "T2003I" , "event" : "session.leave" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Session Network Connection

Example:

{ "code" : "T4002I" , "event" : "session.network" , "namespace" : "default" , "sid" : "44c6cea8-362f-11ea-83aa-125400432324" , "server_id" : "96f2bed2" , "login" : "root" , "user" : "benarent" , "pid" : 2653 , "cgroup_id" : 4294968064 , "program" : "bash" , "src_addr" : "10.217.136.161" , "dst_addr" : "190.58.129.4" , "dst_port" : "3000" , "version" : 4 , "time" : "2019-04-22T19:39:26.676Z" , "action" : 1 }

Session Process Exit

Example:

{ "code" : "T4003I" , "event" : "session.process_exit" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Session Recording Accessed

Example:

Session Rejected

Example:

{ "code" : "T1006W" , "event" : "session.rejected" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Session Started

Example:

Session Uploaded

Example:

{ "code" : "T2005I" , "event" : "session.upload" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Session Recording Configuration Updated

Example:

{ "code" : "TCREC003I" , "event" : "session_recording_config.update" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

There are multiple events with the sftp type.

SFTP Open

Example:

{ "action" : 1 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS001I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Open Failed

Example:

{ "action" : 1 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS001E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Setstat

Example:

{ "action" : 7 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS007I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Setstat Failed

Example:

{ "action" : 7 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS007E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Opendir

Example:

{ "action" : 9 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS009I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Opendir Failed

Example:

{ "action" : 9 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS009E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Readdir

Example:

{ "action" : 10 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS010I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Readdir Failed

Example:

{ "action" : 10 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS010E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Remove

Example:

{ "action" : 11 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS011I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Remove Failed

Example:

{ "action" : 11 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS011E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Mkdir

Example:

{ "action" : 12 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS012I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Mkdir Failed

Example:

{ "action" : 12 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS012E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Rmdir

Example:

{ "action" : 13 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS013I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Rmdir Failed

Example:

{ "action" : 13 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS013E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Rename

Example:

{ "action" : 16 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS016I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Rename Failed

Example:

{ "action" : 16 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS016E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Symlink

Example:

{ "action" : 18 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS018I" , "ei" : 0 , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Symlink Failed

Example:

{ "action" : 18 , "addr.local" : "[::1]:3022" , "addr.remote" : "127.0.0.1:41106" , "cluster_name" : "im-a-cluster-name" , "code" : "TS018E" , "ei" : 0 , "error" : "EOF" , "event" : "sftp" , "login" : "root" , "namespace" : "default" , "path" : "/tmp/file" , "server_hostname" : "im-a-server-hostname" , "server_id" : "e106fdd0-51db-4efa-a9ab-c3afa7a1565a" , "sid" : "" , "time" : "2019-04-22T19:41:23Z" , "uid" : "16bfdc34-2766-a5d3-dfd6f7ff7ad6" , "user" : "root" , "working_directory" : "/root" }

SFTP Link

Example:

{ "code" : "TS019I" , "event" : "sftp" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

SFTP Link Failed

Example:

{ "code" : "TS019E" , "event" : "sftp" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

SFTP Disallowed

Example:

{ "code" : "TS020E" , "event" : "sftp" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

File Transfer Completed

Example:

{ "code" : "TS021I" , "event" : "sftp_summary" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Sigstore Policy Created

Example:

{ "addr.remote" : "203.0.113.77:64794" , "cluster_name" : "clustername" , "code" : "TSSP001I" , "ei" : 0 , "event" : "sigstore_policy.create" , "expires" : "0001-01-01T00:00:00Z" , "name" : "default" , "time" : "2025-03-26T01:14:36.881Z" , "uid" : "e52def2f-4109-4cc9-91a8-150c6792f89f" , "user" : "bob" , "user_kind" : 1 }

Sigstore Policy Deleted

Example:

{ "addr.remote" : "203.0.113.77:64794" , "cluster_name" : "clustername" , "code" : "TSSP003I" , "ei" : 0 , "event" : "sigstore_policy.delete" , "expires" : "0001-01-01T00:00:00Z" , "name" : "default" , "time" : "2025-03-26T01:14:36.881Z" , "uid" : "e52def2f-4109-4cc9-91a8-150c6792f89f" , "user" : "bob" , "user_kind" : 1 }

Sigstore Policy Updated

Example:

{ "addr.remote" : "203.0.113.77:64794" , "cluster_name" : "clustername" , "code" : "TSSP002I" , "ei" : 0 , "event" : "sigstore_policy.update" , "expires" : "0001-01-01T00:00:00Z" , "name" : "default" , "time" : "2025-03-26T01:14:36.881Z" , "uid" : "e52def2f-4109-4cc9-91a8-150c6792f89f" , "user" : "bob" , "user_kind" : 1 }

There are multiple events with the spiffe.svid.issued type.

SPIFFE SVID Issued

Example:

{ "addr.remote" : "127.0.0.1:54378" , "cluster_name" : "leaf.tele.ottr.sh" , "code" : "TSPIFFE000I" , "dns_sans" : null , "ei" : 0 , "event" : "spiffe.svid.issued" , "hint" : "" , "ip_sans" : null , "serial_number" : "d1:e5:fc:bf:19:67:e7:8c:7a:21:37:b5:05:ea:77:41" , "spiffe_id" : "spiffe://example.teleport.com/bar" , "svid_type" : "x509" , "time" : "2024-02-02T15:48:25.35Z" , "uid" : "45e13afc-0890-4ffb-b125-99d93c26d7de" , "user" : "bot-test12" , "user_kind" : 2 }

SPIFFE SVID Issued Failure

Example:

{ "code" : "TSPIFFE000E" , "event" : "spiffe.svid.issued" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

There are multiple events with the ssm.run type.

