Version: 18.x (unreleased)

Desktop Access Audit Events Reference

This guide lists the structures and field names of audit events related to connecting to remote desktops with Teleport. Use this guide to understand desktop-related audit events and configure your log management solutions if you are exporting audit events.

The windows.desktop.session.start event is emitted when a client successfully connects to a desktop or when a connection attempt fails because access was denied.

Successful connection event:

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP00I",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "ei": 0,
  "event": "windows.desktop.session.start",
  "login": "administrator",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true,
  "time": "2022-02-16T16:43:30.459Z",
  "uid": "1605346b-d90b-4df7-8148-67a3e2d85673",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

Access denied event:

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP00W",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "ei": 0,
  "error": "access to desktop denied",
  "event": "windows.desktop.session.start",
  "message": "access to desktop denied",
  "login": "administrator",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": false,
  "time": "2022-02-16T16:43:30.459Z",
  "uid": "1605346b-d90b-4df7-8148-67a3e2d85673",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

The windows.desktop.session.end event is emitted when a client disconnects from the desktop.

{
  "cluster_name": "root",
  "code": "TDP01I",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "desktop_name": "WIN-I44F9TN11M3-teleport-example-com",
  "ei": 0,
  "event": "windows.desktop.session.end",
  "login": "administrator",
  "participants": [
    "alice"
  ],
  "recorded": true,
  "session_start": "2022-02-16T16:43:30.459Z",
  "session_stop": "2022-02-16T16:46:50.894Z",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:46:50.895Z",
  "uid": "c7956a81-597f-4452-90d7-800506f7a05b",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

The desktop.clipboard.send event is emitted when clipboard data is sent from a user's workstation to Teleport. To avoid capturing sensitive data, the event records only the number of bytes that were sent.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP02I",
  "desktop_addr": "192.168.1.206:3389",
  "ei": 0,
  "event": "desktop.clipboard.send",
  "length": 4,
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:43:40.010217Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

The desktop.clipboard.receive event is emitted when Teleport receives clipboard data from a remote desktop. To avoid capturing sensitive data, the event records only the number of bytes that were received.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP03I",
  "desktop_addr": "192.168.1.206:3389",
  "ei": 0,
  "event": "desktop.clipboard.receive",
  "length": 4,
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:43:40.010217Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

The desktop.directory.share event is emitted when Teleport starts sharing a directory on a local machine with the remote desktop.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP04I",
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.share",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true,
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

The desktop.directory.read event is part of the directory sharing feature. It is emitted when Teleport reads data from a file on the user's local machine and sends it to the remote Windows desktop.

To avoid capturing sensitive data, the event records only the offset from the start of the file at which the read began and the number of bytes that were sent.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP05I",
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.read",
  "file_path": "powershell-scripts/a-script.ps1",
  "length": 734,
  "offset": 0,
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true,
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}
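
For log pipelines that consume these events, the following added example (not part of the Teleport documentation or code base) groups exported events by sid to report denied connection attempts, session duration, and the byte counts moved over the clipboard and shared directories. It assumes the export is one JSON object per line; the sample events, the user "bob" and the sid values are constructed and trimmed to the fields used.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export, one JSON event per line, trimmed to the fields used below.
SAMPLE = """\
{"code":"TDP00W","event":"windows.desktop.session.start","success":false,"user":"bob","windows_user":"administrator","desktop_addr":"192.168.1.206:3389","sid":"s-0","time":"2022-02-16T16:40:00.000Z"}
{"code":"TDP00I","event":"windows.desktop.session.start","success":true,"user":"alice","windows_user":"administrator","desktop_addr":"192.168.1.206:3389","sid":"s-1","time":"2022-02-16T16:43:30.459Z"}
{"code":"TDP02I","event":"desktop.clipboard.send","length":4,"user":"alice","sid":"s-1"}
{"code":"TDP03I","event":"desktop.clipboard.receive","length":2048,"user":"alice","sid":"s-1"}
{"code":"TDP05I","event":"desktop.directory.read","file_path":"powershell-scripts/a-script.ps1","length":734,"offset":0,"success":true,"user":"alice","sid":"s-1"}
{"code":"TDP01I","event":"windows.desktop.session.end","user":"alice","sid":"s-1","recorded":true,"session_start":"2022-02-16T16:43:30.459Z","session_stop":"2022-02-16T16:46:50.894Z"}
"""

def _ts(value):
    # Timestamps in the events are RFC 3339 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize(lines):
    """Return (denied_attempts, per-session summary keyed by sid)."""
    denied = []
    sessions = defaultdict(lambda: {"user": None, "clipboard_to_desktop": 0,
                                    "clipboard_from_desktop": 0, "dir_read_bytes": 0,
                                    "files_read": set(), "duration_s": None, "recorded": None})
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        kind, sid = ev.get("event"), ev.get("sid")
        if kind == "windows.desktop.session.start" and ev.get("success") is False:
            denied.append((ev.get("user"), ev.get("windows_user"), ev.get("desktop_addr")))
            continue  # a denied attempt never becomes a session
        s = sessions[sid]
        s["user"] = ev.get("user", s["user"])
        if kind == "desktop.clipboard.send":        # workstation -> desktop
            s["clipboard_to_desktop"] += ev.get("length", 0)
        elif kind == "desktop.clipboard.receive":   # desktop -> workstation
            s["clipboard_from_desktop"] += ev.get("length", 0)
        elif kind == "desktop.directory.read" and ev.get("success"):
            s["dir_read_bytes"] += ev.get("length", 0)
            s["files_read"].add(ev.get("file_path"))
        elif kind == "windows.desktop.session.end":
            s["duration_s"] = (_ts(ev["session_stop"]) - _ts(ev["session_start"])).total_seconds()
            s["recorded"] = ev.get("recorded")
    return denied, dict(sessions)

DENIED, SESSIONS = summarize(SAMPLE.splitlines())
```

Because the clipboard and directory events carry only byte counts, per-session totals like these are the most a log pipeline can alert on; the transferred content itself is never in the audit log.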

This event is part of the directory sharing feature, and is emitted when Teleport writes data from the remote desktop to a file on the user's local machine.

To avoid capturing sensitive data, the event records only the offset from the start of the file at which the write began and the number of bytes that were written.