events

package
v4.3.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 24, 2020 License: Apache-2.0 Imports: 31 Imported by: 347

Documentation

Overview

Package events implements the audit log interface events.IAuditLog using filesystem backend.

Audit logs ----------

Audit logs are events associated with user logins, server access and session log events like session.start.

Example audit log event:

{"addr.local":"172.10.1.20:3022",

 "addr.remote":"172.10.1.254:58866",
 "event":"session.start",
 "login":"root",
 "user":"klizhentas@gmail.com"
}

Session Logs ------------

Session logs are a series of events and recorded SSH interactive session playback.

Example session log event:

{
  "time":"2018-01-04T02:12:40.245Z",
  "event":"print",
  "bytes":936,
  "ms":40962,
  "offset":16842,
  "ei":31,
  "ci":29
}

Print event fields ------------------

Print event specifies session output - PTY io recorded by Teleport node or Proxy based on the configuration.

* "offset" is an offset in bytes from a start of a session * "ms" is a delay in milliseconds from the last event occurred * "ci" is a chunk index ordering only print events * "ei" is an event index ordering events from the first one

As in example of print event above, "ei" - is a session event index - 31, while "ci" is a chunk index - meaning that this event is 29th in a row of print events.

Client streaming session logs ------------------------------

Session related logs are delivered in order defined by clients. Every event is ordered and has a session-local index, every next event has index incremented.

Client delivers session events in batches, where every event in the batch is guaranteed to be in continuous order (e.g. no cases with events delivered in a single batch to have missing event or chunk index).

Disk File format ----------------

On disk file format is designed to be compatible with NFS filesystems and provides guarantee that only one auth server writes to the file at a time.

Main Audit Log Format =====================

The main log files are saved as:

/var/lib/teleport/log/<auth-server-id>/<date>.log

The log file is rotated every 24 hours. The old files must be cleaned up or archived by an external tool.

Log file format: utc_date,action,json_fields

Common JSON fields - user : teleport user - login : server OS login, the user logged in as - addr.local : server address:port - addr.remote: connected client's address:port - sid : session ID (GUID format)

Examples: 2016-04-25 22:37:29 +0000 UTC,session.start,{"addr.local":"127.0.0.1:3022","addr.remote":"127.0.0.1:35732","login":"root","sid":"4a9d97de-0b36-11e6-a0b3-d8cb8ae5080e","user":"vincent"} 2016-04-25 22:54:31 +0000 UTC,exec,{"addr.local":"127.0.0.1:3022","addr.remote":"127.0.0.1:35949","command":"-bash -c ls /","login":"root","user":"vincent"}

Session log file format =======================

Each session has its own session log stored as several files:

Index file contains a list of event files and chunks files associated with a session:

/var/lib/teleport/log/sessions/<auth-server-id>/<session-id>.index

The format of the index file contains of two or more lines with pointers to other files:

{"file_name":"<session-id>-<first-event-in-file-index>.events","type":"events","index":<first-event-in-file-index>} {"file_name":"<session-id>-<first-chunk-in-file-offset>.chunks","type":"chunks","offset":<first-chunk-in-file-offset>}

Files:

/var/lib/teleport/log/<auth-server-id>/<session-id>-<first-event-in-file-index>.events
/var/lib/teleport/log/<auth-server-id>/<session-id>-<first-chunk-in-file-offset>.chunks

Where:

  • .events (same events as in the main log, but related to the session)
  • .chunks (recorded session bytes: PTY IO)

Examples ~~~~~~~~

**Single auth server**

In the simplest case, single auth server a1 log for a single session id s1 will consist of three files:

/var/lib/teleport/a1/s1.index

With contents:

{"file_name":"s1-0.events","type":"events","index":0} {"file_name":"s1-0.chunks","type":"chunks","offset":0}

This means that all session events are located in s1-0.events file starting from the first event with index 0 and all chunks are located in file s1-0.chunks file with the byte offset from the start - 0.

File with session events /var/lib/teleport/a1/s1-0.events will contain:

{"ei":0,"event":"session.start", ...} {"ei":1,"event":"resize",...} {"ei":2,"ci":0, "event":"print","bytes":40,"offset":0} {"ei":3,"event":"session.end", ...}

File with recorded session /var/lib/teleport/a1/s1-0.chunks will contain 40 bytes emitted by print event with chunk index 0

**Multiple Auth Servers**

In high availability mode scenario, multiple auth servers will be

deployed behind a load balancer.

Any auth server can go down during session and clients will retry the delivery to the other auth server.

Both auth servers have mounted /var/lib/teleport/log as a shared NFS folder.

To make sure that only one auth server writes to a file at a time, each auth server writes to it's own file in a sub folder named with host UUID of the server.

Client sends the chunks of events related to the session s1 in order, but load balancer sends first batch of event to the first server a1, and the second batch of event to the second server a2.

Server a1 will produce the following file:

/var/lib/teleport/a1/s1.index

With contents:

{"file_name":"s1-0.events","type":"events","index":0} {"file_name":"s1-0.chunks","type":"chunks","offset":0}

Events file /var/lib/teleport/a1/s1-0.events will contain:

{"ei":0,"event":"session.start", ...} {"ei":1,"event":"resize",...} {"ei":2,"ci":0, "event":"print","bytes":40,"offset":0}

Events file /var/lib/teleport/a1/s1-0.chunks will contain 40 bytes emitted by print event with chunk index.

Server a2 will produce the following file:

/var/lib/teleport/a2/s1.index

With contents:

{"file_name":"s1-3.events","type":"events","index":3} {"file_name":"s1-40.chunks","type":"chunks","offset":40}

Events file /var/lib/teleport/a2/s1-4.events will contain:

{"ei":3,"ci":1, "event":"print","bytes":15,"ms":713,"offset":40} {"ei":4,"event":"session.end", ...}

Events file /var/lib/teleport/a2/s1-40.chunks will contain 15 bytes emitted by print event with chunk index 1 and comes after delay of 713 milliseconds.

Offset 40 indicates that the first chunk stored in the file s1-40.chunks comes at an offset of 40 bytes from the start of the session.

Log Search and Playback -----------------------

Log search and playback is aware of multiple auth servers, merges indexes, event streams stored on multiple auth servers.

Index

Constants

View Source
const (
	// EventType is event type/kind
	EventType = "event"
	// EventID is a unique event identifier
	EventID = "uid"
	// EventCode is a code that uniquely identifies a particular event type
	EventCode = "code"
	// EventTime is event time
	EventTime = "time"
	// EventLogin is OS login
	EventLogin = "login"
	// EventUser is teleport user name
	EventUser = "user"
	// EventProtocol specifies protocol that was captured
	EventProtocol = "proto"
	// EventProtocolsSSH specifies SSH as a type of captured protocol
	EventProtocolSSH = "ssh"
	// EventProtocolKube specifies kubernetes as a type of captured protocol
	EventProtocolKube = "kube"
	// LocalAddr is a target address on the host
	LocalAddr = "addr.local"
	// RemoteAddr is a client (user's) address
	RemoteAddr = "addr.remote"
	// EventCursor is an event ID (used as cursor value for enumeration, not stored)
	EventCursor = "id"

	// EventIndex is an event index as received from the logging server
	EventIndex = "ei"

	// EventNamespace is a namespace of the session event
	EventNamespace = "namespace"

	// SessionPrintEvent event happens every time a write occurs to
	// temirnal I/O during a session
	SessionPrintEvent = "print"

	// SessionPrintEventBytes says how many bytes have been written into the session
	// during "print" event
	SessionPrintEventBytes = "bytes"

	// SessionEventTimestamp is an offset (in milliseconds) since the beginning of the
	// session when the terminal IO event happened
	SessionEventTimestamp = "ms"

	// SessionEvent indicates that session has been initiated
	// or updated by a joining party on the server
	SessionStartEvent = "session.start"

	// SessionEndEvent indicates that a session has ended
	SessionEndEvent = "session.end"

	// SessionUploadEvent indicates that session has been uploaded to the external storage
	SessionUploadEvent = "session.upload"

	// URL is used for a session upload URL
	URL = "url"

	// SessionEventID is a unique UUID of the session.
	SessionEventID = "sid"

	// SessionServerID is the UUID of the server the session occurred on.
	SessionServerID = "server_id"

	// SessionServerHostname is the hostname of the server the session occurred on.
	SessionServerHostname = "server_hostname"

	// SessionServerAddr is the address of the server the session occurred on.
	SessionServerAddr = "server_addr"

	// SessionStartTime is the timestamp at which the session began.
	SessionStartTime = "session_start"

	// SessionEndTime is the timestamp at which the session ended.
	SessionEndTime = "session_stop"

	// SessionEnhancedRecording is used to indicate if the recording was an
	// enhanced recording or not.
	SessionEnhancedRecording = "enhanced_recording"

