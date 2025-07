Version: 19.x (unreleased)

Database Access Audit Events Reference

You can view database session activity in the audit log. After a session is uploaded, you can play back the audit data with the tsh play command.

Database session ID will be in a UUID format (ex: 307b49d6-56c7-4d20-8cf0-5bc5348a7101 ) See the audit log to get a database session ID with a key of sid .

Example:

tsh play --format json 307b49d6-56c7-4d20-8cf0-5bc5348a7101

{ "cluster_name" : "teleport.example.com" , "code" : "TDB02I" , "db_name" : "example" , "db_origin" : "dynamic" , "db_protocol" : "postgres" , "db_query" : "select * from sample;" , "db_roles" : [ "access" ] , "db_service" : "example" , "db_type" : "rds" , "db_uri" : "databases-1.us-east-1.rds.amazonaws.com:5432" , "db_user" : "alice" , "ei" : 2 , "event" : "db.session.query" , "sid" : "307b49d6-56c7-4d20-8cf0-5bc5348a7101" , "success" : true , "time" : "2023-10-06T10:58:32.88Z" , "uid" : "a649d925-9dac-44cc-bd04-4387c295580f" , "user" : "alice" }

The audit log is viewable under Audit in the left-hand pane via the Web UI for users with permission to the event resources. Database sessions do not appear in the session recordings page.

Emitted when a client successfully connects to a database, or when a connection attempt fails due to access denied.

Successful connection event:

{ "cluster_name" : "root" , "code" : "TDB00I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 0 , "event" : "db.session.start" , "namespace" : "default" , "server_id" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e" , "sid" : "63b6fa11-cd44-477b-911a-602b75ab13b5" , "success" : true , "time" : "2021-04-27T23:00:26.014Z" , "uid" : "eac5b6c8-384a-4471-9559-e135834b1ab0" , "user" : "alice" }

Access denied event:

{ "cluster_name" : "root" , "code" : "TDB00W" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "superuser" , "ei" : 0 , "error" : "access to database denied" , "event" : "db.session.start" , "message" : "access to database denied" , "namespace" : "default" , "server_id" : "05ff66c9-a948-42f4-af0e-a1b6ba62561e" , "sid" : "d18388e5-cc7c-4624-b22b-d36db60d0c50" , "success" : false , "time" : "2021-04-27T23:03:05.226Z" , "uid" : "507fe008-99a4-4247-8603-6ba03408d047" , "user" : "alice" }

Emitted when a client disconnects from the database.

{ "cluster_name" : "root" , "code" : "TDB01I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 3 , "event" : "db.session.end" , "sid" : "63b6fa11-cd44-477b-911a-602b75ab13b5" , "time" : "2021-04-27T23:00:30.046Z" , "uid" : "a626b22d-bbd0-40ef-9896-b7ff365664b0" , "user" : "alice" }

Emitted when a client executes a SQL query.

{ "cluster_name" : "root" , "code" : "TDB02I" , "db_name" : "test" , "db_protocol" : "postgres" , "db_query" : "INSERT INTO public.test (id,\"timestamp\",json)

\tVALUES ($1,$2,$3)" , "db_query_parameters" : [ "test-id" , "2022-04-02 17:50:20-07" , "{\"k\": \"v\"}" ] , "db_service" : "local" , "db_uri" : "localhost:5432" , "db_user" : "postgres" , "ei" : 29 , "event" : "db.session.query" , "sid" : "691e6f70-3c31-4412-90aa-fe0558abb212" , "time" : "2021-04-27T23:04:57.395Z" , "uid" : "9f7b4179-b9cf-4302-bb7c-1408e404823f" , "user" : "alice" }

Emitted when a client executes a remote procedure call (RPC), or when an RPC execution attempt fails due to access denied.