gravitationallogs

package
v1.7.0

This package is not in the latest version of its module.

Published: Aug 20, 2020 License: AGPL-3.0 Imports: 4 Imported by: 0

Documentation

Constants

const LogTypePrefix = "Gravitational"

Variables

var TypeTeleportAudit = logtypes.MustRegisterJSON(logtypes.Desc{
	Name:         LogTypePrefix + ".TeleportAudit",
	Description:  `Teleport logs events like successful user logins along with the metadata like remote IP address, time and the session ID.`,
	ReferenceURL: `https://gravitational.com/teleport/docs/admin-guide/#audit-log`,
}, func() interface{} {
	return &TeleportAudit{}
})

TypeTeleportAudit registers and exports the logtype entry for Gravitational.TeleportAudit logs.

Functions

This section is empty.

Types

type TeleportAudit

type TeleportAudit struct {
	// A (non-exhaustive) list of event types is:
	//
	//   * auth - Authentication attempt.
	//   * session.start - Started an interactive shell session.
	//   * session.end - An interactive shell session has ended.
	//   * session.join - A new user has joined the existing interactive shell session.
	//   * session.leave - A user has left the session.
	//   * session.disk - A list of files opened during the session. Requires Enhanced Session Recording.
	//   * session.network - A list of network connections made during the session. Requires Enhanced Session Recording.
	//   * session.data - A list of data transferred in a session
	//   * session.command - A list of commands ran during the session. Requires Enhanced Session Recording.
	//   * resize - Terminal has been resized.
	//   * user.create - A new user was created
	//   * user.login - A user logged into web UI or via tsh.
	//   * user.update - A user was updated
	//   * github.create - A user was created via github
	Event null.String `json:"event" validate:"required" description:"Event type"`
	Code  null.String `json:"code" validate:"required" description:"Event code"`
	Time  time.Time   `json:"time" tcodec:"rfc3339" validate:"required" panther:"event_time" description:"Event timestamp"`
	UID   null.String `json:"uid" validate:"required" description:"Event unique id"`

	User      null.String `json:"user" description:"Teleport user name (event type is 'user.login')"`
	Namespace null.String `json:"namespace" description:"Server namespace. This field is reserved for future use."`
	ServerID  null.String `json:"server_id" description:"Unique server ID."`
	SessionID null.String `json:"sid" panther:"trace_id" description:"Session ID. Can be used to replay the session."`
	EventID   null.Int32  `json:"ei" description:"Event numeric id"`

	Login         null.String `json:"login" description:"OS login"`
	AddressLocal  null.String `json:"addr.local" panther:"net_addr" description:"Address of the SSH node"`
	AddressRemote null.String `json:"addr.remote" panther:"net_addr" description:"Address of the connecting client (user)"`
	TerminalSize  null.String `json:"size" description:"Size of terminal"`

	// auth event type fields
	Success null.Bool   `json:"success" description:"Authentication success (if event type is 'auth')"`
	Error   null.String `json:"error" description:"Authentication error (event type is 'auth')"`

	// exec event type fields
	Command   null.String `json:"command" description:"Command that was executed (event type is 'exec')"`
	ExitCode  null.Int32  `json:"exitCode" description:"Exit code of the command (event type is 'exec')"`
	ExitError null.String `json:"exitError" description:"Exit error of the command (event type is 'exec')"`

	// session.command type fields
	PID        null.Int64  `json:"pid" description:"Process id of command"`
	ParentPID  null.Int64  `json:"ppid" description:"Process id of the parent process"`
	CGroupID   null.Int64  `json:"cgroup_id" description:"Control group id"`
	ReturnCode null.Int32  `json:"return_code" description:"Return code of the command"`
	Program    null.String `json:"program" description:"Name of the command"`
	ArgV       []string    `json:"argv" description:"Arguments passed to command"`

	// scp event type fields
	Path   null.String `json:"path" description:"Executable path or SCP action target file path (scp, session.command)"`
	Len    null.Int64  `json:"len" description:"SCP target file size (scp)"`
	Action null.String `json:"action" description:"SCP action (scp)"`

	// user.login event type fields
	Method     null.String          `json:"method" description:"Login method used (user.login)"`
	Attributes *jsoniter.RawMessage `json:"attributes" description:"User login attributes (user.login)"`

	// user.create event type fields
	Roles     []string    `json:"roles" description:"Roles for the new user (user.create)"`
	Connector null.String `json:"connector" description:"Connector that created the user (user.create)"`
	Expires   time.Time   `json:"expires" tcodec:"rfc3339" description:"Expiration date "`

	// user.create, user.update, github.create
	Name null.String `json:"name" description:"Name of user or service (github.created, user.create, user.update)"`

	// session.data
	BytesSent     null.Int64 `json:"tx" description:"Number of bytes sent"`
	BytesReceived null.Int64 `json:"rx" description:"Number of bytes received"`

	// session.start
	ServerLabels   map[string]string `json:"server_labels" description:"Server labels"`
	ServerHostname null.String       `json:"server_hostname" panther:"hostname" description:"Server hostname"`
	ServerAddress  null.String       `json:"server_addr" panther:"net_addr" description:"Server hostname"`

	// session.end
	SessionStart      time.Time `json:"session_start" tcodec:"rfc3339" description:"Timestamp of session start"`
	SessionStop       time.Time `json:"session_stop" tcodec:"rfc3339" description:"Timestamp of session end"`
	Interactive       null.Bool `json:"interactive" description:"Whether the session was interactive"`
	EnhancedRecording null.Bool `json:"enhanced_recording" description:"Whether enhanced recording is enabled"`
	Participants      []string  `json:"participants" description:"Users that participated in the session"`

	// session.network
	DestinationAddress null.String `json:"dst_addr" panther:"ip" description:"Destination IP address"`
	SourceAddress      null.String `json:"src_addr" panther:"ip" description:"Source IP address"`
	DestinationPort    null.Uint16 `json:"dst_port" description:"Destination port"`
	Version            null.Int32  `json:"version" description:"Event version"`
}

TeleportAudit is a log event in a Teleport audit log file. NOTE: Each event type has a different mix of fields.
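Because each event type carries a different mix of fields, a consumer has to tell "field absent" apart from "field present and false" before alerting on it. The following is an added example, not code from this package: it uses only the Go standard library, and `auditEvent`, `failedAuthByIP` and `sampleLog` are hypothetical names, with pointer fields standing in for the package's `null.*` types and constructed log lines as input.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// auditEvent is a hypothetical, trimmed stand-in for TeleportAudit. It reuses
// the JSON keys documented above but swaps the null.* types for pointers, so
// "field absent" (nil) stays distinct from "field present and false".
type auditEvent struct {
	Event      string  `json:"event"`
	AddrRemote *string `json:"addr.remote"`
	Success    *bool   `json:"success"`
}

// sampleLog is constructed for this example; it is not real Teleport output.
const sampleLog = `{"event":"auth","code":"EXAMPLE","time":"2020-08-20T10:00:00Z","uid":"1","user":"alice","addr.remote":"203.0.113.7:50112","success":false,"error":"constructed"}
{"event":"auth","code":"EXAMPLE","time":"2020-08-20T10:00:05Z","uid":"2","user":"root","addr.remote":"203.0.113.7:50113","success":false,"error":"constructed"}
{"event":"session.start","code":"EXAMPLE","time":"2020-08-20T10:01:00Z","uid":"3","user":"bob","addr.remote":"198.51.100.4:40022","sid":"constructed-sid"}
{"event":"auth","code":"EXAMPLE","time":"2020-08-20T10:02:00Z","uid":"4","user":"bob","addr.remote":"198.51.100.4:40023","success":true}`

// failedAuthByIP counts explicit authentication failures per client IP.
func failedAuthByIP(log string) (map[string]int, error) {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var ev auditEvent
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil {
			return nil, fmt.Errorf("bad audit line: %w", err)
		}
		// session.start carries no "success" key: nil must not count as a failure.
		if ev.Event != "auth" || ev.Success == nil || *ev.Success || ev.AddrRemote == nil {
			continue
		}
		host, _, err := net.SplitHostPort(*ev.AddrRemote)
		if err != nil {
			host = *ev.AddrRemote // address logged without a port
		}
		counts[host]++
	}
	return counts, sc.Err()
}

func main() {
	counts, err := failedAuthByIP(sampleLog)
	fmt.Println(counts, err)
}
```

With a plain `bool` in place of `*bool`, the `session.start` line would decode with `Success == false` and be indistinguishable from a failed login unless the event type is also checked.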
