Teleport Audit Log Events and Event Codes Reference

Teleport records every significant action in its audit log — SSH session starts and ends, user logins, Kubernetes API calls, database queries, access request decisions, and more. Each record is a JSON object written to a configurable backend, making it straightforward to stream events into SIEM tools, object storage, or time-series databases. Every audit event contains an event field with a dot-separated type identifier (e.g., session.start, user.login) and a code field with a unique alphanumeric code (e.g., T2000I). Codes ending in I are informational, W are warnings, and E are errors or failures.

Audit log storage

By default, Teleport writes audit events to the filesystem under <data_dir>/log/. Configure an alternative backend in auth_service.audit_events_uri:

Local Filesystem

Events are written as JSONL files under data_dir/log/. Suitable for small self-hosted deployments. No extra configuration required.

DynamoDB

Events are stored in a DynamoDB table. Supports automatic TTL and scales with cluster size. Configure with dynamodb://table-name.

Firestore

Events are stored in a Google Cloud Firestore collection. Configure with firestore://collection-name.

S3 / GCS

Events are stored as objects in S3 or Google Cloud Storage. Best for long-term, cost-effective archival. Configure with s3://bucket-name/prefix.

Example teleport.yaml configuration for multiple backends:

auth_service:
  audit_events_uri:
    - dynamodb://teleport-audit-events      # primary (hot)
    - s3://my-audit-bucket/events           # archive (cold)
  audit_sessions_uri: s3://my-audit-bucket/recordings

Teleport Cloud automatically configures audit log storage for you. The settings above apply only to self-hosted clusters.

Common event types

Session events

session.start — SSH or Kubernetes session initiated

Emitted when a user starts an interactive SSH or exec session.

Field	Description
`event`	`session.start`
`code`	`T2000I`
`user`	Teleport username.
`login`	OS login used on the SSH node.
`sid`	Session ID (UUID).
`server_id`	UUID of the SSH node.
`server_hostname`	Hostname of the SSH node.
`namespace`	Always `default`.
`size`	Terminal dimensions at start (`cols:rows`).
`time`	RFC 3339 timestamp.
`uid`	Unique event ID.

{
  "addr.local": "172.31.28.130:3022",
  "addr.remote": "151.181.228.114:51454",
  "code": "T2000I",
  "ei": 0,
  "event": "session.start",
  "login": "root",
  "namespace": "default",
  "server_id": "de3800ea-69d9-4d72-a108-97e57f8eb393",
  "sid": "56408539-6536-11e9-80a1-427cfde50f5a",
  "size": "80:25",
  "time": "2019-04-22T19:39:26.676Z",
  "uid": "84c07a99-856c-419f-9de5-15560451a116",
  "user": "admin@example.com"
}

session.end — session completed

Emitted when a session ends, including total duration, participants, and whether recording is available.

Field	Description
`event`	`session.end`
`code`	`T2004I`
`session_start`	Session start time (RFC 3339).
`session_stop`	Session end time (RFC 3339).
`participants`	List of Teleport usernames in the session.
`interactive`	Whether the session had an interactive PTY.
`enhanced_recording`	Whether BPF recording was active.

{
  "cluster_name": "example.teleport.sh",
  "code": "T2004I",
  "ei": 1,
  "enhanced_recording": false,
  "event": "session.end",
  "interactive": true,
  "login": "root",
  "namespace": "default",
  "participants": ["alice"],
  "server_hostname": "ip-172-31-30-254",
  "server_id": "d3ddd1f8-b602-488b-00c66e29879f",
  "session_start": "2021-05-21T22:23:55.313Z",
  "session_stop": "2021-05-21T22:54:27.122Z",
  "sid": "9d92ad96-a45c-4add-463cc7bc48b1",
  "time": "2021-05-21T22:54:27.123Z",
  "uid": "984ac949-6605-4f0a-e450aa5665f4",
  "user": "alice"
}

session.command — command executed in session (enhanced recording)

Emitted for each command run inside a session when BPF-based enhanced recording is enabled.

Field	Description
`event`	`session.command`
`code`	`T4000I`
`program`	Binary name (e.g., `bash`, `ping`).
`path`	Full path to the binary.
`argv`	Command arguments.
`pid`	Process ID.
`ppid`	Parent process ID.
`return_code`	Exit code.
`cgroup_id`	Cgroup ID used to attribute the command to the session.

{
  "argv": ["google.com"],
  "cgroup_id": 4294968064,
  "code": "T4000I",
  "ei": 5,
  "event": "session.command",
  "login": "root",
  "namespace": "default",
  "path": "/bin/ping",
  "pid": 2653,
  "ppid": 2660,
  "program": "ping",
  "return_code": 0,
  "server_id": "96f2bed2-ebd1-494a-945c-2fd57de41644",
  "sid": "44c6cea8-362f-11ea-83aa-125400432324",
  "time": "2020-01-13T18:05:53.919Z",
  "uid": "734930bb-00e6-4ee6-8798-37f1e9473fac",
  "user": "benarent"
}

Authentication events

user.login — user authentication attempt

Emitted on every login attempt, regardless of outcome.

Field	Description
`event`	`user.login`
`code`	`T1000I` (local success), `T1000W` (local failure), `T1001I` (SSO), `T1001W` (SSO failure).
`method`	Authentication method: `local`, `oidc`, `saml`, `github`, `headless`.
`success`	`true` or `false`.
`error`	Error message on failure.

{
  "code": "T1000I",
  "event": "user.login",
  "method": "local",
  "success": true,
  "time": "2019-04-22T00:49:03Z",
  "uid": "173d6b6e-d613-44be-8ff6-f9f893791ef2",
  "user": "admin@example.com"
}

Failed login example:

{
  "code": "T1000W",
  "error": "user(name=\"fsdfsdf\") not found",
  "event": "user.login",
  "method": "local",
  "success": false,
  "time": "2019-04-22T18:06:32Z",
  "uid": "597bf08b-75b2-4dda-a578-e387c5ce9b76",
  "user": "fsdfsdf"
}

Database events

db.session.start — database session started

{
  "cluster_name": "root",
  "code": "TDB00I",
  "db_name": "",
  "db_protocol": "mongodb",
  "db_service": "mongo-primary",
  "db_uri": "mongodb://mongo-1:27017/?replicaSet=rs0",
  "db_user": "alice",
  "ei": 0,
  "event": "db.session.start",
  "namespace": "default",
  "server_id": "05ff66c9-a948-42f4-af0e-a1b6ba62561e",
  "sid": "13c04d4b-2e94-4106-a3a1-5ab8aae10465",
  "success": true,
  "time": "2021-07-14T07:01:31.958Z",
  "uid": "4a613b84-7315-41f4-9219-1afd6b08d4da",
  "user": "alice@example.com"
}

db.session.query — SQL or MongoDB query executed

{
  "cluster_name": "root",
  "code": "TDB02I",
  "db_name": "test",
  "db_protocol": "mongodb",
  "db_query": "{\"find\": \"test\",\"filter\": {}}",
  "db_service": "mongo-primary",
  "db_user": "alice",
  "ei": 11,
  "event": "db.session.query",
  "sid": "13c04d4b-2e94-4106-a3a1-5ab8aae10465",
  "success": true,
  "time": "2021-07-14T07:03:49.783Z",
  "uid": "c4550623-0538-452d-912b-1242715666c4",
  "user": "alice@example.com"
}

Kubernetes events

kube.request — Kubernetes API call

Emitted for every Kubernetes API request proxied through Teleport.

Field	Description
`kubernetes_cluster`	Name of the Kubernetes cluster.
`verb`	HTTP verb: `GET`, `POST`, `PATCH`, `DELETE`, etc.
`request_path`	Full API path.
`resource_kind`	Kubernetes resource kind (e.g., `pods`).
`resource_namespace`	Kubernetes namespace.
`resource_name`	Resource name.
`response_code`	HTTP status code.

