Logging, auditing, and streaming
Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.io). This includes real-time open and close events for every inter-machine connection (TCP or UDP) on your network.
Because every connection requires two endpoints, and both endpoints log every connection, it’s possible to detect lost or tampered logs by comparing the double entries of each endpoint. You could also use IDS (intrusion detection system) rules to automatically detect suspicious activity on your network.
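The double-entry comparison described above, sketched as an added example (not Tailscale's code). The record fields, node names, addresses, and skew tolerance are constructed for illustration and are not Tailscale's log schema.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not Tailscale's schema.
def rec(reporter, src, dst, event, ts, proto="tcp"):
    return {"reporter": reporter, "src": src, "dst": dst,
            "proto": proto, "event": event, "ts": ts}

RECORDS = [
    rec("node-a", "100.64.0.1:51000", "100.64.0.2:22", "open", 1000),
    rec("node-b", "100.64.0.1:51000", "100.64.0.2:22", "open", 1000),
    rec("node-a", "100.64.0.1:51000", "100.64.0.2:22", "close", 1060),
    rec("node-b", "100.64.0.1:51000", "100.64.0.2:22", "close", 1061),
    # Only the destination logged this flow: node-a's entry is missing.
    rec("node-c", "100.64.0.1:51002", "100.64.0.3:5432", "open", 1100),
    # Both sides logged, but the timestamps disagree by far more than clock skew.
    rec("node-b", "100.64.0.2:40000", "100.64.0.3:443", "open", 1200),
    rec("node-c", "100.64.0.2:40000", "100.64.0.3:443", "open", 1900),
]
# Constructed inventory mapping tailnet addresses to node names.
NODE_OF = {"100.64.0.1": "node-a", "100.64.0.2": "node-b", "100.64.0.3": "node-c"}


def reconcile(records, node_of, max_skew=5):
    """Return findings for events not logged consistently by both endpoints."""
    seen = defaultdict(dict)  # (proto, src, dst, event) -> {reporter: ts}
    for r in records:
        seen[(r["proto"], r["src"], r["dst"], r["event"])][r["reporter"]] = r["ts"]

    findings = []
    for key, reports in sorted(seen.items()):
        _, src, dst, _ = key
        # Strip the port to find which two nodes should have logged this event.
        expected = {node_of.get(addr.rsplit(":", 1)[0]) for addr in (src, dst)}
        if None in expected:
            findings.append(("unknown_endpoint", key, None))
            continue
        for node in sorted(expected - set(reports)):
            findings.append(("missing_entry", key, node))
        for node in sorted(set(reports) - expected):
            findings.append(("unexpected_reporter", key, node))
        ts = [reports[n] for n in expected if n in reports]
        if len(ts) == 2 and abs(ts[0] - ts[1]) > max_skew:
            findings.append(("timestamp_mismatch", key, None))
    return findings


if __name__ == "__main__":
    for finding in reconcile(RECORDS, NODE_OF):
        print(finding)
```

A `missing_entry` finding names the endpoint whose log is absent, which is the node to examine for lost or altered logs.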
Logs can be accessed locally for nodes on some desktop platforms.
Logs are stored in C:\ProgramData\Tailscale (or, more generally,
Open the Console application and search for
Logs are available in the shell:
journalctl -u tailscaled
Some logs are centrally collected by Tailscale for debugging. This is done with a custom-built, high-capacity, high-reliability, distributed logging system.
Client operational logs are only accessible locally on each node, but you could stream your system- and container-level logs to the same centralized data store for further analysis. Network flow logs are available from the admin console when enabled.
This is possible if you set the TS_NO_LOGS_NO_SUPPORT environment variable in
To track when you can instead use the --no-logs-no-support flag, follow our GitHub issue for making it easier to use environment variables.
If you are running the open source tailscaled macOS variant, pass the --no-logs-no-support flag to
To track when you can use the --no-logs-no-support flag for other macOS variants, follow our GitHub issue for making it easier to use environment variables.
Either use the --no-logs-no-support flag, or set the TS_NO_LOGS_NO_SUPPORT environment variable.
To use the --no-logs-no-support flag, pass it to
To set the TS_NO_LOGS_NO_SUPPORT environment variable, edit /etc/default/tailscaled and add the following line:
Network flow logs are available to help you understand which devices are connecting to one another over time, i.e. the flow of traffic across your tailnet.
These logs strictly do not contain any information about client operations or contents of network traffic.
Network flow logs must be enabled.
Configuration audit logs record actions that modify a tailnet’s configuration, including the type of action, the actor, the target resource, and the time.
Configuration audit logs are enabled by default for all tailnets, and are available for the most recent 90 days.
Local SSH session logs are not supported as of version 1.48.0.
You can use Tailscale SSH session recording to stream recordings from the server device.