schema: Gravitational.TeleportAudit
description: Teleport logs events like successful user logins along with the metadata like remote IP address, time and the session ID.
referenceURL: https://goteleport.com/docs/admin-guide/#audit-log
fields:
  - name: event
    required: true
    description: Event type
    type: string
  - name: code
    required: true
    description: Event code
    type: string
  - name: time
    required: true
    description: Event timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: uid
    description: Event unique id
    type: string
  - name: user
    description: Teleport user name (event type is 'user.login')
    type: string
  - name: user_kind
    description: Teleport user kind
    type: bigint
  - name: namespace
    description: Server namespace. This field is reserved for future use.
    type: string
  - name: server_id
    description: Unique server ID.
    type: string
  - name: sid
    description: Session ID. Can be used to replay the session.
    type: string
    indicators:
      - trace_id
  - name: ei
    description: Event numeric id
    type: string
  - name: login
    description: OS login
    type: string
  - name: addr_local
    description: Address of the SSH node
    rename:
      from: addr.local
    type: string
    indicators:
      - net_addr
  - name: addr_remote
    description: Address of the connecting client (user)
    rename:
      from: addr.remote
    type: string
    indicators:
      - net_addr
  - name: size
    description: Size of terminal
    type: string
  - name: success
    description: Authentication success (if event type is 'auth')
    type: boolean
  - name: error
    description: Authentication error (event type is 'auth')
    type: string
  - name: command
    description: Command that was executed (event type is 'exec')
    type: string
  - name: exitCode
    description: Exit code of the command (event type is 'exec')
    type: int
  - name: exitError
    description: Exit error of the command (event type is 'exec')
    type: string
  - name: pid
    description: Process id of command
    type: bigint
  - name: ppid
    description: Process id of the parent process
    type: bigint
  - name: cgroup_id
    description: Control group id
    type: bigint
  - name: return_code
    description: Return code of the command
    type: int
  - name: program
    description: Name of the command
    type: string
  - name: argv
    description: Arguments passed to command
    type: array
    element:
      type: string
  - name: path
    description: Executable path or SCP action target file path (scp, session.command)
    type: string
  - name: len
    description: SCP target file size (scp)
    type: bigint
  - name: action
    description: SCP action (scp)
    type: string
  - name: method
    description: Login method used (user.login)
    type: string
  - name: attributes
    description: User login attributes (user.login)
    type: json
  - name: roles
    description: Roles for the new user (user.create)
    type: array
    element:
      type: string
  - name: connector
    description: Connector that created the user (user.create)
    type: json
  - name: expires
    description: Expiration date
    type: timestamp
    timeFormats:
      - rfc3339
  - name: name
    description: Name of user or service (github.created, user.create, user.update)
    type: string
  - name: tx
    description: Number of bytes sent
    type: bigint
  - name: rx
    description: Number of bytes received
    type: bigint
  - name: server_labels
    description: Server labels
    type: json
  - name: server_hostname
    description: Server hostname
    type: string
    indicators:
      - hostname
  - name: server_addr
    description: Server hostname
    type: string
    indicators:
      - net_addr
  - name: session_start
    description: Timestamp of session start
    type: timestamp
    timeFormats:
      - rfc3339
  - name: session_stop
    description: Timestamp of session end
    type: timestamp
    timeFormats:
      - rfc3339
  - name: interactive
    description: Whether the session was interactive
    type: boolean
  - name: enhanced_recording
    description: Whether enhanced recording is enabled
    type: boolean
  - name: participants
    description: Users that participated in the session
    type: array
    element:
      type: string
  - name: dst_addr
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: src_addr
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: dst_port
    description: Destination port
    type: int
  - name: version
    description: Event version
    type: int
  - name: cluster_name
    description: Teleport cluster name
    type: string
  - name: db_name
    description: Database/schema name
    type: string
  - name: db_protocol
    description: Database protocol
    type: string
  - name: db_query
    description: Text of the query
    type: string
  - name: db_query_parameters
    description: Query parameters (for prepared statements)
    type: json
  - name: db_service
    description: Database service name
    type: string
  - name: db_uri
    description: Database server endpoint
    type: string
    indicators:
      - url
  - name: db_user
    description: Database account name
    type: string
    indicators:
      - username
  - name: desktop_addr
    description: Address of desktop
    type: string
  - name: desktop_name
    description: Name of desktop
    type: string
  - name: desktop_labels
    description: Key/Value pairs related to the desktop of this event
    type: json
  - name: file_path
    description: Relative path from the root of the shared directory
    type: string
  - name: directory_name
    description: Name of directory accessed
    type: string
  - name: directory_id
    description: Id of directory accessed
    type: string
  - name: lock
    description: Lock object
    type: json
  - name: bot_instance_id
    description: Bot instance id
    type: string
  - name: bot_name
    description: Bot name
    type: string
  - name: reviewer
    description: Reviewer of the request
    type: string
  - name: proposed_state
    description: Desired state of the request
    type: string
  - name: state
    description: Actual state of the request
    type: string
  - name: trusted_device
    description: Information about the users' trusted device. Requires a registered and enrolled device to be used during authentication.