	// SessionInteractive is used to indicate if the session was interactive
	// (has PTY attached) or not (exec session).
	SessionInteractive = "interactive"

	// SessionParticipants is a list of participants in the session.
	SessionParticipants = "participants"

	// SessionServerLabels are the labels (static and dynamic) of the server the
	// session occurred on.
	SessionServerLabels = "server_labels"

	// SessionByteOffset is the number of bytes written to session stream since
	// the beginning
	SessionByteOffset = "offset"

	// SessionJoinEvent indicates that someone joined a session
	SessionJoinEvent = "session.join"
	// SessionLeaveEvent indicates that someone left a session
	SessionLeaveEvent = "session.leave"

	// Data transfer events.
	SessionDataEvent = "session.data"
	DataTransmitted  = "tx"
	DataReceived     = "rx"

	// ClientDisconnectEvent is emitted when client is disconnected
	// by the server due to inactivity or any other reason
	ClientDisconnectEvent = "client.disconnect"

	// Reason is a field that specifies reason for event, e.g. in disconnect
	// event it explains why server disconnected the client
	Reason = "reason"

	// UserLoginEvent indicates that a user logged into web UI or via tsh
	UserLoginEvent = "user.login"
	// LoginMethod is the event field indicating how the login was performed
	LoginMethod = "method"
	// LoginMethodLocal represents login with username/password
	LoginMethodLocal = "local"
	// LoginMethodClientCert represents login with client certificate
	LoginMethodClientCert = "client.cert"
	// LoginMethodOIDC represents login with OIDC
	LoginMethodOIDC = "oidc"
	// LoginMethodSAML represents login with SAML
	LoginMethodSAML = "saml"
	// LoginMethodGithub represents login with Github
	LoginMethodGithub = "github"

	// UserUpdatedEvent is emitted when the user is updated.
	UserUpdatedEvent = "user.update"

	// UserDeleteEvent is emitted when the user is deleted.
	UserDeleteEvent = "user.delete"

	// UserCreateEvent is emitted when the user is created.
	UserCreateEvent = "user.create"

	// UserPasswordChangeEvent is when the user changes their own password.
	UserPasswordChangeEvent = "user.password_change"

	// UserExpires is when the user will expire.
	UserExpires = "expires"

	// UserRoles is a list of roles for the user.
	UserRoles = "roles"

	// IdentityAttributes is a map of user attributes
	// received from identity provider
	IdentityAttributes = "attributes"

	// UserConnector is the connector used to create the user.
	UserConnector = "connector"

	// AccessRequestCreateEvent is emitted when a new access request is created.
	AccessRequestCreateEvent = "access_request.create"
	// AccessRequestUpdateEvent is emitted when a request's state is updated.
	AccessRequestUpdateEvent = "access_request.update"
	// AccessRequestDelegator is used by teleport plugins to indicate the identity
	// which caused them to update state.
	AccessRequestDelegator = "delegator"
	// AccessRequestState is the state of a request.
	AccessRequestState = "state"
	// AccessRequestID is the ID of an access request.
	AccessRequestID = "id"

	// UpdatedBy indicates the user who modified some resource:
	//  - updating a request state
	//  - updating a user record
	UpdatedBy = "updated_by"

	// ResetPasswordTokenCreateEvent is emitted when a new reset password token is created.
	ResetPasswordTokenCreateEvent = "reset_password_token.create"
	// ResetPasswordTokenTTL is TTL of reset password token.
	ResetPasswordTokenTTL = "ttl"

	// FieldName contains name, e.g. resource name, etc.
	FieldName = "name"

	// ExecEvent is an exec command executed by script or user on
	// the server side
	ExecEvent        = "exec"
	ExecEventCommand = "command"
	ExecEventCode    = "exitCode"
	ExecEventError   = "exitError"

	// SubsystemEvent is the result of the execution of a subsystem.
	SubsystemEvent = "subsystem"
	SubsystemName  = "name"
	SubsystemError = "exitError"

	// X11 forwarding event
	X11ForwardEvent   = "x11-forward"
	X11ForwardSuccess = "success"
	X11ForwardErr     = "error"

	// Port forwarding event
	PortForwardEvent   = "port"
	PortForwardAddr    = "addr"
	PortForwardSuccess = "success"
	PortForwardErr     = "error"

	// AuthAttemptEvent is authentication attempt that either
	// succeeded or failed based on event status
	AuthAttemptEvent   = "auth"
	AuthAttemptSuccess = "success"
	AuthAttemptErr     = "error"
	AuthAttemptMessage = "message"

	// SCPEvent means data transfer that occurred on the server
	SCPEvent          = "scp"
	SCPPath           = "path"
	SCPLengh          = "len"
	SCPAction         = "action"
	SCPActionUpload   = "upload"
	SCPActionDownload = "download"

	// ResizeEvent means that some user resized PTY on the client
	ResizeEvent  = "resize"
	TerminalSize = "size" // expressed as 'W:H'

	// SessionUploadIndex is a very large number of the event index
	// to indicate that this is the last event in the chain
	// used for the last event of the sesion - session upload
	SessionUploadIndex = math.MaxInt32
	// SessionDataIndex is a very large number of the event index
	// to indicate one of the last session events, used to report
	// data transfer
	SessionDataIndex = math.MaxInt32 - 1

	// SessionCommandEvent is emitted when an executable is run within a session.
	SessionCommandEvent = "session.command"

	// SessionDiskEvent is emitted when a file is opened within an session.
	SessionDiskEvent = "session.disk"

	// SessionNetworkEvent is emitted when a network connection is initated with a
	// session.
	SessionNetworkEvent = "session.network"

	// PID is the ID of the process.
	PID = "pid"

	// PPID is the PID of the parent process.
	PPID = "ppid"

	// CgroupID is the internal cgroupv2 ID of the event.
	CgroupID = "cgroup_id"

	// Program is name of the executable.
	Program = "program"

	// Path is the full path to the executable.
	Path = "path"

	// Argv is the list of arguments to the program. Note, the first element does
	// not contain the name of the process.
	Argv = "argv"

	// ReturnCode is the return code of execve.
	ReturnCode = "return_code"

	// Flags are the flags passed to open.
	Flags = "flags"

	// SrcAddr is the source IP address of the connection.
	SrcAddr = "src_addr"

	// DstAddr is the destination IP address of the connection.
	DstAddr = "dst_addr"

	// DstPort is the destination port of the connection.
	DstPort = "dst_port"

	// TCPVersion is the version of TCP (4 or 6).
	TCPVersion = "version"

	// RoleCreatedEvent fires when role is created/updated.
	RoleCreatedEvent = "role.created"
	// RoleDeletedEvent fires when role is deleted.
	RoleDeletedEvent = "role.deleted"

	// TrustedClusterCreateEvent is the event for creating a trusted cluster.
	TrustedClusterCreateEvent = "trusted_cluster.create"
	// TrustedClusterDeleteEvent is the event for removing a trusted cluster.
	TrustedClusterDeleteEvent = "trusted_cluster.delete"
	// TrustedClusterTokenCreateEvent is the event for
	// creating new join token for a trusted cluster.
	TrustedClusterTokenCreateEvent = "trusted_cluster_token.create"

	// GithubConnectorCreatedEvent fires when a Github connector is created/updated.
	GithubConnectorCreatedEvent = "github.created"
	// GithubConnectorDeletedEvent fires when a Github connector is deleted.
	GithubConnectorDeletedEvent = "github.deleted"
	// OIDCConnectorCreatedEvent fires when OIDC connector is created/updated.
	OIDCConnectorCreatedEvent = "oidc.created"
	// OIDCConnectorDeletedEvent fires when OIDC connector is deleted.
	OIDCConnectorDeletedEvent = "oidc.deleted"
	// SAMLConnectorCreatedEvent fires when SAML connector is created/updated.
	SAMLConnectorCreatedEvent = "saml.created"
	// SAMLConnectorDeletedEvent fires when SAML connector is deleted.
	SAMLConnectorDeletedEvent = "saml.deleted"
)
View Source
const (
	// V1 is the V1 version of slice chunks API,
	// it is 0 because it was not defined before
	V1 = 0
	// V2 is the V2 version of slice chunks  API
	V2 = 2
	// V3 is almost like V2, but it assumes
	// that session recordings are being uploaded
	// at the end of the session, so it skips writing session event index
	// on the fly
	V3 = 3
)
View Source
const (
	// SessionLogsDir is a subdirectory inside the eventlog data dir
	// where all session-specific logs and streams are stored, like
	// in /var/lib/teleport/logs/sessions
	SessionLogsDir = "sessions"

	// PlaybacksDir is a directory for playbacks
	PlaybackDir = "playbacks"

