Database Access Audit Events Reference
You can view database session activity in the audit log.
After a session is uploaded, you can play back the audit data
with the tsh play
command.
Database session ID will be in a UUID format (ex: 307b49d6-56c7-4d20-8cf0-5bc5348a7101
)
See the audit log to get a database session ID with a key of sid
.
Example:
$ tsh play --format json database.session
{
"cluster_name": "teleport.example.com",
"code": "TDB02I",
"db_name": "example",
"db_origin": "dynamic",
"db_protocol": "postgres",
"db_query": "select * from sample;",
"db_roles": [
"access"
],
"db_service": "example",
"db_type": "rds",
"db_uri": "databases-1.us-east-1.rds.amazonaws.com:5432",
"db_user": "alice",
"ei": 2,
"event": "db.session.query",
"sid": "307b49d6-56c7-4d20-8cf0-5bc5348a7101",
"success": true,
"time": "2023-10-06T10:58:32.88Z",
"uid": "a649d925-9dac-44cc-bd04-4387c295580f",
"user": "alice"
}
The audit log is viewable in Activity under Management in the Web UI for users
with permission to the event
resources. Database sessions do not appear
in the session recordings page.
db.session.start (TDB00I/W)
Emitted when a client successfully connects to a database, or when a connection attempt fails due to access denied.
Successful connection event:
{
"cluster_name": "root", // Teleport cluster name.
"code": "TDB00I", // Event code.
"db_name": "test", // Database/schema name.
"db_protocol": "postgres", // Database protocol.
"db_service": "local", // Database service name.
"db_uri": "localhost:5432", // Database server endpoint.
"db_user": "postgres", // Database account name.
"ei": 0, // Event index within the session.
"event": "db.session.start", // Event name.
"namespace": "default", // Event namespace, always "default".
"server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e", // Database Service host ID.
"sid": "63b6fa11-cd44-477b-911a-602b75ab13b5", // Unique database session ID.
"success": true, // Indicates successful connection.
"time": "2021-04-27T23:00:26.014Z", // Event timestamp.
"uid": "eac5b6c8-384a-4471-9559-e135834b1ab0", // Unique event ID.
"user": "alice" // Teleport user name.
}
Access denied event:
{
"cluster_name": "root", // Teleport cluster name.
"code": "TDB00W", // Event code.
"db_name": "test", // Database/schema name user attempted to connect to.
"db_protocol": "postgres", // Database protocol.
"db_service": "local", // Database service name.
"db_uri": "localhost:5432", // Database server endpoint.
"db_user": "superuser", // Database account name user attempted to log in as.
"ei": 0, // Event index within the session.
"error": "access to database denied", // Connection error.
"event": "db.session.start", // Event name.
"message": "access to database denied", // Detailed error message.
"namespace": "default", // Event namespace, always "default".
"server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e", // Database Service host ID.
"sid": "d18388e5-cc7c-4624-b22b-d36db60d0c50", // Unique database session ID.
"success": false, // Indicates unsuccessful connection.
"time": "2021-04-27T23:03:05.226Z", // Event timestamp.
"uid": "507fe008-99a4-4247-8603-6ba03408d047", // Unique event ID.
"user": "alice" // Teleport user name.
}
db.session.end (TDB01I)
Emitted when a client disconnects from the database.
{
"cluster_name": "root", // Teleport cluster name.
"code": "TDB01I", // Event code.
"db_name": "test", // Database/schema name.
"db_protocol": "postgres", // Database protocol.
"db_service": "local", // Database service name.
"db_uri": "localhost:5432", // Database server endpoint.
"db_user": "postgres", // Database account name.
"ei": 3, // Event index within the session.
"event": "db.session.end", // Event name.
"sid": "63b6fa11-cd44-477b-911a-602b75ab13b5", // Unique database session ID.
"time": "2021-04-27T23:00:30.046Z", // Event timestamp.
"uid": "a626b22d-bbd0-40ef-9896-b7ff365664b0", // Unique event ID.
"user": "alice" // Teleport user name.
}
db.session.query (TDB02I)
Emitted when a client executes a SQL query.
{
"cluster_name": "root", // Teleport cluster name.
"code": "TDB02I", // Event code.
"db_name": "test", // Database/schema name.
"db_protocol": "postgres", // Database protocol.
"db_query": "INSERT INTO public.test (id,\"timestamp\",json)\n\tVALUES ($1,$2,$3)", // Query text.
"db_query_parameters": [ // Query parameters (for prepared statements).
"test-id",
"2022-04-02 17:50:20-07",
"{\"k\": \"v\"}"
],
"db_service": "local", // Database service name.
"db_uri": "localhost:5432", // Database server endpoint.
"db_user": "postgres", // Database account name.
"ei": 29, // Event index within the session.
"event": "db.session.query", // Event name.
"sid": "691e6f70-3c31-4412-90aa-fe0558abb212", // Unique database session ID.
"time": "2021-04-27T23:04:57.395Z", // Event timestamp.
"uid": "9f7b4179-b9cf-4302-bb7c-1408e404823f", // Unique event ID.
"user": "alice" // Teleport user name.
}