Logging, auditing, and streaming
Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.io). This includes real-time open and close events for every inter-machine connection (TCP or UDP) on your network.
Because every connection requires two endpoints, and both endpoints log every connection, it’s possible to detect lost or tampered logs by comparing the double entries of each endpoint. You could also use IDS (intrusion detection system) rules to automatically detect suspicious activity on your network.
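The double-entry check described above, as an added example that is not part of the original page or Tailscale's own tooling. The record layout (event, proto, src, dst) and the sample log lines are constructed assumptions, not Tailscale's actual log schema; the reconciliation logic is what matters.

```python
from collections import Counter

# Constructed sample logs for two endpoints of the same connections.
# The field layout is an assumption for this example, not Tailscale's log schema.
NODE_A_LOG = [
    {"event": "open",  "proto": "tcp", "src": "100.64.0.1:51000", "dst": "100.64.0.2:22"},
    {"event": "close", "proto": "tcp", "src": "100.64.0.1:51000", "dst": "100.64.0.2:22"},
    {"event": "open",  "proto": "udp", "src": "100.64.0.1:41234", "dst": "100.64.0.2:53"},
    {"event": "close", "proto": "udp", "src": "100.64.0.1:41234", "dst": "100.64.0.2:53"},
    {"event": "open",  "proto": "tcp", "src": "100.64.0.1:51001", "dst": "100.64.0.2:443"},
    {"event": "close", "proto": "tcp", "src": "100.64.0.1:51001", "dst": "100.64.0.2:443"},
]
NODE_B_LOG = [
    {"event": "open",  "proto": "tcp", "src": "100.64.0.1:51000", "dst": "100.64.0.2:22"},
    {"event": "close", "proto": "tcp", "src": "100.64.0.1:51000", "dst": "100.64.0.2:22"},
    {"event": "open",  "proto": "udp", "src": "100.64.0.1:41234", "dst": "100.64.0.2:53"},
    # The udp close is missing on B (a lost log line), and the tcp 51001 -> 443
    # connection is entirely absent on B (dropped or removed from B's log).
]


def _key(rec):
    """Identity of a log event that both endpoints of a connection should record."""
    return (rec["proto"], rec["src"], rec["dst"], rec["event"])


def reconcile(log_a, log_b):
    """Return events whose counts differ between the two endpoints' logs.

    Maps each event key to (count_on_a, count_on_b). A side with the lower
    count is missing a log line for that event, which is the signal for a
    lost or tampered log on that endpoint.
    """
    seen_a = Counter(_key(r) for r in log_a)
    seen_b = Counter(_key(r) for r in log_b)
    mismatched = {}
    for key in set(seen_a) | set(seen_b):
        if seen_a[key] != seen_b[key]:
            mismatched[key] = (seen_a[key], seen_b[key])
    return mismatched


if __name__ == "__main__":
    for key, (a, b) in sorted(reconcile(NODE_A_LOG, NODE_B_LOG).items()):
        proto, src, dst, event = key
        print(f"{proto} {src} -> {dst} {event}: node A={a} node B={b}")
```

In practice the two logs would come from the central log store and be keyed on the same connection identity; any key with unequal counts is the discrepancy to investigate.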
Logs can be accessed locally for nodes on desktop platforms.
Open the Event Viewer application and find Tailscale. Alternatively, logs can be accessed in
Open the Console application and search for
Logs are available in the shell:
journalctl -u tailscaled
Tailscale SSH has the ability to optionally record SSH sessions. With session recording enabled, all SSH commands and responses are recorded locally on the device.
To enable session recording on a device, you need to set the environment variable
can typically be done by editing /etc/default/tailscaled and adding the following line:
tailscaled after setting
systemctl restart tailscaled
Session logs are available locally on the device under /var/lib/tailscale/ssh-sessions. These logs are *.cast files, in asciicast v2 format. Use asciinema to watch them.
Session logs are currently limited:
- Session recordings are stored locally on the device, and not currently streamed to remote storage. If the device is compromised, then you should not assume that the logs have not been tampered with.
- Session recordings only include information about the user on the device, not the authenticated user. That is, if Alice authenticated as root on a device, session recordings would only show the user root, not Alice. We are planning to make it easier to correlate SSH session logs to Tailscale client connection logs.
Some logs are centrally collected by Tailscale for debugging. This is done with a custom-built, high-capacity, high-reliability, distributed logging system.
Right now, logs are only accessible locally on each node. You could stream your system- and container-level logs to the same centralized data store for further analysis.