    type: json
  - name: with_mfa
    description: WithMFA is a UUID of an MFA device used to start this session.
    type: string
  - name: impersonator
    description: Impersonator is a username of a user impersonating this user
    type: string
  - name: aws_role_arn
    description: AWS Role ARN
    type: string
    indicators:
      - aws_arn
  - name: access_requests
    description: IDs of Access Requests
    type: json
  - name: forwarded_by
    description: ForwardedBy tells us if the metadata was sent by the node itself or by another node in it's place
    type: string
  - name: proto
    description: Protocol specifies protocol that was captured
    type: string
  - name: user_agent
    description: UserAgent identifies the type of client that attempted the event.
    type: string
  - name: kubernetes_cluster
    description: kubernetes cluster name
    type: string
  - name: kubernetes_users
    description: list of kubernetes usernames
    type: json
  - name: kubernetes_groups
    description: list of kubernetes groups
    type: json
  - name: kubernetes_labels
    description: the labels (static and dynamic) of the kubernetes cluster the session occurred on.
    type: json
  - name: kubernetes_pod_name
    description: Name of the kubernetes pod
    type: string
  - name: kubernetes_pod_namespace
    description: Namespace of the kubernetes pod
    type: string
  - name: kubernetes_container_name
    description: Name of container within the kubernetes pod
    type: string
  - name: kubernetes_container_image
    description: The image of the container within the kubernetes pod
    type: string
  - name: kubernetes_node_name
    description: Name of the node that runs the kubernetes pod
    type: string
  - name: initial_command
    description: The command used to start this session
    type: json
  - name: session_recording
    description: The type of session recording
    type: string
  - name: ci
    description: Chunk index
    type: string
  - name: bytes
    description: How many bytes have been written to the session
    type: string
  - name: ms
    description: Delay in milliseconds from start of session
    type: string
  - name: offset
    description: Offset in bytes from start of session file
    type: string
  - name: length
    description: Number of bytes sent/received
    type: string
  - name: reason
    description: Reason for the event
    type: string
  - name: max
    description: Maximum value
    type: string
  - name: flags
    description: Flags that were passed relevant to this event
    type: json
  - name: operation
    description: Denotes what network operation was performed
    type: json
  - name: mfa_device
    description: The MFA device used during login
    type: json
  - name: updated_by
    description: Indicates the user who modified the resource
    type: string
    indicators:
      - username
  - name: ttl
    description: Time to live
    type: string
  - name: id
    description: Access request ID
    type: string
  - name: delegator
    description: Used by teleport plugins to indicate the identity
    type: string
  - name: annotations
    description: Annotations is an optional set of attributes supplied by a plugin during approval/rejection
    type: json
  - name: resource_ids
    description: The set of resources to which access is being requested
    type: json
  - name: cluster
    description: Name of cluster
    type: string
  - name: kind
    description: Resource kind
    type: string
  - name: addr
    description: Target port forwarding address
    type: string
  - name: working_directory
    description: The current directory of the event
    type: string
  - name: target_path
    description: The path of the file
    type: string
  - name: request_path
    description: Raw request URL path
    type: string
  - name: verb
    description: HTTP Verb
    type: string
  - name: resource_api_group
    description: Resource API Group
    type: string
  - name: resource_namespace
    description: Resource namespace
    type: string
  - name: resource_kind
    description: Resource API kind
    type: string
  - name: resource_name
    description: Resource API name
    type: string
  - name: response_code
    description: HTTP Response code
    type: string
  - name: app_uri
    description: Application endpoint
    type: string
    indicators:
      - url
  - name: app_public_addr
    description: The configured application public address.
