tsrecorder


When accessing sensitive infrastructure through your tailnet, you might need a record of what happened during those sessions. Compliance frameworks might require it, security teams want it for incident investigation, and audits go faster when you can replay exactly what a user did. tsrecorder provides this record.

Tailscale is expanding its privileged access management capabilities with Border0 by Tailscale, which provides session recording for SSH, Kubernetes, RDP, VNC, and database sessions, along with detailed command and query visibility. Tailscale is working to integrate these capabilities into the platform. tsrecorder remains the method for recording Tailscale SSH and kubectl sessions in your tailnet. If you are planning a new session recording deployment, contact Tailscale Sales to discuss whether Border0 fits your environment.

tsrecorder is a node that joins your tailnet and receives recordings of terminal sessions from other devices. It works the same way regardless of what kind of session it records. A device hosting a session streams session data to tsrecorder over the tailnet, and tsrecorder writes it to storage. Because the stream travels over the tailnet, it is end-to-end encrypted like any other tailnet traffic.

What you can record

tsrecorder supports two recording scenarios:

  • Tailscale SSH sessions: Devices running Tailscale SSH stream their sessions to tsrecorder. For more information, refer to Tailscale SSH session recording.
  • Kubernetes sessions: The Kubernetes API server proxy streams the Kubernetes API calls it proxies to tsrecorder, including the interactive endpoints behind kubectl exec and kubectl attach. For more information, refer to Record kubectl sessions.

In both scenarios, recordings capture terminal output (stdout and stderr) along with session metadata such as timestamps, the source device, and the user who started the session. Kubernetes session recordings do not capture stdin, which prevents sensitive input such as passwords from appearing in recordings. tsrecorder stores sessions in asciinema format, which lets you replay them later as they appeared in the terminal.
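Because recordings are written as asciinema v2 casts, you can inspect them with a few lines of code before handing them to an auditor. The following is an added example, not tsrecorder's own code: it parses a cast using only the public asciinema v2 layout (a JSON header object on the first line, then one JSON array `[elapsed_seconds, event_type, data]` per line, where `"o"` is terminal output and `"i"` is stdin), validates the event stream, and reports whether any stdin was captured, which is the check you want before sharing a recording that might otherwise contain a typed secret. The cast below is constructed for the example; any header keys beyond the standard `version`, `width`, `height` and `timestamp` are illustrative and are not tsrecorder's actual metadata field names.

```python
"""Parse and sanity-check an asciinema v2 cast (added example, not tsrecorder code)."""
import json
from dataclasses import dataclass


# Constructed sample cast for the example. Real tsrecorder files add their own
# session metadata to the header; only the standard asciinema v2 keys are relied on here.
SAMPLE_CAST = "\n".join([
    json.dumps({"version": 2, "width": 80, "height": 24, "timestamp": 1700000000,
                "env": {"TERM": "xterm-256color"}}),
    json.dumps([0.1, "o", "$ "]),
    json.dumps([0.9, "o", "kubectl get pods -n prod\r\n"]),
    json.dumps([1.4, "o", "NAME        READY   STATUS\r\n"]),
    json.dumps([1.5, "o", "api-0       1/1     Running\r\n"]),
    json.dumps([2.0, "o", "$ "]),
])

# asciinema v2 event types: "o" output, "i" stdin; later versions also use
# "m" (marker) and "r" (resize), which are kept but not rendered.
KNOWN_EVENT_TYPES = {"o", "i", "m", "r"}


@dataclass
class Cast:
    header: dict
    events: list  # list of (elapsed_seconds, event_type, data)

    @property
    def duration(self) -> float:
        """Elapsed time of the last event; v2 timestamps are absolute from session start."""
        return self.events[-1][0] if self.events else 0.0

    def has_stdin(self) -> bool:
        """True if any keyboard input was captured in this recording."""
        return any(kind == "i" for _, kind, _ in self.events)

    def output(self) -> str:
        """Concatenated terminal output (stdout and stderr are merged in the cast)."""
        return "".join(data for _, kind, data in self.events if kind == "o")


def parse_cast(text: str) -> Cast:
    """Parse a v2 cast, rejecting malformed headers and non-monotonic events."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty cast")
    header = json.loads(lines[0])
    if not isinstance(header, dict) or header.get("version") != 2:
        raise ValueError("not an asciinema v2 header")
    events = []
    last_t = 0.0
    for lineno, ln in enumerate(lines[1:], start=2):
        ev = json.loads(ln)
        if not (isinstance(ev, list) and len(ev) == 3):
            raise ValueError(f"line {lineno}: malformed event")
        t, kind, data = ev
        if not isinstance(t, (int, float)) or t < last_t:
            raise ValueError(f"line {lineno}: timestamp not monotonic")
        if kind not in KNOWN_EVENT_TYPES:
            raise ValueError(f"line {lineno}: unknown event type {kind!r}")
        if not isinstance(data, str):
            raise ValueError(f"line {lineno}: event data must be a string")
        events.append((float(t), kind, data))
        last_t = t
    return Cast(header=header, events=events)


def render_transcript(cast: Cast) -> str:
    """Flatten the output stream into a plain-text transcript for review."""
    return cast.output().replace("\r\n", "\n")


if __name__ == "__main__":
    cast = parse_cast(SAMPLE_CAST)
    print(f"{cast.header['width']}x{cast.header['height']}, {cast.duration:.1f}s, "
          f"stdin captured: {cast.has_stdin()}")
    print(render_transcript(cast))
```

Run it against a file pulled from your storage backend by replacing `SAMPLE_CAST` with the file contents; a cast that raises on parse, or that reports stdin captured when you expected an output-only recording, is worth investigating before it goes into an audit package.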

Border0 by Tailscale supports recording additional session types, such as RDP, VNC, and database sessions.

How recording is controlled

Recording is policy-driven. You deploy tsrecorder with a tag, such as tag:recorder, then reference that tag in a recorder field on the rules that govern the sessions you want to record: the SSH rules for Tailscale SSH, and the Kubernetes grants for the API server proxy. When a session matches a rule with a recorder field, recording starts automatically. Sessions that do not match a recording rule are not recorded.

By default, session recording "fails open". If the recorder node is unreachable, Tailscale still lets the session connect, unrecorded. If your compliance requirements demand that every session is recorded, you can "fail closed" instead by setting enforceRecorder to true on the same rule. With enforcement on, Tailscale blocks the session if it cannot reach a recorder, so a recorder outage becomes an access outage for the sessions that rule covers; plan recorder availability accordingly.
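Because fail-open is the default, a policy file can silently leave some sessions unrecorded or unenforced. The following is an added example, not Tailscale's code: it embeds a constructed sample policy (strict JSON; real policy files are HuJSON, so run them through a HuJSON-aware loader before handing them to this audit) showing an SSH rule and a Kubernetes grant with `recorder` and `enforceRecorder` set, alongside rules that lack one or both, then walks every SSH rule and every `tailscale.com/cap/kubernetes` grant and classifies it as fail-closed, fail-open, or unrecorded. The group names and tags are assumptions, and the ACL lines granting devices access to the recorder on port 80 and viewers access on port 443 reflect the ports the scenario topics direct you to open; confirm them against those topics for your deployment.

```python
"""Audit a Tailscale policy file for session-recording coverage (added example, not Tailscale code)."""
import json

# Constructed sample policy. Only the "ssh" and "grants" sections are audited;
# the "acls" entries are included so the recorder itself is reachable in a real
# deployment (assumed: recording upload on tag:recorder:80, optional UI on :443).
SAMPLE_POLICY = r'''
{
  "tagOwners": {
    "tag:recorder": ["group:security"],
    "tag:prod": ["group:infra"],
    "tag:k8s-operator": ["group:infra"]
  },
  "acls": [
    {"action": "accept", "src": ["tag:prod", "tag:k8s-operator"], "dst": ["tag:recorder:80"]},
    {"action": "accept", "src": ["group:security"], "dst": ["tag:recorder:443"]}
  ],
  "ssh": [
    {"action": "accept", "src": ["group:infra"], "dst": ["tag:prod"], "users": ["autogroup:nonroot"],
     "recorder": ["tag:recorder"], "enforceRecorder": true},
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:prod"], "users": ["autogroup:nonroot"],
     "recorder": ["tag:recorder"]},
    {"action": "check", "src": ["group:admins"], "dst": ["tag:prod"], "users": ["root"]}
  ],
  "grants": [
    {"src": ["group:infra"], "dst": ["tag:k8s-operator"],
     "app": {"tailscale.com/cap/kubernetes": [{"recorder": ["tag:recorder"], "enforceRecorder": true}]}},
    {"src": ["group:dev"], "dst": ["tag:k8s-operator"],
     "app": {"tailscale.com/cap/kubernetes": [{"impersonate": {"groups": ["developers"]}}]}}
  ]
}
'''

KUBERNETES_CAP = "tailscale.com/cap/kubernetes"


def load_policy(text: str) -> dict:
    """Parse a strict-JSON policy document."""
    return json.loads(text)


def _classify(kind: str, index: int, rule: dict, recorder, enforce) -> dict:
    if not recorder:
        mode = "unrecorded"          # no recorder field: sessions are never recorded
    elif enforce is True:
        mode = "fail-closed"         # recorder unreachable -> session blocked
    else:
        mode = "fail-open"           # recorder unreachable -> session allowed, unrecorded
    return {"kind": kind, "index": index, "src": rule.get("src", []),
            "dst": rule.get("dst", []), "recorder": recorder or [], "mode": mode}


def audit_recording(policy: dict) -> list:
    """One finding per SSH rule and per Kubernetes capability entry, in file order."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        findings.append(_classify("ssh", i, rule, rule.get("recorder"), rule.get("enforceRecorder")))
    for i, grant in enumerate(policy.get("grants", [])):
        for cap in grant.get("app", {}).get(KUBERNETES_CAP, []):
            findings.append(_classify("kubernetes", i, grant, cap.get("recorder"), cap.get("enforceRecorder")))
    return findings


def not_fail_closed(policy: dict) -> list:
    """Findings a compliance reviewer would flag: anything not strictly enforced."""
    return [f for f in audit_recording(policy) if f["mode"] != "fail-closed"]


if __name__ == "__main__":
    for f in audit_recording(load_policy(SAMPLE_POLICY)):
        print(f"{f['kind']:10} #{f['index']} {f['src']} -> {f['dst']}: {f['mode']}")
```

The verdict is per rule; a user can match several rules at once, so when tightening a policy check every rule a given source and destination pair can match, not only the first one you find.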

Where recordings are stored

tsrecorder writes recordings to one of two destinations:

  • A local file path, such as a mounted volume
  • An S3-compatible object storage bucket

To configure object storage, refer to Send session recordings to S3.

Set up tsrecorder

Setup follows the same shape for every scenario. You deploy the tsrecorder container, point it at a storage destination, and reference its tag in your tailnet policy file. The scenario-specific topics, Tailscale SSH session recording and Record kubectl sessions, walk through each configuration.

View recordings

You can review recordings in the Tailscale admin console or retrieve them directly from your storage backend. tsrecorder also includes an optional web UI for browsing and replaying recorded sessions. If you enable the UI, configure your tailnet policy file so that only authorized users can reach port 443 on the recorder, because anyone who can reach that port can view every recording. For more information about configuring the web UI, including tailnet policy file examples, refer to Deploy a session recorder in your Kubernetes cluster.