Logging, auditing, and streaming
Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.io). This includes real-time open and close events for every inter-machine connection (TCP or UDP) on your network.
Because every connection requires two endpoints, and both endpoints log every connection, it’s possible to detect lost or tampered logs by comparing the double entries of each endpoint. You could also use IDS (intrusion detection system) rules to automatically detect suspicious activity on your network.
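The double-entry comparison described above, as an added example that is not Tailscale's own code. The page does not show the log format, so the record fields, the IP-to-node map and the sample entries are constructed assumptions.

```python
from collections import defaultdict

# Constructed mapping of tailnet IPs to node names (assumption).
NODE_BY_IP = {"100.64.0.1": "laptop", "100.64.0.2": "db", "100.64.0.3": "ci"}

def rec(reporter, event, src, dst, ts, proto="tcp"):
    """Build one connection log entry; the field names are hypothetical."""
    return {"reporter": reporter, "event": event, "proto": proto,
            "src": src, "dst": dst, "ts": ts}

# Constructed sample: the "ci" node never logged the open of its connection to "db".
SAMPLE = [
    rec("laptop", "open", "100.64.0.1:51000", "100.64.0.2:5432", 1000.0),
    rec("db", "open", "100.64.0.1:51000", "100.64.0.2:5432", 1000.4),
    rec("laptop", "close", "100.64.0.1:51000", "100.64.0.2:5432", 1060.0),
    rec("db", "close", "100.64.0.1:51000", "100.64.0.2:5432", 1060.2),
    rec("db", "open", "100.64.0.3:40000", "100.64.0.2:5432", 2000.0),
    rec("ci", "close", "100.64.0.3:40000", "100.64.0.2:5432", 2030.0),
    rec("db", "close", "100.64.0.3:40000", "100.64.0.2:5432", 2030.1),
]

def find_unpaired(records, max_skew=5.0):
    """Return (entry, missing_node) for each entry the peer endpoint did not also log."""
    by_flow = defaultdict(lambda: defaultdict(list))
    for r in records:
        by_flow[(r["event"], r["proto"], r["src"], r["dst"])][r["reporter"]].append(r)
    findings = []
    for (_event, _proto, src, dst), per_node in by_flow.items():
        a = NODE_BY_IP.get(src.rsplit(":", 1)[0])  # node expected to log as source
        b = NODE_BY_IP.get(dst.rsplit(":", 1)[0])  # node expected to log as destination
        left = sorted(per_node.get(a, []), key=lambda r: r["ts"])
        right = sorted(per_node.get(b, []), key=lambda r: r["ts"])
        i = j = 0
        # Pair entries in time order; clocks may differ by up to max_skew seconds.
        while i < len(left) and j < len(right):
            delta = left[i]["ts"] - right[j]["ts"]
            if abs(delta) <= max_skew:
                i, j = i + 1, j + 1
            elif delta < 0:
                findings.append((left[i], b)); i += 1
            else:
                findings.append((right[j], a)); j += 1
        findings += [(r, b) for r in left[i:]] + [(r, a) for r in right[j:]]
        # An entry from a node that is not an endpoint of the flow is also suspect.
        for node, recs in per_node.items():
            if node not in (a, b):
                findings += [(r, None) for r in recs]
    return findings
```

Each finding names the node whose matching entry is absent, which is the log to examine for loss or tampering.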
Logs can be accessed locally for nodes on desktop platforms.
Windows: Open the Event Viewer application and find Tailscale. Alternatively, logs can be accessed in
macOS: Open the Console application and search for
Linux: Logs are available in the shell:
journalctl -u tailscaled
Centralized log management
Right now, logs are only accessible locally on each node. You could stream your system- and container-level logs to the same centralized data store for further analysis.
Tailscale uses a custom-built, high-capacity, high-reliability, distributed logging system called logtail.
If you’d like to talk about logtail’s real-time streaming and analysis features and how they might work for your own product or business, contact us.