	// LogfileExt defines the ending of the daily event log file
	LogfileExt = ".log"

	// SymlinkFilename is a name of the symlink pointing to the last
	// current log file
	SymlinkFilename = "events.log"
)
View Source
const (
	// UserLocalLoginCode is the successful local user login event code.
	UserLocalLoginCode = "T1000I"
	// UserLocalLoginFailureCode is the unsuccessful local user login event code.
	UserLocalLoginFailureCode = "T1000W"
	// UserSSOLoginCode is the successful SSO user login event code.
	UserSSOLoginCode = "T1001I"
	// UserSSOLoginFailureCode is the unsuccessful SSO user login event code.
	UserSSOLoginFailureCode = "T1001W"
	// UserCreateCode is the user create event code.
	UserCreateCode = "T1002I"
	// UserUpdateCode is the user update event code.
	UserUpdateCode = "T1003I"
	// UserDeleteCode is the user delete event code.
	UserDeleteCode = "T1004I"
	// UserPasswordChangeCode is an event code for when user changes their own password.
	UserPasswordChangeCode = "T1005I"

	// SessionStartCode is the session start event code.
	SessionStartCode = "T2000I"
	// SessionJoinCode is the session join event code.
	SessionJoinCode = "T2001I"
	// TerminalResizeCode is the terminal resize event code.
	TerminalResizeCode = "T2002I"
	// SessionLeaveCode is the session leave event code.
	SessionLeaveCode = "T2003I"
	// SessionEndCode is the session end event code.
	SessionEndCode = "T2004I"
	// SessionUploadCode is the session upload event code.
	SessionUploadCode = "T2005I"
	// SessionDataCode is the session data event code.
	SessionDataCode = "T2006I"

	// SubsystemCode is the subsystem event code.
	SubsystemCode = "T3001I"
	// SubsystemFailureCode is the subsystem failure event code.
	SubsystemFailureCode = "T3001E"
	// ExecCode is the exec event code.
	ExecCode = "T3002I"
	// ExecFailureCode is the exec failure event code.
	ExecFailureCode = "T3002E"
	// PortForwardCode is the port forward event code.
	PortForwardCode = "T3003I"
	// PortForwardFailureCode is the port forward failure event code.
	PortForwardFailureCode = "T3003E"
	// SCPDownloadCode is the file download event code.
	SCPDownloadCode = "T3004I"
	// SCPDownloadFailureCode is the file download event failure code.
	SCPDownloadFailureCode = "T3004E"
	// SCPUploadCode is the file upload event code.
	SCPUploadCode = "T3005I"
	// SCPUploadFailureCode is the file upload failure event code.
	SCPUploadFailureCode = "T3005E"
	// ClientDisconnectCode is the client disconnect event code.
	ClientDisconnectCode = "T3006I"
	// AuthAttemptFailureCode is the auth attempt failure event code.
	AuthAttemptFailureCode = "T3007W"
	// X11ForwardCode is the x11 forward event code.
	X11ForwardCode = "T3008I"
	// X11ForwardFailureCode is the x11 forward failure event code.
	X11ForwardFailureCode = "T3008W"

	// SessionCommandCode is a session command code.
	SessionCommandCode = "T4000I"
	// SessionDiskCode is a session disk code.
	SessionDiskCode = "T4001I"
	// SessionNetworkCode is a session network code.
	SessionNetworkCode = "T4002I"

	// AccessRequestCreateCode is the the access request creation code.
	AccessRequestCreateCode = "T5000I"
	// AccessRequestUpdateCode is the access request state update code.
	AccessRequestUpdateCode = "T5001I"

	// ResetPasswordTokenCreateCode is the token create event code.
	ResetPasswordTokenCreateCode = "T6000I"

	// TrustedClusterCreateCode is the event code for creating a trusted cluster.
	TrustedClusterCreateCode = "T7000I"
	// TrustedClusterDeleteCode is the event code for removing a trusted cluster.
	TrustedClusterDeleteCode = "T7001I"
	// TrustedClusterTokenCreateCode is the event code for
	// creating new join token for a trusted cluster.
	TrustedClusterTokenCreateCode = "T7002I"

	// GithubConnectorCreatedCode is the Github connector created event code.
	GithubConnectorCreatedCode = "T8000I"
	// GithubConnectorDeletedCode is the Github connector deleted event code.
	GithubConnectorDeletedCode = "T8001I"

	// OIDCConnectorCreatedCode is the OIDC connector created event code.
	OIDCConnectorCreatedCode = "T8100I"
	// OIDCConnectorDeletedCode is the OIDC connector deleted event code.
	OIDCConnectorDeletedCode = "T8101I"

	// SAMLConnectorCreatedCode is the SAML connector created event code.
	SAMLConnectorCreatedCode = "T8200I"
	// SAMLConnectorDeletedCode is the SAML connector deleted event code.
	SAMLConnectorDeletedCode = "T8201I"

	// RoleCreatedCode is the role created event code.
	RoleCreatedCode = "T9000I"
	// RoleDeletedCode is the role deleted event code.
	RoleDeletedCode = "T9001I"
)

There is no strict algorithm for picking an event code, however existing event codes are currently loosely categorized as follows:

  • Teleport event codes start with "T" and belong in this const block.

  • Related events are grouped starting with the same number. eg: All user related events are grouped under 1xxx.

  • Suffix code with one of these letters: I (info), W (warn), E (error).

View Source
const (
	// MaxChunkBytes defines the maximum size of a session stream chunk that
	// can be requested via AuditLog.GetSessionChunk(). Set to 5MB
	MaxChunkBytes = 1024 * 1024 * 5
)

