Docs / Solutions

Logging, auditing, and streaming

Each Tailscale agent in your distributed network streams its logs to a central log server (at This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.

Because every connection requires two endpoints, and both endpoints log every connection, it’s possible to detect lost or tampered logs by comparing the double entries of each endpoint. You could also use IDS (intrusion detection system) rules to automatically detect suspicious activity on your network.

Client logs

Each client logs information about its own operation and its attempts to contact other nodes. The data collected and how it is used are described in our privacy policy.

Logs can be accessed locally for nodes on desktop platforms.


Open the Event Viewer application and find Tailscale. Alternatively, logs can be accessed in %LOCALAPPDIR%\Tailscale.


Open the Console application and search for IPN.


Logs are available in the shell:

journalctl -u tailscaled

Centralized log management

Right now, logs are only accessible locally on each node. You could stream your system- and container-level logs to the same centralized data store for further analysis.

Implementation note

Tailscale uses a custom-built, high-capacity, high-reliability, distributed logging system called logtail.

If you’d like to talk about logtail’s real-time streaming and analysis features and how they might work for your own product or business, contact us.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2021 Tailscale Inc.

Privacy & Terms