Logging, auditing, and streaming
Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.io). This includes real-time open and close events for every inter-machine connection (TCP or UDP) on your network.
Because every connection requires two endpoints, and both endpoints log every connection, it’s possible to detect lost or tampered logs by comparing the double entries of each endpoint. You could also use IDS (intrusion detection system) rules to automatically detect suspicious activity on your network.
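The double-entry check described above, as an added example that is not Tailscale's own code: the record layout, node inventory and log lines are constructed for illustration (this page does not document the real client log schema), and the reconciliation simply asks, for every flow, whether both endpoints reported it with matching open and close events.

```python
from collections import defaultdict

# Constructed inventory: which node owns which tailnet address (assumption).
NODES = {"100.64.0.1": "alice-laptop", "100.64.0.2": "prod-db", "100.64.0.3": "ci-runner"}

# Constructed log records: (reporting node, event, proto, src, dst, unix time).
RECORDS = [
    ("alice-laptop", "open",  "tcp", "100.64.0.1:51234", "100.64.0.2:5432", 100.0),
    ("prod-db",      "open",  "tcp", "100.64.0.1:51234", "100.64.0.2:5432", 100.1),
    ("alice-laptop", "close", "tcp", "100.64.0.1:51234", "100.64.0.2:5432", 160.0),
    ("prod-db",      "close", "tcp", "100.64.0.1:51234", "100.64.0.2:5432", 160.2),
    # ci-runner -> prod-db: only prod-db reported it; ci-runner's log has no entry.
    ("prod-db",      "open",  "tcp", "100.64.0.3:40000", "100.64.0.2:22", 200.0),
    ("prod-db",      "close", "tcp", "100.64.0.3:40000", "100.64.0.2:22", 230.0),
    # alice-laptop -> ci-runner: both saw the open, only ci-runner saw the close.
    ("alice-laptop", "open",  "udp", "100.64.0.1:6000", "100.64.0.3:6000", 300.0),
    ("ci-runner",    "open",  "udp", "100.64.0.1:6000", "100.64.0.3:6000", 300.1),
    ("ci-runner",    "close", "udp", "100.64.0.1:6000", "100.64.0.3:6000", 310.0),
]


def reconcile(records, nodes):
    """Return (flow, node, problem) for every flow whose two endpoint logs disagree."""
    # flow key -> reporting node -> set of event types that node logged
    seen = defaultdict(lambda: defaultdict(set))
    for reporter, event, proto, src, dst, _t in records:
        seen[(proto, src, dst)][reporter].add(event)

    findings = []
    for (proto, src, dst), by_node in seen.items():
        # Both endpoints of the flow are expected to have logged it.
        expected = {nodes[src.rsplit(":", 1)[0]], nodes[dst.rsplit(":", 1)[0]]}
        flow = f"{proto} {src} -> {dst}"
        for node in sorted(expected - set(by_node)):
            findings.append((flow, node, "no entry at all"))
        for node in sorted(expected & set(by_node)):
            missing = {"open", "close"} - by_node[node]
            if missing:
                findings.append((flow, node, "missing " + ",".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for flow, node, problem in reconcile(RECORDS, NODES):
        print(f"{flow}: {node} log {problem}")
```

A single-sided flow or a one-sided close is the signal to investigate; the lead-in's constructed data yields exactly two such findings.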
Client logs
Each client logs information about its own operation and its attempts to contact other nodes. The data collected and how it is used are described in our privacy policy.
Logs can be accessed locally for nodes on desktop platforms.
Windows
Logs can be accessed in %ProgramData%\Tailscale\Logs.
macOS
Open the Console application and search for IPN.
Linux
Logs are available in the shell:
journalctl -u tailscaled
Centralized log management
Some logs are centrally collected by Tailscale for debugging. This is done with a custom-built, high-capacity, high-reliability, distributed logging system.
Right now, logs are only accessible locally on each node. You could stream your system- and container-level logs to the same centralized data store for further analysis.
Opting out of client logging
Windows
This is possible if you set the TS_NO_LOGS_NO_SUPPORT environment variable in %ProgramData%\Tailscale\tailscaled-env.txt:
TS_NO_LOGS_NO_SUPPORT=true
To track when you can instead use the --no-logs-no-support flag, follow our GitHub issue for making it easier to use environment variables.
macOS
If you are running the open source tailscaled macOS variant, pass the --no-logs-no-support flag to tailscaled:
tailscaled --no-logs-no-support
To track when you can use the --no-logs-no-support flag for other macOS variants, follow our GitHub issue for making it easier to use environment variables.
Linux
Either use the --no-logs-no-support flag, or set the TS_NO_LOGS_NO_SUPPORT environment variable.
To use the --no-logs-no-support flag, pass it to tailscaled:
tailscaled --no-logs-no-support
To set the TS_NO_LOGS_NO_SUPPORT environment variable, edit /etc/default/tailscaled and add the following line:
TS_NO_LOGS_NO_SUPPORT=true
Server logs
Configuration audit logs record actions that modify a tailnet’s configuration, including the type of action, the actor, the target resource, and the time.
All users who have access to the admin console can view configuration audit logs in the Logs page of the admin console, and can filter these logs to find specific events.
Configuration audit logs are enabled by default for all tailnets, and are available for the most recent 90 days.
Local SSH session logs
Tailscale SSH has the ability to record SSH sessions locally on the server device.
To enable session recording on a device, you need to set the environment variable TS_DEBUG_LOG_SSH on tailscaled. This can typically be done by editing /etc/default/tailscaled and adding the following line:
TS_DEBUG_LOG_SSH=1
Restart tailscaled after setting TS_DEBUG_LOG_SSH:
systemctl restart tailscaled
Session logs are available locally on the device under /var/lib/tailscale/ssh-sessions. These logs are *.cast files, in asciicast v2 format. Use asciinema to watch them.
Session logs are currently limited:
- Session recordings are stored locally on the device, and not currently streamed to remote storage. If the device is compromised, then you should not assume that the logs have not been tampered with.
- Session recordings only include information about the user on the device, not the authenticated user. That is, if Alice authenticated as root on a device, session recordings would only show the user root, not Alice.