Variables

View Source
var (
	// UserLocalLogin is emitted when a local user successfully logs in.
	UserLocalLogin = Event{
		Name: UserLoginEvent,
		Code: UserLocalLoginCode,
	}
	// UserLocalLoginFailure is emitted when a local user login attempt fails.
	UserLocalLoginFailure = Event{
		Name: UserLoginEvent,
		Code: UserLocalLoginFailureCode,
	}
	// UserSSOLogin is emitted when an SSO user successfully logs in.
	UserSSOLogin = Event{
		Name: UserLoginEvent,
		Code: UserSSOLoginCode,
	}
	// UserSSOLoginFailure is emitted when an SSO user login attempt fails.
	UserSSOLoginFailure = Event{
		Name: UserLoginEvent,
		Code: UserSSOLoginFailureCode,
	}
	// UserUpdate is emitted when a user is updated.
	UserUpdate = Event{
		Name: UserUpdatedEvent,
		Code: UserUpdateCode,
	}
	// UserDelete is emitted when a user is deleted.
	UserDelete = Event{
		Name: UserDeleteEvent,
		Code: UserDeleteCode,
	}
	// UserCreate is emitted when a user is created.
	UserCreate = Event{
		Name: UserCreateEvent,
		Code: UserCreateCode,
	}
	// UserPasswordChange is emitted when a user changes their own password.
	UserPasswordChange = Event{
		Name: UserPasswordChangeEvent,
		Code: UserPasswordChangeCode,
	}
	// SessionStart is emitted when a user starts a new session.
	SessionStart = Event{
		Name: SessionStartEvent,
		Code: SessionStartCode,
	}
	// SessionJoin is emitted when a user joins the session.
	SessionJoin = Event{
		Name: SessionJoinEvent,
		Code: SessionJoinCode,
	}
	// TerminalResize is emitted when a user resizes the terminal.
	TerminalResize = Event{
		Name: ResizeEvent,
		Code: TerminalResizeCode,
	}
	// SessionLeave is emitted when a user leaves the session.
	SessionLeave = Event{
		Name: SessionLeaveEvent,
		Code: SessionLeaveCode,
	}
	// SessionEnd is emitted when a user ends the session.
	SessionEnd = Event{
		Name: SessionEndEvent,
		Code: SessionEndCode,
	}
	// SessionUpload is emitted after a session recording has been uploaded.
	SessionUpload = Event{
		Name: SessionUploadEvent,
		Code: SessionUploadCode,
	}
	// SessionData is emitted to report session data usage.
	SessionData = Event{
		Name: SessionDataEvent,
		Code: SessionDataCode,
	}
	// Subsystem is emitted when a user requests a new subsystem.
	Subsystem = Event{
		Name: SubsystemEvent,
		Code: SubsystemCode,
	}
	// SubsystemFailure is emitted when a user subsystem request fails.
	SubsystemFailure = Event{
		Name: SubsystemEvent,
		Code: SubsystemFailureCode,
	}
	// Exec is emitted when a user executes a command on a node.
	Exec = Event{
		Name: ExecEvent,
		Code: ExecCode,
	}
	// ExecFailure is emitted when a user command execution fails.
	ExecFailure = Event{
		Name: ExecEvent,
		Code: ExecFailureCode,
	}
	// X11Forward is emitted when a user requests X11 forwarding.
	X11Forward = Event{
		Name: X11ForwardEvent,
		Code: X11ForwardCode,
	}
	// X11ForwardFailure is emitted when an X11 forwarding request fails.
	X11ForwardFailure = Event{
		Name: X11ForwardEvent,
		Code: X11ForwardFailureCode,
	}
	// PortForward is emitted when a user requests port forwarding.
	PortForward = Event{
		Name: PortForwardEvent,
		Code: PortForwardCode,
	}
	// PortForwardFailure is emitted when a port forward request fails.
	PortForwardFailure = Event{
		Name: PortForwardEvent,
		Code: PortForwardFailureCode,
	}
	// SCPDownload is emitted when a user downloads a file.
	SCPDownload = Event{
		Name: SCPEvent,
		Code: SCPDownloadCode,
	}
	// SCPDownloadFailure is emitted when a file download fails.
	SCPDownloadFailure = Event{
		Name: SCPEvent,
		Code: SCPDownloadFailureCode,
	}
	// SCPUpload is emitted when a user uploads a file.
	SCPUpload = Event{
		Name: SCPEvent,
		Code: SCPUploadCode,
	}
	// SCPUploadFailure is emitted when a file upload fails.
	SCPUploadFailure = Event{
		Name: SCPEvent,
		Code: SCPUploadFailureCode,
	}
	// ClientDisconnect is emitted when a user session is disconnected.
	ClientDisconnect = Event{
		Name: ClientDisconnectEvent,
		Code: ClientDisconnectCode,
	}
	// AuthAttemptFailure is emitted upon a failed authentication attempt.
	AuthAttemptFailure = Event{
		Name: AuthAttemptEvent,
		Code: AuthAttemptFailureCode,
	}
	// AccessRequestCreated is emitted when an access request is created.
	AccessRequestCreated = Event{
		Name: AccessRequestCreateEvent,
		Code: AccessRequestCreateCode,
	}
	AccessRequestUpdated = Event{
		Name: AccessRequestUpdateEvent,
		Code: AccessRequestUpdateCode,
	}
	// SessionCommand is emitted upon execution of a command when using enhanced
	// session recording.
	SessionCommand = Event{
		Name: SessionCommandEvent,
		Code: SessionCommandCode,
	}
	// SessionDisk is emitted upon open of a file when using enhanced session recording.
	SessionDisk = Event{
		Name: SessionDiskEvent,
		Code: SessionDiskCode,
	}
	// SessionNetwork is emitted when a network requests is is issued when
	// using enhanced session recording.
	SessionNetwork = Event{
		Name: SessionNetworkEvent,
		Code: SessionNetworkCode,
	}
	// ResetPasswordTokenCreated is emitted when token is created.
	ResetPasswordTokenCreated = Event{
		Name: ResetPasswordTokenCreateEvent,
		Code: ResetPasswordTokenCreateCode,
	}
	// RoleCreated is emitted when a role is created/updated.
	RoleCreated = Event{
		Name: RoleCreatedEvent,
		Code: RoleCreatedCode,
	}
	// RoleDeleted is emitted when a role is deleted.
	RoleDeleted = Event{
		Name: RoleDeletedEvent,
		Code: RoleDeletedCode,
	}
	// TrustedClusterCreate is emitted when a trusted cluster relationship is created.
	TrustedClusterCreate = Event{
		Name: TrustedClusterCreateEvent,
		Code: TrustedClusterCreateCode,
	}
	// TrustedClusterDelete is emitted when a trusted cluster is removed from the root cluster.
	TrustedClusterDelete = Event{
		Name: TrustedClusterDeleteEvent,
		Code: TrustedClusterDeleteCode,
	}
	// TrustedClusterTokenCreate is emitted when a new join
	// token for trusted cluster is created.
	TrustedClusterTokenCreate = Event{
		Name: TrustedClusterTokenCreateEvent,
		Code: TrustedClusterTokenCreateCode,
	}
	// GithubConnectorCreated is emitted when a Github connector is created/updated.
	GithubConnectorCreated = Event{
		Name: GithubConnectorCreatedEvent,
		Code: GithubConnectorCreatedCode,
	}
	// GithubConnectorDeleted is emitted when a Github connector is deleted.
	GithubConnectorDeleted = Event{
		Name: GithubConnectorDeletedEvent,
		Code: GithubConnectorDeletedCode,
	}
	// OIDCConnectorCreated is emitted when an OIDC connector is created/updated.
	OIDCConnectorCreated = Event{
		Name: OIDCConnectorCreatedEvent,
		Code: OIDCConnectorCreatedCode,
	}
	// OIDCConnectorDeleted is emitted when an OIDC connector is deleted.
	OIDCConnectorDeleted = Event{
		Name: OIDCConnectorDeletedEvent,
		Code: OIDCConnectorDeletedCode,
	}
	// SAMLConnectorCreated is emitted when a SAML connector is created/updated.
	SAMLConnectorCreated = Event{
		Name: SAMLConnectorCreatedEvent,
		Code: SAMLConnectorCreatedCode,
	}
	// SAMLConnectorDeleted is emitted when a SAML connector is deleted.
	SAMLConnectorDeleted = Event{
		Name: SAMLConnectorDeletedEvent,
		Code: SAMLConnectorDeletedCode,
	}
)
View Source
var (
	ErrInvalidLengthSlice = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowSlice   = fmt.Errorf("proto: integer overflow")
)

Functions

func NewSessionArchive

func NewSessionArchive(dataDir, serverID, namespace string, sessionID session.ID) (io.ReadCloser, error)

NewSessionArchive returns generated tar archive with all components

func PrintEventFromChunk

func PrintEventFromChunk(chunk *SessionChunk) printEvent

PrintEventFromChunk returns a print event converted from session chunk.

func RegisterAuditLogServer

func RegisterAuditLogServer(s *grpc.Server, srv AuditLogServer)

func UpdateEventFields

func UpdateEventFields(event Event, fields EventFields, clock clockwork.Clock, uid utils.UID) (err error)

UpdateEventFields updates passed event fields with additional information common for all event types such as unique IDs, timestamps, codes, etc.

This method is a "final stop" for various audit log implementations for updating event fields before it gets persisted in the backend.

func ValidateArchive

func ValidateArchive(reader io.Reader, serverID string) error

ValidateArchive validates namespace and serverID fields within all events in the archive.

func ValidateEvent

func ValidateEvent(f EventFields, serverID string) error

ValidateEvent checks the the fields within an event match the passed in expected values.

Types

type AuditLog added in v1.0.0

type AuditLog struct {
	sync.Mutex
	*log.Entry
	AuditLogConfig
	// contains filtered or unexported fields
}

AuditLog is a new combined facility to record Teleport events and sessions. It implements IAuditLog

func NewAuditLog added in v1.0.0

func NewAuditLog(cfg AuditLogConfig) (*AuditLog, error)

Creates and returns a new Audit Log object whish will store its logfiles in a given directory. Session recording can be disabled by setting recordSessions to false.

func (*AuditLog) Close added in v1.0.0

func (l *AuditLog) Close() error

Closes the audit log, which inluces closing all file handles and releasing all session loggers

func (*AuditLog) EmitAuditEvent added in v1.0.0

func (l *AuditLog) EmitAuditEvent(event Event, fields EventFields) error

EmitAuditEvent adds a new event to the log. If emitting fails, a Prometheus counter is incremented.

func (*AuditLog) GetSessionChunk added in v1.0.0

func (l *AuditLog) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk returns a reader which console and web clients request to receive a live stream of a given session. The reader allows access to a session stream range from offsetBytes to offsetBytes+maxBytes

func (*AuditLog) GetSessionEvents added in v1.0.0

func (l *AuditLog) GetSessionEvents(namespace string, sid session.ID, afterN int, includePrintEvents bool) ([]EventFields, error)

Returns all events that happen during a session sorted by time (oldest first).

Can be filtered by 'after' (cursor value to return events newer than)

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*AuditLog) PostSessionSlice

func (l *AuditLog) PostSessionSlice(slice SessionSlice) error

PostSessionSlice submits slice of session chunks to the audit log server.

func (*AuditLog) SearchEvents added in v1.0.0

func (l *AuditLog) SearchEvents(fromUTC, toUTC time.Time, query string, limit int) ([]EventFields, error)

SearchEvents finds events. Results show up sorted by date (newest first), limit is used when set to value > 0

func (*AuditLog) SearchSessionEvents

func (l *AuditLog) SearchSessionEvents(fromUTC, toUTC time.Time, limit int) ([]EventFields, error)

SearchSessionEvents searches for session related events. Used to find completed sessions.

func (*AuditLog) UploadSessionRecording

func (l *AuditLog) UploadSessionRecording(r SessionRecording) error

UploadSessionRecording persists the session recording locally or to third party storage.

func (*AuditLog) WaitForDelivery

func (l *AuditLog) WaitForDelivery(context.Context) error

type AuditLogClient

type AuditLogClient interface {
	SubmitSessionSlice(ctx context.Context, opts ...grpc.CallOption) (AuditLog_SubmitSessionSliceClient, error)
}

func NewAuditLogClient

func NewAuditLogClient(cc *grpc.ClientConn) AuditLogClient

type AuditLogConfig

type AuditLogConfig struct {
	// DataDir is the directory where audit log stores the data
	DataDir string

	// ServerID is the id of the audit log server
	ServerID string

	// RecordSessions controls if sessions are recorded along with audit events.
	RecordSessions bool

	// RotationPeriod defines how frequently to rotate the log file
	RotationPeriod time.Duration

	// SessionIdlePeriod defines the period after which sessions will be considered
	// idle (and audit log will free up some resources)
	SessionIdlePeriod time.Duration

	// Clock is a clock either real one or used in tests
	Clock clockwork.Clock

	// UIDGenerator is used to generate unique IDs for events
	UIDGenerator utils.UID

	// GID if provided will be used to set group ownership of the directory
	// to GID
	GID *int

	// UID if provided will be used to set userownership of the directory
	// to UID
	UID *int

	// DirMask if provided will be used to set directory mask access
	// otherwise set to default value
	DirMask *os.FileMode

	// PlaybackRecycleTTL is a time after uncompressed playback files will be
	// deleted
	PlaybackRecycleTTL time.Duration

	// UploadHandler is a pluggable external upload handler,
	// used to fetch sessions from external sources
	UploadHandler UploadHandler

	// ExternalLog is a pluggable external log service
	ExternalLog IAuditLog

	// EventC is evnets channel for testing purposes, not used if empty
	EventsC chan *AuditLogEvent

	// Context is audit log context
	Context context.Context
}

AuditLogConfig specifies configuration for AuditLog server

func (*AuditLogConfig) CheckAndSetDefaults

func (a *AuditLogConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type AuditLogEvent

type AuditLogEvent struct {
	// Type is an event type
	Type string
	// Error is an event error
	Error error
}

AuditLogEvent is an internal audit log event

type AuditLogServer

type AuditLogServer interface {
	SubmitSessionSlice(AuditLog_SubmitSessionSliceServer) error
}

type AuditLog_SubmitSessionSliceClient

type AuditLog_SubmitSessionSliceClient interface {
	Send(*SessionSlice) error
	CloseAndRecv() (*empty.Empty, error)
	grpc.ClientStream
}

type AuditLog_SubmitSessionSliceServer

type AuditLog_SubmitSessionSliceServer interface {
	SendAndClose(*empty.Empty) error
	Recv() (*SessionSlice, error)
	grpc.ServerStream
}

type ByTimeAndIndex

type ByTimeAndIndex []EventFields

ByTimeAndIndex sorts events by time extracting timestamp from JSON field and if there are several session events with the same session by event index, regardless of the time

func (ByTimeAndIndex) Len

func (f ByTimeAndIndex) Len() int

func (ByTimeAndIndex) Less

func (f ByTimeAndIndex) Less(i, j int) bool

func (ByTimeAndIndex) Swap

func (f ByTimeAndIndex) Swap(i, j int)

type DiscardAuditLog added in v1.1.0

type DiscardAuditLog struct{}

DiscardAuditLog is do-nothing, discard-everything implementation of IAuditLog interface used for cases when audit is turned off

func NewDiscardAuditLog

func NewDiscardAuditLog() *DiscardAuditLog

NewDiscardAuditLog returns a no-op audit log instance

func (*DiscardAuditLog) Close

func (d *DiscardAuditLog) Close() error

func (*DiscardAuditLog) EmitAuditEvent added in v1.1.0

func (d *DiscardAuditLog) EmitAuditEvent(event Event, fields EventFields) error

func (*DiscardAuditLog) GetSessionChunk added in v1.1.0

func (d *DiscardAuditLog) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*DiscardAuditLog) GetSessionEvents added in v1.1.0

func (d *DiscardAuditLog) GetSessionEvents(namespace string, sid session.ID, after int, includePrintEvents bool) ([]EventFields, error)

func (*DiscardAuditLog) PostSessionSlice

func (d *DiscardAuditLog) PostSessionSlice(SessionSlice) error

func (*DiscardAuditLog) SearchEvents added in v1.1.0

func (d *DiscardAuditLog) SearchEvents(fromUTC, toUTC time.Time, query string, limit int) ([]EventFields, error)

func (*DiscardAuditLog) SearchSessionEvents

func (d *DiscardAuditLog) SearchSessionEvents(fromUTC time.Time, toUTC time.Time, limit int) ([]EventFields, error)

func (*DiscardAuditLog) UploadSessionRecording

func (d *DiscardAuditLog) UploadSessionRecording(SessionRecording) error

func (*DiscardAuditLog) WaitForDelivery

func (d *DiscardAuditLog) WaitForDelivery(context.Context) error

type DiscardRecorder

type DiscardRecorder struct {
	DiscardAuditLog
}

DiscardRecorder discards all writes

func (*DiscardRecorder) Close

func (*DiscardRecorder) Close() error

Close does nothing and always succeeds

func (*DiscardRecorder) GetAuditLog

func (d *DiscardRecorder) GetAuditLog() IAuditLog

GetAuditLog returns audit log associated with this recorder

func (*DiscardRecorder) Write

func (*DiscardRecorder) Write(b []byte) (int, error)

Write acks all writes but discards them

type DiskSessionLogger

type DiskSessionLogger struct {
	DiskSessionLoggerConfig

	*log.Entry

	sync.Mutex
	// contains filtered or unexported fields
}

DiskSessionLogger implements a disk based session logger. The imporant property of the disk based logger is that it never fails and can be used as a fallback implementation behind more sophisticated loggers.

func NewDiskSessionLogger

func NewDiskSessionLogger(cfg DiskSessionLoggerConfig) (*DiskSessionLogger, error)

NewDiskSessionLogger creates new disk based session logger

func (*DiskSessionLogger) Close

func (sl *DiskSessionLogger) Close() error

Close is called when clients close on the requested "session writer". We ignore their requests because this writer (file) should be closed only when the session logger is closed

func (*DiskSessionLogger) Finalize

func (sl *DiskSessionLogger) Finalize() error

Finalize is called by the session when it's closing. This is where we're releasing audit resources associated with the session

func (*DiskSessionLogger) LogEvent

func (sl *DiskSessionLogger) LogEvent(fields EventFields) error

LogEvent logs an event associated with this session

func (*DiskSessionLogger) PostSessionSlice

func (sl *DiskSessionLogger) PostSessionSlice(slice SessionSlice) error

PostSessionSlice takes series of events associated with the session and writes them to events files and data file for future replays

type DiskSessionLoggerConfig

type DiskSessionLoggerConfig struct {
	// SessionID is the session id of the logger
	SessionID session.ID
	// DataDir is data directory for session events files
	DataDir string
	// Clock is the clock replacement
	Clock clockwork.Clock
	// RecordSessions controls if sessions are recorded along with audit events.
	RecordSessions bool
	// Namespace is logger namespace
	Namespace string
	// ServerID is a server ID
	ServerID string
}

DiskSessionLoggerConfig sets up parameters for disk session logger associated with the session ID

func (*DiskSessionLoggerConfig) CheckAndSetDefaults

func (cfg *DiskSessionLoggerConfig) CheckAndSetDefaults() error

type EmittedEvent

type EmittedEvent struct {
	EventType Event
	Fields    EventFields
}

EmittedEvent holds the event type and event fields.

type Event

type Event struct {
	// Name is the event name.
	Name string
	// Code is the unique event code.
	Code string
}

Event describes an audit log event.

type EventFields added in v1.0.0

type EventFields map[string]interface{}

EventFields instance is attached to every logged event

func EventFromChunk

func EventFromChunk(sessionID string, chunk *SessionChunk) (EventFields, error)

EventFromChunk returns event converted from session chunk

func (EventFields) AsString added in v1.0.0

func (f EventFields) AsString() string

String returns a string representation of an event structure

func (EventFields) GetCode

func (f EventFields) GetCode() string

GetCode returns the event code

func (EventFields) GetID

func (f EventFields) GetID() string

GetID returns the unique event ID

func (EventFields) GetInt added in v1.0.0

func (f EventFields) GetInt(key string) int

GetString returns an int representation of a logged field

func (EventFields) GetString added in v1.0.0

func (f EventFields) GetString(key string) string

GetString returns a string representation of a logged field

func (EventFields) GetTime added in v1.0.0

func (f EventFields) GetTime(key string) time.Time

GetString returns an int representation of a logged field

func (EventFields) GetTimestamp

func (f EventFields) GetTimestamp() time.Time

GetTimestamp returns the event timestamp (when it was emitted)

func (EventFields) GetType added in v1.0.0

func (f EventFields) GetType() string

GetType returns the type (string) of the event

func (EventFields) HasField

func (f EventFields) HasField(key string) bool

HasField returns true if the field exists in the event.

