Teleport supports multiple storage backends for storing audit events. The dir backend uses the local filesystem of an Auth Service host. When this backend is used, events are written to the filesystem in JSON format. The dir backend rotates the event file approximately once every 24 hours, but never deletes captured events.

For High Availability configurations, users can refer to our Athena, DynamoDB or Firestore chapters for information on how to configure the SSH events and recorded sessions to be stored on network storage. When these backends are in use, audit events will eventually expire and be removed from the log. The default retention period is 1 year, but this can be overridden using the retention_period configuration parameter.

It is even possible to store audit logs in multiple places at the same time. For more information on how to configure the audit log, refer to the storage section of the example configuration file in the Teleport Configuration Reference.

Let's examine the Teleport audit log using the dir backend. Teleport Auth Service instances write their logs to a subdirectory of Teleport's configured data directory that is named based on the service's UUID.

Each day is represented as a file: