Required fields are in bold.
Teleport logs events such as successful user logins, along with metadata such as the remote IP address, time, and session ID. Reference: https://gravitational.com/teleport/docs/admin-guide/#audit-log
| Column | Type | Description |
| --- | --- | --- |
|  |  | Event type |
|  |  | Event code |
|  |  | Event timestamp |
|  |  | Event unique id |
|  |  | Teleport user name (event type is 'user.login') |
|  |  | Server namespace. This field is reserved for future use. |
|  |  | Unique server ID. |
|  |  | Session ID. Can be used to replay the session. |
|  |  | Event numeric id |
|  |  | OS login |
|  |  | Address of the SSH node |
|  |  | Address of the connecting client (user) |
|  |  | Size of terminal |
|  |  | Authentication success (if event type is 'auth') |
|  |  | Authentication error (event type is 'auth') |
|  |  | Command that was executed (event type is 'exec') |
|  |  | Exit code of the command (event type is 'exec') |
|  |  | Exit error of the command (event type is 'exec') |
|  |  | Process id of command |
|  |  | Process id of the parent process |
|  |  | Control group id |
|  |  | Return code of the command |
|  |  | Name of the command |
|  |  | Arguments passed to command |
|  |  | Executable path or SCP action target file path (scp, session.command) |
|  |  | SCP target file size (scp) |
|  |  | SCP action (scp) |
|  |  | Login method used (user.login) |
|  |  | User login attributes (user.login) |
|  |  | Roles for the new user (user.create) |
|  |  | Connector that created the user (user.create) |
|  |  | Expiration date |
|  |  | Name of user or service (github.created, user.create, user.update) |
|  |  | Number of bytes sent |
|  |  | Number of bytes received |
|  |  | Server labels |
|  |  | Server hostname |
|  |  | Server hostname |
|  |  | Timestamp of session start |
|  |  | Timestamp of session end |
|  |  | Whether the session was interactive |
|  |  | Whether enhanced recording is enabled |
|  |  | Users that participated in the session |
|  |  | Destination IP address |
|  |  | Source IP address |
|  |  | Destination port |
|  |  | Event version |
|  |  | Panther added standardized event time (UTC) |
|  |  | Panther added standardized log parse time (UTC) |
|  |  | Panther added field with type of log |
|  |  | Panther added field with unique id (within table) |
|  |  | Panther added field with the source id |
|  |  | Panther added field with the source label |
|  |  | Panther added field with collection of ip addresses associated with the row |
|  |  | Panther added field with collection of domain names associated with the row |
|  |  | Panther added field with collection of context trace identifiers |