{
  "code": "T3009I",
  "event": "kube.request",
  "kubernetes_cluster": "gke_teleport-a",
  "login": "awly",
  "request_path": "/api/v1/namespaces/teletest/pods/test-pod",
  "resource_api_group": "core/v1",
  "resource_kind": "pods",
  "resource_name": "test-pod",
  "resource_namespace": "teletest",
  "response_code": 200,
  "time": "2020-11-12T20:35:44.978Z",
  "uid": "8c1459a8-9199-4d25-bc5d-38e000ddd9ab",
  "user": "alex",
  "verb": "GET"
}

Application events

app.session.start — application session started

{
  "addr.remote": "50.34.48.113:56902",
  "code": "T2007I",
  "ei": 0,
  "event": "app.session.start",
  "namespace": "default",
  "public_addr": "grafana.example.teleport.sh",
  "server_id": "a0518380-0d53-4188-ac8b-8ddd8103e45b",
  "sid": "6593cf87-9839-4f18-abf8-c54873aaeb4e",
  "time": "2020-10-30T17:28:14.381Z",
  "uid": "80400ed9-644e-4a6e-ab99-b264b34d0f55",
  "user": "alice",
  "app_name": "grafana"
}

Access Request events

access_request.create / update — Access Request lifecycle

{
  "id": "66b827b2-1b0b-512b-965d-6c789388d3c9",
  "code": "T5000I",
  "event": "access_request.create",
  "time": "2020-06-05T19:26:53Z",
  "uid": "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0",
  "user": "alice",
  "state": "PENDING",
  "roles": ["prod-access"]
}

Review/approval event:

{
  "id": "66b827b2-1b0b-512b-965d-6c789388d3c9",
  "code": "T5001I",
  "event": "access_request.update",
  "time": "2020-06-05T19:26:53Z",
  "uid": "68a83a99-73ce-4bd7-bbf7-99103c2ba6a0",
  "state": "APPROVED",
  "updated_by": "bob"
}

Event type quick reference

Event	Code (success)	Description
`session.start`	`T2000I`	SSH/Kubernetes session started.
`session.end`	`T2004I`	Session ended.
`session.command`	`T4000I`	Command executed (enhanced recording).
`session.network`	`T4002I`	Network connection in session (enhanced recording).
`user.login`	`T1000I`	User authenticated.
`user.create`	`T1002I`	User created.
`user.delete`	`T1004I`	User deleted.
`db.session.start`	`TDB00I`	Database session started.
`db.session.end`	`TDB01I`	Database session ended.
`db.session.query`	`TDB02I`	Database query executed.
`kube.request`	`T3009I`	Kubernetes API request.
`app.session.start`	`T2007I`	Application session started.
`app.session.end`	`T2011I`	Application session ended.
`windows.desktop.session.start`	`TDP00I`	Windows RDP session started.
`windows.desktop.session.end`	`TDP01I`	Windows RDP session ended.
`access_request.create`	`T5000I`	Access Request created.
`access_request.update`	`T5001I`	Access Request approved or denied.
`role.created`	`T9000I`	Role created.
`role.deleted`	`T9001I`	Role deleted.
`github.created`	`T8000I`	GitHub connector created.
`oidc.created`	`T8100I`	OIDC connector created.
`saml.created`	`T8200I`	SAML connector created.
`bot.join`	`TJ001I`	Machine ID bot joined the cluster.
`cert.create`	`TC000I`	Certificate issued.

Browsing audit events

You can browse audit events in the Teleport Web UI under Activity → Audit Log, where you can filter by event type, user, and date range. For automated processing, export events to a SIEM or object storage backend and query them with standard tooling. You can also query session recordings with:

# List session recordings from the last 24 hours
tctl recordings ls --last=24h

# Search session recordings by date range
tctl recordings ls \
  --from-utc="2024-01-01T00:00:00Z" \
  --to-utc="2024-01-02T00:00:00Z"

For long-term audit log analysis, export events to a SIEM (Splunk, Elastic, Datadog) or query them directly from S3/DynamoDB using standard tooling. See the Export Audit Events guide for integration options.

CLI Reference

Configuration & API

Teleport Audit Log Events and Event Codes Reference

Audit log storage

Local Filesystem

DynamoDB

Firestore

S3 / GCS

Common event types

Session events

Authentication events

Database events

Kubernetes events

Application events

Access Request events

Event type quick reference

Browsing audit events

Build docs developers (and LLMs) love

CLI Reference

Configuration & API

Documentation Index

​Audit log storage

Local Filesystem

DynamoDB

Firestore

S3 / GCS

​Common event types

​Session events

​Authentication events

​Database events

​Kubernetes events

​Application events

​Access Request events

​Event type quick reference

​Browsing audit events

Build docs developers (and LLMs) love

Audit log storage

Common event types

Session events

Authentication events

Database events

Kubernetes events

Application events

Access Request events

Event type quick reference

Browsing audit events