Logging overview
Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.
Because every connection requires two endpoints, and both endpoints log every connection, it's possible to detect lost or tampered logs by comparing the double entries of each endpoint. You could also use IDS (intrusion detection system) rules to automatically detect suspicious activity on your network.
Client logs
Each client logs information about its own operation and its attempts to contact other nodes. The data collected and how it is used are described in our privacy policy.
You can access logs locally for nodes on some desktop platforms.
Logs are available in the shell:
journalctl -u tailscaled
Centralized log management
Some logs are centrally collected by Tailscale for debugging. This is done with a custom-built, high-capacity, high-reliability, distributed logging system.
Client operational logs are only accessible locally on each node, but you could stream your system- and container-level logs to the same centralized data store for further analysis. Network flow logs are available from the admin console when enabled.
Opt out of client logging
If you block client logging, Tailscale may not be able to provide technical support.
Either use the --no-logs-no-support flag, or set the TS_NO_LOGS_NO_SUPPORT environment variable.
To use the --no-logs-no-support flag, pass it to tailscaled:
tailscaled --no-logs-no-support
To set the TS_NO_LOGS_NO_SUPPORT environment variable, edit /etc/default/tailscaled and add the following line:
TS_NO_LOGS_NO_SUPPORT=true
Kubernetes Operator logs
The Kubernetes Operator's reconciliation logs are centrally collected for debugging. These logs describe steps the Kubernetes Operator has taken to bring the deployed state in-line with the desired state regarding Kubernetes resources.
Refer to our privacy policy to understand the data collected and how we use it.
You can access logs locally using the kubectl logs command.
Opt out of Kubernetes logging
If you deployed the Kubernetes Operator with Helm, add the TS_NO_LOGS_NO_SUPPORT environment variable to the operatorConfig.extraEnv section:
operatorConfig:
extraEnv:
- name: TS_NO_LOGS_NO_SUPPORT
value: "true"
If you deployed the Kubernetes Operator with static manifests, add the TS_NO_LOGS_NO_SUPPORT environment variable to the Kubernetes Operator's Deployment:
env:
- name: TS_NO_LOGS_NO_SUPPORT
value: "true"
Network flow logs
Network flow logs are available to help you understand which devices are connecting to one another over time, that is, the flow of traffic across your tailnet.
These logs strictly do not contain any information about client operations or contents of network traffic.
Network flow logs must be enabled.
Flow logs can be configured to stream to a security information and event management (SIEM) system.
Server logs
Configuration audit logs record actions that modify a tailnet's configuration, including the type of action, the actor, the target resource, and the time.
All users who have access to the admin console can view configuration audit logs in the Logs page of the admin console, and can filter these logs to find specific events.
Configuration audit logs are enabled by default for all tailnets, and are available for the most recent 90 days.
Audit logs can be configured to stream to a security information and event management (SIEM) system.
Local SSH session logs
Local SSH session logs are not supported as of version 1.48.0.
You can use Tailscale SSH session recording to streaming recordings from the server device.