Keep session logs on client machine

Hello Gravitational community,

As far as I know, Teleport (v4.0.x) is saving session binary logs either on the “node” server, on a “proxy” server or not at all as per the config file key session_recording.

There doesn’t seem to be an easy way to keep those session logs on the client machine they originated from, which is problematic for our use case since if you access sensitive data on the client machine running Teleport during a tsh session, this data will be copied along with the session logs back to the Bastion machine (the “node”).

Am I the only one with the issue? Any workarounds to still have session logs but keep them on the client?

Using a 3rd party storage is not ideal for our use case, data should stay on the client machine.

Promoting our clients to act as proxies seems overkill as our Teleport clients are just that … bare minimum clients while our Bastion handles the authentication & so on.

Cheers,

Laurent

Hi - your explanation of how Teleport works is mostly correct. Logs will either be created initially on the node (default) or on the proxy server (when using proxy recording mode). In both cases, however, logs are always uploaded back to the auth server (and then to some kind of object storage if configured) once the session is terminated.

Yours isn’t a request that we’ve had before and there isn’t currently any easy way to make this happen, short of doing what you already described - promoting every server to be its own auth server in order to force logs to be stored there. This would theoretically solve your problem (and you could use Teleport’s trusted clusters feature to make signing into each cluster somewhat easier) but this may be undesirable in general due to extra administration overhead.

If you wanted to fork the Teleport codebase and implement this behaviour yourself, we’d be happy to review a PR to add the functionality. Otherwise, you could always open an issue to make a feature request - but please bear in mind that there is already a large number of open, higher-priority feature requests.

Hello Gus,

Thanks for the thorough explanation, really appreciated 🙂! We’ll evaluate whether or not a PR would be feasible for us.

Have a good one,

Cheers,

Laurent
