Version: 16.x


Database Access Audit Events Reference

You can view database session activity in the audit log. After a session is uploaded, you can play back the audit data with the tsh play command.

The database session ID is in UUID format (for example, 307b49d6-56c7-4d20-8cf0-5bc5348a7101). To get a database session ID, look in the audit log for the value under the sid key.

Example:

tsh play --format json database.session

{
  "cluster_name": "teleport.example.com",
  "code": "TDB02I",
  "db_name": "example",
  "db_origin": "dynamic",
  "db_protocol": "postgres",
  "db_query": "select * from sample;",
  "db_roles": ["access"],
  "db_service": "example",
  "db_type": "rds",
  "db_uri": "databases-1.us-east-1.rds.amazonaws.com:5432",
  "db_user": "alice",
  "ei": 2,
  "event": "db.session.query",
  "sid": "307b49d6-56c7-4d20-8cf0-5bc5348a7101",
  "success": true,
  "time": "2023-10-06T10:58:32.88Z",
  "uid": "a649d925-9dac-44cc-bd04-4387c295580f",
  "user": "alice"
}

The audit log is viewable in Activity under Management in the Web UI for users with permission to the event resources. Database sessions do not appear in the session recordings page.

Emitted when a client successfully connects to a database, or when a connection attempt fails due to access denied.

Successful connection event:

{
  "cluster_name": "root",
  "code": "TDB00I",
  "db_name": "test",
  "db_protocol": "postgres",
  "db_service": "local",
  "db_uri": "localhost:5432",
  "db_user": "postgres",
  "ei": 0,
  "event": "db.session.start",
  "namespace": "default",
  "server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e",
  "sid": "63b6fa11-cd44-477b-911a-602b75ab13b5",
  "success": true,
  "time": "2021-04-27T23:00:26.014Z",
  "uid": "eac5b6c8-384a-4471-9559-e135834b1ab0",
  "user": "alice"
}

Access denied event:

{
  "cluster_name": "root",
  "code": "TDB00W",
  "db_name": "test",
  "db_protocol": "postgres",
  "db_service": "local",
  "db_uri": "localhost:5432",
  "db_user": "superuser",
  "ei": 0,
  "error": "access to database denied",
  "event": "db.session.start",
  "message": "access to database denied",
  "namespace": "default",
  "server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e",
  "sid": "d18388e5-cc7c-4624-b22b-d36db60d0c50",
  "success": false,
  "time": "2021-04-27T23:03:05.226Z",
  "uid": "507fe008-99a4-4247-8603-6ba03408d047",
  "user": "alice"
}

Emitted when a client disconnects from the database.

{
  "cluster_name": "root",
  "code": "TDB01I",
  "db_name": "test",
  "db_protocol": "postgres",
  "db_service": "local",
  "db_uri": "localhost:5432",
  "db_user": "postgres",
  "ei": 3,
  "event": "db.session.end",
  "sid": "63b6fa11-cd44-477b-911a-602b75ab13b5",
  "time": "2021-04-27T23:00:30.046Z",
  "uid": "a626b22d-bbd0-40ef-9896-b7ff365664b0",
  "user": "alice"
}

Emitted when a client executes a SQL query.

{
  "cluster_name": "root",
  "code": "TDB02I",
  "db_name": "test",
  "db_protocol": "postgres",
  "db_query": "INSERT INTO public.test (id,\"timestamp\",json)\n\tVALUES ($1,$2,$3)",
  "db_query_parameters": ["test-id", "2022-04-02 17:50:20-07", "{\"k\": \"v\"}"],
  "db_service": "local",
  "db_uri": "localhost:5432",
  "db_user": "postgres",
  "ei": 29,
  "event": "db.session.query",
  "sid": "691e6f70-3c31-4412-90aa-fe0558abb212",
  "time": "2021-04-27T23:04:57.395Z",
  "uid": "9f7b4179-b9cf-4302-bb7c-1408e404823f",
  "user": "alice"
}
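The following Python script is an added example, not part of the Teleport documentation or code base. It groups the db.session.start, db.session.query and db.session.end events shown above by sid, then reports sessions that have no end event and identities that were repeatedly denied a connection. It assumes the events arrive as one JSON object per line; the sample events, the sid values, the function names and the threshold of 2 are constructed for this example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample audit events (one JSON object per line); only fields
# shown in the events on this page are used. The sid values are made up.
SAMPLE_LOG = """
{"event":"db.session.start","code":"TDB00I","sid":"sid-1","success":true,"user":"alice","db_user":"postgres","db_service":"local","ei":0}
{"event":"db.session.query","code":"TDB02I","sid":"sid-1","user":"alice","db_user":"postgres","db_service":"local","db_query":"select * from sample;","ei":1}
{"event":"db.session.end","code":"TDB01I","sid":"sid-1","user":"alice","db_user":"postgres","db_service":"local","ei":2}
{"event":"db.session.start","code":"TDB00W","sid":"sid-2","success":false,"error":"access to database denied","user":"alice","db_user":"superuser","db_service":"local","ei":0}
{"event":"db.session.start","code":"TDB00W","sid":"sid-3","success":false,"error":"access to database denied","user":"alice","db_user":"superuser","db_service":"local","ei":0}
{"event":"db.session.start","code":"TDB00I","sid":"sid-4","success":true,"user":"bob","db_user":"postgres","db_service":"local","ei":0}
{"event":"db.session.query","code":"TDB02I","sid":"sid-4","user":"bob","db_user":"postgres","db_service":"local","db_query":"select 1;","ei":1}
"""

def load_events(text):
    """Parse newline-delimited JSON, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize(events):
    """Return (sessions keyed by sid, Counter of denied connection attempts)."""
    sessions = defaultdict(lambda: {"user": None, "db_user": None, "queries": [], "ended": False})
    denied = Counter()
    for ev in events:
        kind = ev.get("event")
        if kind == "db.session.start" and ev.get("success") is False:
            # Access denied: the connection attempt failed, so count it per identity.
            denied[(ev["user"], ev["db_user"], ev["db_service"])] += 1
        elif kind == "db.session.start":
            sessions[ev["sid"]].update(user=ev["user"], db_user=ev["db_user"])
        elif kind == "db.session.query":
            sessions[ev["sid"]]["queries"].append(ev["db_query"])
        elif kind == "db.session.end":
            sessions[ev["sid"]]["ended"] = True
    return dict(sessions), denied

def open_sessions(sessions):
    """Session IDs that have no db.session.end event in the input."""
    return sorted(sid for sid, s in sessions.items() if not s["ended"])

def repeated_denials(denied, threshold=2):
    """(user, db_user, db_service) tuples denied at least `threshold` times."""
    return {key: n for key, n in denied.items() if n >= threshold}

if __name__ == "__main__":
    sessions, denied = summarize(load_events(SAMPLE_LOG))
    print("open sessions:", open_sessions(sessions))
    print("repeated denials:", repeated_denials(denied))
```
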

Emitted when a client executes a remote procedure call (RPC), or when an RPC execution attempt fails due to access denied.