SSM Command Executed

Example:

{ "account_id" : "278576220453" , "cluster_name" : "localhost" , "code" : "TDS00I" , "command_id" : "e8a5f3ba-e9e5-4cbd-979b-18fd1e7ad00f" , "ei" : 0 , "event" : "ssm.run" , "exit_code" : 0 , "instance_id" : "i-057d0ffe877128673" , "region" : "eu-central-1" , "status" : "Success" , "time" : "2022-09-14T14:45:38.122Z" , "uid" : "d053a9a4-6362-4d46-8868-55d83b7b338f" }

SSM Command Execution Failed

Example:

{ "account_id" : "278576220453" , "cluster_name" : "localhost" , "code" : "TDS00W" , "command_id" : "c2936d68-fc0c-4c16-a860-916a97f57644" , "ei" : 0 , "event" : "ssm.run" , "exit_code" : 1 , "instance_id" : "i-057d0ffe877128673" , "region" : "eu-central-1" , "status" : "Failure" , "time" : "2022-09-14T14:45:38.122Z" , "uid" : "ad123558-1d20-42dd-bf82-a7c544d76550" }

Stable UNIX user created

Example:

{ "code" : "TSUU001I" , "event" : "stable_unix_user.create" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Static Host User Created

Example:

{ "code" : "SHU001I" , "event" : "static_host_user.create" , "time" : "2023-05-09T19:21:36.144Z" , "name" : "test-user" , "user" : "bob" }

Static Host User Deleted

Example:

{ "code" : "SHU003I" , "updated_by" : "joe" , "event" : "static_host_user.delete" , "time" : "2023-05-09T19:21:38.144Z" , "name" : "test-user" , "user" : "bob" }

Static Host User Updated

Example:

{ "code" : "SHU002I" , "event" : "static_host_user.update" , "time" : "2023-05-09T19:21:37.144Z" , "name" : "test-user" , "user" : "bob" }

There are multiple events with the subsystem type.

Subsystem Requested

Example:

{ "code" : "T3001I" , "event" : "subsystem" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Subsystem Request Failed

Example:

{ "code" : "T3001E" , "event" : "subsystem" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Trusted Cluster Created

Example:

{ "code" : "T7000I" , "event" : "trusted_cluster.create" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Trusted Cluster Deleted

Example:

{ "code" : "T7001I" , "event" : "trusted_cluster.delete" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Trusted Cluster Token Created

Example:

{ "code" : "T7002I" , "event" : "trusted_cluster_token.create" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Unknown Event

Example:

{ "code" : "TCC00E" , "event" : "unknown" , "time" : "2020-06-05T16:24:05Z" , "uid" : "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0" }

Upgrade Window Start Updated

Example:

User Created

Example:

{ "code" : "T1002I" , "connector" : "local" , "name" : "hello" , "event" : "user.create" , "expires" : "0001-01-01T00:00:00Z" , "roles" : [ "admin" ] , "time" : "2020-06-05T16:24:05Z" , "uid" : "22a273678c-ee78-5ffc-a298-68a841555c98" , "user" : "b331fb6c-85f9-4cb0-b308-3452420bf81e.one" }

User Deleted

Example:

{ "code" : "T1004I" , "uid" : "b121fc4c-e419-56a2-a760-19cd746c0650" , "time" : "2020-06-05T16:24:05Z" , "event" : "user.delete" , "name" : "bob" , "user" : "benarent" }

There are multiple events with the user.login type.

Local Login

Example:

Local Login Failed

Example:

{ "code" : "T1000W" , "error" : "user(name=\"fsdfsdf\") not found" , "event" : "user.login" , "method" : "local" , "success" : false , "time" : "2019-04-22T18:06:32Z" , "uid" : "597bf08b-75b2-4dda-a578-e387c5ce9b76" , "user" : "fsdfsdf" }

SSO Test Flow Login

Example:

{ "attributes" : { "amr" : [ "pwd" ] , "at_hash" : "7_foQ_0QRVU5dIq_B72_zw" , "aud" : "0oa17kaknnntGFKiJ0h8" , "auth_time" : 1653294514 , "email" : [email protected]" , "email_verified" : true , "exp" : 1653298115 , "groups" : [ "Everyone" , "okta-admin" , "okta-dev" ] , "iat" : 1653294515 , "idp" : "00oafg105f5D4gv5Y0h7" , "iss" : "https://dev-813354.oktapreview.com" , "jti" : "ID.e_EKsCvMELMLa-Gx0aciOazUvPEFdZSxhTj42zccz3g" , "sub" : "00uafg106hK16pwqE0h7" , "ver" : 1 } , "cluster_name" : "boson.tener.io" , "code" : "T1010I" , "ei" : 0 , "event" : "user.login" , "method" : "oidc" , "success" : true , "time" : "2022-05-23T08:28:37.067Z" , "uid" : "7d440ee1-15f6-4b56-9391-344e8984fd97" , "user" : [email protected]" }

SSO Test Flow Login Failed

Example: