Double entry traffic logs, auditing, and streaming
Each Tailscale agent in your distributed network streams its logs to a central log server (either hosted by Tailscale or directly under your control). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.
Because every connection requires two endpoints, and both endpoints log every connection, it's possible to detect lost or tampered logs using a correlation analysis on the log server. You can also make IDS (intrusion detection system) rules to automatically detect suspicious activity such as port scans, password guessing attempts, and the spread of malware.
If you want, you can also configure Tailscale to stream your system- and container-level logs to the same data store to be used in more detailed analysis.
Tailscale uses a custom-built, high-capacity, high-reliability, distributed logging system called logtail, based on an architecture explained in Avery's blog post about logging.
Some people have inquired about using logtail for their own projects. We are excited about the potential for logtail but have not yet committed to commercializing it. If you'd like to talk about logtail's real-time streaming and analysis features and how they might work for your own product or business, please contact us.