type FileLog

type FileLog struct {
	*log.Entry
	FileLogConfig
	sync.Mutex
	// contains filtered or unexported fields
}

FileLog is a file local audit events log, logs all events to the local file in json encoded form

func NewFileLog

func NewFileLog(cfg FileLogConfig) (*FileLog, error)

NewFileLog returns a new instance of a file log

func (*FileLog) Close

func (l *FileLog) Close() error

Close closes the audit log, which inluces closing all file handles and releasing all session loggers

func (*FileLog) EmitAuditEvent

func (l *FileLog) EmitAuditEvent(event Event, fields EventFields) error

EmitAuditEvent adds a new event to the log. Part of auth.IFileLog interface.

func (*FileLog) GetSessionChunk

func (l *FileLog) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*FileLog) GetSessionEvents

func (l *FileLog) GetSessionEvents(namespace string, sid session.ID, after int, fetchPrintEvents bool) ([]EventFields, error)

func (*FileLog) PostSessionSlice

func (l *FileLog) PostSessionSlice(slice SessionSlice) error

func (*FileLog) SearchEvents

func (l *FileLog) SearchEvents(fromUTC, toUTC time.Time, query string, limit int) ([]EventFields, error)

SearchEvents finds events. Results show up sorted by date (newest first), limit is used when set to value > 0

func (*FileLog) SearchSessionEvents

func (l *FileLog) SearchSessionEvents(fromUTC, toUTC time.Time, limit int) ([]EventFields, error)

SearchSessionEvents searches for session related events. Used to find completed sessions.

func (*FileLog) UploadSessionRecording

func (l *FileLog) UploadSessionRecording(SessionRecording) error

func (*FileLog) WaitForDelivery

func (l *FileLog) WaitForDelivery(context.Context) error

type FileLogConfig

type FileLogConfig struct {
	// RotationPeriod defines how frequently to rotate the log file
	RotationPeriod time.Duration
	// Dir is a directory where logger puts the files
	Dir string
	// SymlinkDir is a directory for symlink pointer to the current log
	SymlinkDir string
	// Clock is a clock interface, used in tests
	Clock clockwork.Clock
	// UIDGenerator is used to generate unique IDs for events
	UIDGenerator utils.UID
	// SearchDirs is a function that returns
	// search directories, if not set, only Dir is used
	SearchDirs func() ([]string, error)
}

FileLogConfig is a configuration for file log

func (*FileLogConfig) CheckAndSetDefaults

func (cfg *FileLogConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets config defaults

type ForwardRecorder

type ForwardRecorder struct {
	// ForwardRecorderConfig specifies session recorder configuration
	ForwardRecorderConfig

	// Entry holds the structured logger
	*logrus.Entry

	// AuditLog is the audit log to store session chunks
	AuditLog IAuditLog
}

ForwardRecorder implements io.Writer to be plugged into the multi-writer associated with every session. It forwards session stream to the audit log

func NewForwardRecorder

func NewForwardRecorder(cfg ForwardRecorderConfig) (*ForwardRecorder, error)

NewForwardRecorder returns a new instance of session recorder

func (*ForwardRecorder) Close

func (r *ForwardRecorder) Close() error

Close closes audit log session recorder

func (*ForwardRecorder) GetAuditLog

func (r *ForwardRecorder) GetAuditLog() IAuditLog

GetAuditLog returns audit log associated with this recorder

func (*ForwardRecorder) Write

func (r *ForwardRecorder) Write(data []byte) (int, error)

Write takes a chunk and writes it into the audit log

type ForwardRecorderConfig

type ForwardRecorderConfig struct {
	// DataDir is a data directory to record
	DataDir string

	// SessionID defines the session to record.
	SessionID session.ID

	// Namespace is the session namespace.
	Namespace string

	// RecordSessions stores info on whether to record sessions
	RecordSessions bool

	// Component is a component used for logging
	Component string

	// ForwardTo is external audit log where events will be forwarded
	ForwardTo IAuditLog
}

ForwardRecorderConfig specifies config for session recording

func (*ForwardRecorderConfig) CheckAndSetDefaults

func (cfg *ForwardRecorderConfig) CheckAndSetDefaults() error

type Forwarder

type Forwarder struct {
	ForwarderConfig

	sync.Mutex
	// contains filtered or unexported fields
}

ForwarderConfig forwards session log events to the auth server, and writes the session playback to disk

func NewForwarder

func NewForwarder(cfg ForwarderConfig) (*Forwarder, error)

NewForwarder returns a new instance of session forwarder

func (*Forwarder) Close

func (l *Forwarder) Close() error

Closer releases connection and resources associated with log if any

func (*Forwarder) EmitAuditEvent

func (l *Forwarder) EmitAuditEvent(event Event, fields EventFields) error

EmitAuditEvent emits audit event

func (*Forwarder) GetSessionChunk

func (l *Forwarder) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk returns a reader which can be used to read a byte stream of a recorded session starting from 'offsetBytes' (pass 0 to start from the beginning) up to maxBytes bytes.

If maxBytes > MaxChunkBytes, it gets rounded down to MaxChunkBytes

func (*Forwarder) GetSessionEvents

func (l *Forwarder) GetSessionEvents(namespace string, sid session.ID, after int, includePrintEvents bool) ([]EventFields, error)

Returns all events that happen during a session sorted by time (oldest first).

after tells to use only return events after a specified cursor Id

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*Forwarder) PostSessionSlice

func (l *Forwarder) PostSessionSlice(slice SessionSlice) error

PostSessionSlice sends chunks of recorded session to the event log

func (*Forwarder) SearchEvents

func (l *Forwarder) SearchEvents(fromUTC, toUTC time.Time, query string, limit int) ([]EventFields, error)

SearchEvents is a flexible way to find The format of a query string depends on the implementing backend. A recommended format is urlencoded (good enough for Lucene/Solr)

Pagination is also defined via backend-specific query format.

The only mandatory requirement is a date range (UTC). Results must always show up sorted by date (newest first)

func (*Forwarder) SearchSessionEvents

func (l *Forwarder) SearchSessionEvents(fromUTC time.Time, toUTC time.Time, limit int) ([]EventFields, error)

SearchSessionEvents returns session related events only. This is used to find completed session.

func (*Forwarder) UploadSessionRecording

func (l *Forwarder) UploadSessionRecording(r SessionRecording) error

UploadSessionRecording uploads session recording to the audit server

func (*Forwarder) WaitForDelivery

func (l *Forwarder) WaitForDelivery(ctx context.Context) error

WaitForDelivery waits for resources to be released and outstanding requests to complete after calling Close method

type ForwarderConfig

type ForwarderConfig struct {
	// SessionID is a session id to write
	SessionID session.ID
	// ServerID is a serverID data directory
	ServerID string
	// DataDir is a data directory
	DataDir string
	// RecordSessions is a sessions recording setting
	RecordSessions bool
	// Namespace is a namespace of the session
	Namespace string
	// ForwardTo is the audit log to forward non-print events to
	ForwardTo IAuditLog
	// Clock is a clock to set for tests
	Clock clockwork.Clock
	// UID is UID generator
	UID utils.UID
}

ForwarderConfig forwards session log events to the auth server, and writes the session playback to disk

func (*ForwarderConfig) CheckAndSetDefaults

func (s *ForwarderConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type IAuditLog added in v1.0.0

type IAuditLog interface {
	// Closer releases connection and resources associated with log if any
	io.Closer

	// EmitAuditEvent emits audit event
	EmitAuditEvent(Event, EventFields) error

	// DELETE IN: 2.7.0
	// This method is no longer necessary as nodes and proxies >= 2.7.0
	// use UploadSessionRecording method.
	// PostSessionSlice sends chunks of recorded session to the event log
	PostSessionSlice(SessionSlice) error

	// UploadSessionRecording uploads session recording to the audit server
	UploadSessionRecording(r SessionRecording) error

	// GetSessionChunk returns a reader which can be used to read a byte stream
	// of a recorded session starting from 'offsetBytes' (pass 0 to start from the
	// beginning) up to maxBytes bytes.
	//
	// If maxBytes > MaxChunkBytes, it gets rounded down to MaxChunkBytes
	GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

