Teleport Logs
Connecting Teleport logs to your Panther Console

Overview

Panther supports ingesting Teleport logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Teleport logs to Panther

To pull these logs into Panther:
  1. Set up your Data Transport in the Panther Console.
    • Please follow Panther’s documentation for configuring the Data Transport option you will use.
  2. Configure your Data Transport source to pull in logs from Teleport.
    • See the Data Transport service provider's documentation for instructions on pulling in logs.

Supported log types

Gravitational.TeleportAudit

Required fields are in bold.
Teleport logs events such as successful user logins, along with metadata such as the remote IP address, the time, and the session ID. Please see Teleport's Cluster Administration Guide for more information.
| Column | Type | Description |
| --- | --- | --- |
| event | string | Event type |
| code | string | Event code |
| time | timestamp | Event timestamp |
| uid | string | Event unique id |
| user | string | Teleport user name (event type is 'user.login') |
| namespace | string | Server namespace. This field is reserved for future use. |
| server_id | string | Unique server ID. |
| sid | string | Session ID. Can be used to replay the session. |
| ei | int | Event numeric id |
| login | string | OS login |
| addr_local | string | Address of the SSH node |
| addr_remote | string | Address of the connecting client (user) |
| size | string | Size of terminal |
| success | boolean | Authentication success (if event type is 'auth') |
| error | string | Authentication error (event type is 'auth') |
| command | string | Command that was executed (event type is 'exec') |
| exitCode | int | Exit code of the command (event type is 'exec') |
| exitError | string | Exit error of the command (event type is 'exec') |
| pid | bigint | Process id of command |
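
The following added example (not part of Panther's or Teleport's documentation) shows one way to use these columns for detection: it counts failed 'auth' events per client address inside a sliding time window. The sample events are constructed, and the 'ip:port' form of addr_remote, the RFC 3339 UTC timestamps, and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; keys follow the Gravitational.TeleportAudit columns.
SAMPLE_EVENTS = [
    {"event": "auth", "time": "2024-01-01T10:00:00Z", "addr_remote": "198.51.100.7:50122", "success": False, "error": "constructed"},
    {"event": "auth", "time": "2024-01-01T10:01:10Z", "addr_remote": "198.51.100.7:50188", "success": False, "error": "constructed"},
    {"event": "auth", "time": "2024-01-01T10:02:30Z", "addr_remote": "198.51.100.7:50240", "success": False, "error": "constructed"},
    {"event": "auth", "time": "2024-01-01T10:03:00Z", "addr_remote": "198.51.100.7:50301", "success": True},
    {"event": "auth", "time": "2024-01-01T10:00:05Z", "addr_remote": "203.0.113.9:40000", "success": False, "error": "constructed"},
    {"event": "auth", "time": "2024-01-01T10:00:50Z", "addr_remote": "203.0.113.9:40001", "success": False, "error": "constructed"},
    {"event": "auth", "time": "2024-01-01T09:00:00Z", "addr_remote": "192.0.2.44:61000", "success": False, "error": "constructed"},
    {"event": "auth", "time": "2024-01-01T09:15:00Z", "addr_remote": "192.0.2.44:61001", "success": False, "error": "constructed"},
    {"event": "auth", "time": "2024-01-01T09:30:00Z", "addr_remote": "192.0.2.44:61002", "success": False, "error": "constructed"},
    {"event": "exec", "time": "2024-01-01T10:04:00Z", "addr_remote": "198.51.100.7:50301", "command": "ls", "exitCode": 0},
]

def client_ip(addr_remote):
    """Strip a trailing port (assumed forms: 'ip:port' or '[v6]:port')."""
    if addr_remote.startswith("["):
        return addr_remote[1:addr_remote.index("]")]
    if addr_remote.count(":") == 1:
        return addr_remote.split(":")[0]
    return addr_remote  # bare IPv4/IPv6 address without a port

def parse_time(ts):
    # Assumes RFC 3339 UTC timestamps ending in 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: peak failure count} for clients with at least
    `threshold` failed 'auth' events inside any window of length `window`."""
    failures = defaultdict(list)
    for e in events:
        # Only failed authentication events with a client address count.
        if e.get("event") == "auth" and e.get("success") is False and e.get("addr_remote"):
            failures[client_ip(e["addr_remote"])].append(parse_time(e["time"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            peak = end - start + 1
            if peak >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), peak)
    return flagged
```

Grouping on the address with the port stripped matters because each connection attempt normally arrives from a different source port.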