Blog|April 27, 2023

Announcing network flow logs and log streaming

Tailscale takes your network’s security and reliability seriously. That’s why we built features like configuration audit logs to help you monitor and review changes to your network. Recently, we released network flow logs, in beta, to help you monitor network activity in your tailnet. These logs allow you to detect threats, investigate security incidents, maintain compliance with your network security policies, and troubleshoot network issues. 

Network flow logs record the metadata about your network traffic. Your connections on Tailscale are (and remain) end-to-end encrypted and we never log the content of your network traffic, nor do we have access to do so.

Take a look at the JSON code snippet below to see an example:

{"logs": [{
  "nodeId": "aBcdef1CNTRL",
  "logged": "2022-10-28T22:40:00.290605382Z",
  "start":  "2022-10-28T22:39:51.890385065Z",
  "end":    "2022-10-28T22:39:56.886545512Z",
  "virtualTraffic": [{
    "proto": 6, "src": "100.111.22.33:21291", "dst": "100.111.44.55:63281",
    "txPkts": 2, "txBytes": 108, "rxPkts": 2, "rxBytes": 112
  }, {
    "proto": 6, "src": "100.111.22.33:864", "dst": "100.44.55.66:2049",
    "txPkts": 6, "txBytes": 900, "rxPkts": 3, "rxBytes": 728
  }, {
    "proto": 6, "src": "100.111.22.33:723", "dst": "100.99.888.77:2049",
    "txPkts": 4, "txBytes": 596, "rxPkts": 2, "rxBytes": 432
  }, {
    "proto": 6, "src": "100.111.22.33:21291", "dst": "100.111.44.55:63280",
    "txPkts": 2, "txBytes": 108, "rxPkts": 2, "rxBytes": 112
  }]
}]}

Monitor tailnet connections with network flow logs

Network flow logs provide insight into the traffic to and from devices on your tailnet. These logs are sent at regular intervals and are directly tied to the device identities that send them. This makes it easier to attribute activity patterns to specific devices over longer periods of time.

Most administrator roles can enable network flow logs from the Logs tab of the admin console. The logs can be accessed via our APIs, or they can be streamed directly from the admin console to a security information and event management (SIEM) system. These systems are well suited to indexing large volumes of logs, searching for specific keywords, and setting up alerts. This enables customers to effectively monitor the health of nodes and gain visibility into traffic patterns on their tailnets. We currently support Splunk and ELK as streaming destinations, and we are working to add more partner integrations. Please let us know if you need support for a specific SIEM partner.
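As an added example (not Tailscale's code and not part of the original post), the Python below reads a document in the shape of the JSON snippet above, totals bytes per sending node and destination host, and flags flows to watched ports for review. The `WATCHED_PORTS` set, the function names and the sample addresses are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the snippet above (addresses are made up).
SAMPLE = """
{"logs": [{
  "nodeId": "aBcdef1CNTRL",
  "start":  "2022-10-28T22:39:51.890385065Z",
  "end":    "2022-10-28T22:39:56.886545512Z",
  "virtualTraffic": [
    {"proto": 6, "src": "100.111.22.33:21291", "dst": "100.111.44.55:63281",
     "txPkts": 2, "txBytes": 108, "rxPkts": 2, "rxBytes": 112},
    {"proto": 6, "src": "100.111.22.33:864", "dst": "100.44.55.66:2049",
     "txPkts": 6, "txBytes": 900, "rxPkts": 3, "rxBytes": 728},
    {"proto": 6, "src": "100.111.22.33:723", "dst": "100.44.55.77:2049",
     "txPkts": 4, "txBytes": 596, "rxPkts": 2, "rxBytes": 432}
  ]
}]}
"""

WATCHED_PORTS = {2049}  # assumption: ports this tailnet's policy wants reviewed (2049 = NFS)

def split_hostport(addr):
    """Split 'ip:port' (or '[v6]:port') on the last colon into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def summarize(doc):
    """Return (bytes per (nodeId, dst host), flows whose dst port is watched)."""
    totals = defaultdict(int)
    flagged = []
    for entry in doc.get("logs", []):
        node = entry["nodeId"]  # the device identity that sent this log entry
        for flow in entry.get("virtualTraffic", []):
            host, port = split_hostport(flow["dst"])
            totals[(node, host)] += flow.get("txBytes", 0) + flow.get("rxBytes", 0)
            if port in WATCHED_PORTS:
                flagged.append((node, flow["src"], flow["dst"], entry["start"]))
    return dict(totals), flagged

if __name__ == "__main__":
    totals, flagged = summarize(json.loads(SAMPLE))
    for (node, host), nbytes in sorted(totals.items()):
        print(f"{node} -> {host}: {nbytes} bytes")
    for node, src, dst, start in flagged:
        print(f"REVIEW {start} node={node} {src} -> {dst}")
```

Because every entry carries the sending `nodeId`, the same aggregation can be keyed on device identity over many log windows rather than on IP address alone.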

Network flow logs are available on the Premium and Enterprise plans.

Log streaming for both network flow logs and configuration audit logs is available on the Enterprise plans.

Ready to use the feature? Go to the admin console to enable it and try it now!

Authors

Pouyan Aminian
Jairo Camacho