	// Returns all events that happen during a session sorted by time
	// (oldest first).
	//
	// after tells to use only return events after a specified cursor Id
	//
	// This function is usually used in conjunction with GetSessionReader to
	// replay recorded session streams.
	GetSessionEvents(namespace string, sid session.ID, after int, includePrintEvents bool) ([]EventFields, error)

	// SearchEvents is a flexible way to find events. The format of a query string
	// depends on the implementing backend. A recommended format is urlencoded
	// (good enough for Lucene/Solr)
	//
	// Pagination is also defined via backend-specific query format.
	//
	// The only mandatory requirement is a date range (UTC). Results must always
	// show up sorted by date (newest first)
	SearchEvents(fromUTC, toUTC time.Time, query string, limit int) ([]EventFields, error)

	// SearchSessionEvents returns session related events only. This is used to
	// find completed session.
	SearchSessionEvents(fromUTC time.Time, toUTC time.Time, limit int) ([]EventFields, error)

	// WaitForDelivery waits for resources to be released and outstanding requests to
	// complete after calling Close method
	WaitForDelivery(context.Context) error
}

IAuditLog is the primary (and the only external-facing) interface for AuditLogger. If you wish to implement a different kind of logger (not filesystem-based), you have to implement this interface

type MockAuditLog

type MockAuditLog struct {
	sync.Mutex

	FailedAttemptsC chan *SessionSlice
	SlicesC         chan *SessionSlice
	EmittedEvent    *EmittedEvent
	// contains filtered or unexported fields
}

MockAuditLog is audit log used for tests.

func NewMockAuditLog

func NewMockAuditLog(capacity int) *MockAuditLog

NewMockAuditLog returns an instance of MockAuditLog.

func (*MockAuditLog) Close

func (d *MockAuditLog) Close() error

func (*MockAuditLog) EmitAuditEvent

func (d *MockAuditLog) EmitAuditEvent(ev Event, fields EventFields) error

EmitAuditEvent is a mock that records even and fields inside a struct.

func (*MockAuditLog) GetError

func (d *MockAuditLog) GetError() error

func (*MockAuditLog) GetSessionChunk

func (d *MockAuditLog) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

func (*MockAuditLog) GetSessionEvents

func (d *MockAuditLog) GetSessionEvents(namespace string, sid session.ID, after int, fetchPrintEvents bool) ([]EventFields, error)

func (*MockAuditLog) PostSessionSlice

func (d *MockAuditLog) PostSessionSlice(slice SessionSlice) error

func (*MockAuditLog) Reset

func (d *MockAuditLog) Reset()

Reset resets state to zero values.

func (*MockAuditLog) SearchEvents

func (d *MockAuditLog) SearchEvents(fromUTC, toUTC time.Time, query string, limit int) ([]EventFields, error)

func (*MockAuditLog) SearchSessionEvents

func (d *MockAuditLog) SearchSessionEvents(fromUTC, toUTC time.Time, limit int) ([]EventFields, error)

func (*MockAuditLog) SetError

func (d *MockAuditLog) SetError(e error)

func (*MockAuditLog) UploadSessionRecording

func (d *MockAuditLog) UploadSessionRecording(SessionRecording) error

func (*MockAuditLog) WaitForDelivery

func (d *MockAuditLog) WaitForDelivery(context.Context) error

type MultiLog

type MultiLog struct {
	// contains filtered or unexported fields
}

MultiLog is a logger that fan outs write operations to all loggers, and performs all read and search operations on the first logger that implements the operation

func NewMultiLog

func NewMultiLog(loggers ...IAuditLog) *MultiLog

NewMultiLog returns a new instance of a multi logger

func (*MultiLog) Close

func (m *MultiLog) Close() error

Closer releases connections and resources associated with logs if any

func (*MultiLog) EmitAuditEvent

func (m *MultiLog) EmitAuditEvent(event Event, fields EventFields) error

EmitAuditEvent emits audit event

func (*MultiLog) GetSessionChunk

func (m *MultiLog) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) (data []byte, err error)

GetSessionChunk returns a reader which can be used to read a byte stream of a recorded session starting from 'offsetBytes' (pass 0 to start from the beginning) up to maxBytes bytes.

If maxBytes > MaxChunkBytes, it gets rounded down to MaxChunkBytes

func (*MultiLog) GetSessionEvents

func (m *MultiLog) GetSessionEvents(namespace string, sid session.ID, after int, fetchPrintEvents bool) (events []EventFields, err error)

Returns all events that happen during a session sorted by time (oldest first).

after tells to use only return events after a specified cursor Id

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*MultiLog) PostSessionSlice

func (m *MultiLog) PostSessionSlice(slice SessionSlice) error

DELETE IN: 2.7.0 This method is no longer necessary as nodes and proxies >= 2.7.0 use UploadSessionRecording method. PostSessionSlice sends chunks of recorded session to the event log

func (*MultiLog) SearchEvents

func (m *MultiLog) SearchEvents(fromUTC, toUTC time.Time, query string, limit int) (events []EventFields, err error)

SearchEvents is a flexible way to find events. The format of a query string depends on the implementing backend. A recommended format is urlencoded (good enough for Lucene/Solr)

Pagination is also defined via backend-specific query format.

The only mandatory requirement is a date range (UTC). Results must always show up sorted by date (newest first)

func (*MultiLog) SearchSessionEvents

func (m *MultiLog) SearchSessionEvents(fromUTC, toUTC time.Time, limit int) (events []EventFields, err error)

SearchSessionEvents returns session related events only. This is used to find completed session.

func (*MultiLog) UploadSessionRecording

func (m *MultiLog) UploadSessionRecording(rec SessionRecording) error

UploadSessionRecording uploads session recording to the audit server

func (*MultiLog) WaitForDelivery

func (m *MultiLog) WaitForDelivery(ctx context.Context) error

WaitForDelivery waits for resources to be released and outstanding requests to complete after calling Close method

type SessionChunk

type SessionChunk struct {
	// Time is the occurence of this event
	Time int64 `protobuf:"varint,2,opt,name=Time,proto3" json:"Time,omitempty"`
	// Data is captured data, contains event fields in case of event, session data
	// otherwise
	Data []byte `protobuf:"bytes,3,opt,name=Data,proto3" json:"Data,omitempty"`
	// EventType is event type
	EventType string `protobuf:"bytes,4,opt,name=EventType,proto3" json:"EventType,omitempty"`
	// EventIndex is the event global index
	EventIndex int64 `protobuf:"varint,5,opt,name=EventIndex,proto3" json:"EventIndex,omitempty"`
	// Index is the autoincremented chunk index
	ChunkIndex int64 `protobuf:"varint,6,opt,name=ChunkIndex,proto3" json:"ChunkIndex,omitempty"`
	// Offset is an offset from the previous chunk in bytes
	Offset int64 `protobuf:"varint,7,opt,name=Offset,proto3" json:"Offset,omitempty"`
	// Delay is a delay from the previous event in milliseconds
	Delay                int64    `protobuf:"varint,8,opt,name=Delay,proto3" json:"Delay,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

SessionChunk is a chunk to be posted in the context of the session

func (*SessionChunk) Descriptor

func (*SessionChunk) Descriptor() ([]byte, []int)

func (*SessionChunk) GetChunkIndex

func (m *SessionChunk) GetChunkIndex() int64

func (*SessionChunk) GetData

func (m *SessionChunk) GetData() []byte

func (*SessionChunk) GetDelay

func (m *SessionChunk) GetDelay() int64

func (*SessionChunk) GetEventIndex

func (m *SessionChunk) GetEventIndex() int64

func (*SessionChunk) GetEventType

func (m *SessionChunk) GetEventType() string

func (*SessionChunk) GetOffset

func (m *SessionChunk) GetOffset() int64

func (*SessionChunk) GetTime

func (m *SessionChunk) GetTime() int64

func (*SessionChunk) Marshal

func (m *SessionChunk) Marshal() (dAtA []byte, err error)

func (*SessionChunk) MarshalTo

func (m *SessionChunk) MarshalTo(dAtA []byte) (int, error)

func (*SessionChunk) ProtoMessage

func (*SessionChunk) ProtoMessage()

func (*SessionChunk) Reset

func (m *SessionChunk) Reset()

func (*SessionChunk) Size

func (m *SessionChunk) Size() (n int)

func (*SessionChunk) String

func (m *SessionChunk) String() string

func (*SessionChunk) Unmarshal

func (m *SessionChunk) Unmarshal(dAtA []byte) error

func (*SessionChunk) XXX_DiscardUnknown

func (m *SessionChunk) XXX_DiscardUnknown()

func (*SessionChunk) XXX_Marshal

func (m *SessionChunk) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*SessionChunk) XXX_Merge

func (dst *SessionChunk) XXX_Merge(src proto.Message)

func (*SessionChunk) XXX_Size

func (m *SessionChunk) XXX_Size() int

func (*SessionChunk) XXX_Unmarshal

func (m *SessionChunk) XXX_Unmarshal(b []byte) error

type SessionLogger added in v1.0.0

type SessionLogger interface {
	// LogEvent logs events associated with this session.
	LogEvent(fields EventFields) error