    type: string
    indicators:
      - url
  - name: app_labels
    description: The configured application labels.
    type: json
  - name: app_name
    description: The configured application name
    type: string
  - name: public_addr
    description: Public address
    type: string
    indicators:
      - url
  - name: session_chunk_id
    description: The ID of the session that was created
    type: string
  - name: status_code
    description: HTTP Response code
    type: string
  - name: raw_query
    description: Encoded query values
    type: string
  - name: aws_region
    description: Requested AWS region
    type: string
  - name: aws_service
    description: Requested AWS service
    type: string
  - name: aws_host
    description: Requested AWS host
    type: string
  - name: db_labels
    description: Database resource labels
    type: json
  - name: db_aws_region
    description: AWS region for AWS hosted databases
    type: string
  - name: db_aws_redshift_cluster_id
    description: Cluster ID for Redshift databases
    type: string
  - name: db_gcp_project_id
    description: Project ID for GCP hosted databases
    type: string
  - name: db_gcp_instance_id
    description: Instance ID for GCP hosted databases
    type: string
  - name: statement_name
    description: Name of the prepared statement
    type: string
  - name: query
    description: Prepared statement query
    type: string
  - name: portal_name
    description: Name of destination portal
    type: string
  - name: parameters
    description: Parameters
    type: json
  - name: function_oid
    description: Object ID of called function
    type: string
  - name: function_args
    description: Formatted function args
    type: json
  - name: windows_desktop_service
    description: Name of service
    type: string
  - name: windows_domain
    description: Active directory domain
    type: string
  - name: windows_user
    description: Windows username
    type: string
  - name: mfa_device_name
    description: User-specified name of the MFA device
    type: string
  - name: mfa_device_uuid
    description: UUID of MFA Device
    type: string
  - name: mfa_device_type
    description: Type of MFA Device
    type: string
  - name: target
    description: Target
    type: json
  - name: recorded
    description: Whether the session was recorded
    type: boolean
  - name: cert_type
    description: Type of certificate used
    type: string
  - name: identity
    description: Identity associated with the request
    type: json
  - name: unknown_event
    description: Unknown event
    type: string
  - name: unknown_code
    description: Unknown code
    type: string
  - name: data
    description: Serialized JSON of unknown event
    type: string
  - name: url
    description: URL of session where event data was uploaded
    type: string
  - name: search_as_roles
    description: List of roles the search was performed as
    type: json
  - name: resource_type
    description: Type of resource being searched for
    type: string
  - name: labels
    description: Label-based matcher used for the search
    type: json
  - name: predicate_expression
    description: List of conditions used for the search
    type: json
  - name: search_keywords
    description: List of search keywords used to match against resource field values
    type: json
  - name: statement_id
    description: Id of the prepared statement
    type: string
  - name: parameter_id
    description: Id of the parameter
    type: string
  - name: data_size
    description: Size of the data
    type: string
  - name: rows_count
    description: Number of rows to fetch
    type: string
  - name: schema_name
    description: Name of schema
    type: string
  - name: process_id
    description: Process Id of a connection
    type: string
  - name: subcommand
    description: String representation of the subcommand
    type: string
  - name: proc_name
    description: The RPC SQL Server procedure name
    type: string
  - name: category
    description: Represents the category if API being accessed in a given request
    type: json
  - name: upgrade_window_start
    description: Upgrade window time
    type: string
  - name: kube_labels
    description: Configured kubernetes cluster labels
    type: json
  - name: command_id
    description: Id of the SSH command that was ran
    type: string
  - name: instance_id
    description: Id of the EC2 instance that was ran
    type: string
  - name: exit_code
    description: Exit code resulting from the command
    type: string
  - name: status
    description: Status of the command
    type: string
  - name: account_id
    description: Id of the AWS account that ran the command
    type: string
    indicators:
      - aws_account_id
  - name: region
    description: AWS region the command was ran in
    type: string