	// Close is called when clients close on the requested "session writer".
	// We ignore their requests because this writer (file) should be closed only
	// when the session logger is closed.
	Close() error

	// Finalize is called by the session when it's closing. This is where we're
	// releasing audit resources associated with the session
	Finalize() error

	// PostSessionSlice posts session slice
	PostSessionSlice(slice SessionSlice) error
}

sessionLogger is an interface that all session loggers must implement.

type SessionRecorder

type SessionRecorder interface {
	io.Writer
	io.Closer
	// GetAuditLog returns audit log associated with this log
	GetAuditLog() IAuditLog
}

SessionRecorder implements io.Writer to be plugged into the multi-writer associated with every session. It forwards session stream to the audit log

type SessionRecording

type SessionRecording struct {
	// Namespace is a session namespace
	Namespace string
	// SessionID is a session ID
	SessionID session.ID
	// Recording is a packaged tarball recording
	Recording io.Reader
}

SessionRecording is a recording of a live session

func (*SessionRecording) CheckAndSetDefaults

func (l *SessionRecording) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default parameters

type SessionSlice

type SessionSlice struct {
	// Namespace is a session namespace
	Namespace string `protobuf:"bytes,1,opt,name=Namespace,proto3" json:"Namespace,omitempty"`
	// SessionID is a session ID associated with this chunk
	SessionID string `protobuf:"bytes,2,opt,name=SessionID,proto3" json:"SessionID,omitempty"`
	// Chunks is a list of submitted session chunks
	Chunks []*SessionChunk `protobuf:"bytes,3,rep,name=Chunks" json:"Chunks,omitempty"`
	// Version specifies session slice version
	Version              int64    `protobuf:"varint,4,opt,name=Version,proto3" json:"Version,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

SessionSlice is a slice of submitted chunks

func (*SessionSlice) Descriptor

func (*SessionSlice) Descriptor() ([]byte, []int)

func (*SessionSlice) GetChunks

func (m *SessionSlice) GetChunks() []*SessionChunk

func (*SessionSlice) GetNamespace

func (m *SessionSlice) GetNamespace() string

func (*SessionSlice) GetSessionID

func (m *SessionSlice) GetSessionID() string

func (*SessionSlice) GetVersion

func (m *SessionSlice) GetVersion() int64

func (*SessionSlice) Marshal

func (m *SessionSlice) Marshal() (dAtA []byte, err error)

func (*SessionSlice) MarshalTo

func (m *SessionSlice) MarshalTo(dAtA []byte) (int, error)

func (*SessionSlice) ProtoMessage

func (*SessionSlice) ProtoMessage()

func (*SessionSlice) Reset

func (m *SessionSlice) Reset()

func (*SessionSlice) Size

func (m *SessionSlice) Size() (n int)

func (*SessionSlice) String

func (m *SessionSlice) String() string

func (*SessionSlice) Unmarshal

func (m *SessionSlice) Unmarshal(dAtA []byte) error

func (*SessionSlice) XXX_DiscardUnknown

func (m *SessionSlice) XXX_DiscardUnknown()

func (*SessionSlice) XXX_Marshal

func (m *SessionSlice) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*SessionSlice) XXX_Merge

func (dst *SessionSlice) XXX_Merge(src proto.Message)

func (*SessionSlice) XXX_Size

func (m *SessionSlice) XXX_Size() int

func (*SessionSlice) XXX_Unmarshal

func (m *SessionSlice) XXX_Unmarshal(b []byte) error

type UploadEvent

type UploadEvent struct {
	// SessionID is a session ID
	SessionID string
	// Error is set in case if event resulted in error
	Error error
}

UploadEvent is emitted by uploader and is used in tests

type UploadHandler

type UploadHandler interface {
	// Upload uploads session tarball and returns URL with uploaded file
	// in case of success.
	Upload(ctx context.Context, sessionID session.ID, readCloser io.Reader) (string, error)
	// Download downloads session tarball and writes it to writer
	Download(ctx context.Context, sessionID session.ID, writer io.WriterAt) error
}

UploadHandler is a function supplied by the user, it will upload the file

type Uploader

type Uploader struct {
	UploaderConfig

	*log.Entry
	// contains filtered or unexported fields
}

Uploader implements a disk based session logger. The imporant property of the disk based logger is that it never fails and can be used as a fallback implementation behind more sophisticated loggers.

func NewUploader

func NewUploader(cfg UploaderConfig) (*Uploader, error)

NewUploader creates new disk based session logger

func (*Uploader) Scan

func (u *Uploader) Scan() error

Scan scans the directory and uploads recordings

func (*Uploader) Serve

func (u *Uploader) Serve() error

func (*Uploader) Stop

func (u *Uploader) Stop() error

type UploaderConfig

type UploaderConfig struct {
	// DataDir is data directory for session events files
	DataDir string
	// Clock is the clock replacement
	Clock clockwork.Clock
	// Namespace is logger namespace
	Namespace string
	// ServerID is a server ID
	ServerID string
	// Context is an optional context
	Context context.Context
	// ScanPeriod is a uploader dir scan period
	ScanPeriod time.Duration
	// ConcurrentUploads sets up how many parallel uploads to schedule
	ConcurrentUploads int
	// AuditLog is audit log client
	AuditLog IAuditLog
	// EventsC is an event channel used to signal events
	// used in tests
	EventsC chan *UploadEvent
}

UploaderConfig sets up configuration for uploader service

func (*UploaderConfig) CheckAndSetDefaults

func (cfg *UploaderConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values of UploaderConfig

type WriterLog

type WriterLog struct {
	// contains filtered or unexported fields
}

WriterLog is an audit log that emits all events to the external writer

func NewWriterLog

func NewWriterLog(w io.WriteCloser) *WriterLog

NewWriterLog returns a new instance of writer log

func (*WriterLog) Close

func (w *WriterLog) Close() error

Close releases connection and resources associated with log if any

func (*WriterLog) EmitAuditEvent

func (w *WriterLog) EmitAuditEvent(event Event, fields EventFields) error

EmitAuditEvent emits audit event

func (*WriterLog) GetSessionChunk

func (w *WriterLog) GetSessionChunk(namespace string, sid session.ID, offsetBytes, maxBytes int) ([]byte, error)

GetSessionChunk returns a reader which can be used to read a byte stream of a recorded session starting from 'offsetBytes' (pass 0 to start from the beginning) up to maxBytes bytes.

If maxBytes > MaxChunkBytes, it gets rounded down to MaxChunkBytes

func (*WriterLog) GetSessionEvents

func (w *WriterLog) GetSessionEvents(namespace string, sid session.ID, after int, includePrintEvents bool) ([]EventFields, error)

Returns all events that happen during a session sorted by time (oldest first).

after tells to use only return events after a specified cursor Id

This function is usually used in conjunction with GetSessionReader to replay recorded session streams.

func (*WriterLog) PostSessionSlice

func (w *WriterLog) PostSessionSlice(SessionSlice) error

DELETE IN: 2.7.0 This method is no longer necessary as nodes and proxies >= 2.7.0 use UploadSessionRecording method. PostSessionSlice sends chunks of recorded session to the event log

func (*WriterLog) SearchEvents

func (w *WriterLog) SearchEvents(fromUTC, toUTC time.Time, query string, limit int) ([]EventFields, error)

SearchEvents is a flexible way to find events. The format of a query string depends on the implementing backend. A recommended format is urlencoded (good enough for Lucene/Solr)

Pagination is also defined via backend-specific query format.

The only mandatory requirement is a date range (UTC). Results must always show up sorted by date (newest first)

func (*WriterLog) SearchSessionEvents

func (w *WriterLog) SearchSessionEvents(fromUTC time.Time, toUTC time.Time, limit int) ([]EventFields, error)

SearchSessionEvents returns session related events only. This is used to find completed session.

func (*WriterLog) UploadSessionRecording

func (w *WriterLog) UploadSessionRecording(r SessionRecording) error

UploadSessionRecording uploads session recording to the audit server

func (*WriterLog) WaitForDelivery

func (w *WriterLog) WaitForDelivery(context.Context) error

WaitForDelivery waits for resources to be released and outstanding requests to complete after calling Close method

Directories

Path Synopsis
Package firestoreeventsLog implements Firestore storage backend for Teleport event storage.
Package firestoreeventsLog implements Firestore storage backend for Teleport event storage.
Package gcssessionsHandler implements GCS storage for Teleport session recording persistence.
Package gcssessionsHandler implements GCS storage for Teleport session recording persistence.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL