Sending teleport audit events to syslog

Is it possible to send teleport audit events to syslog (not the session blobs, just the json events)? From the docs, I see they can be sent to stdout, but nothing about syslog, which would make it really easy to integrate into our logging infrastructure.

@sskousen yes it is possible. Logging configuration is defined in the teleport.yaml file. Under log the output can be updated.

You can view this in the docs here: https://gravitational.com/teleport/docs/admin-guide/#configuration-file

@abdu I see that as a configuration option, but I don’t want all the normal logging events that teleport generates, I want the contents of audit_events_uri so that we can feed the audit events into a SIEM.

You could try audit_events_uri: ['syslog://'] but I suspect it’s not currently implemented. I will test it and if necessary, raise a feature request for this and add it to the backlog.

error: unsupported scheme for audit_events_uri: "syslog", currently supported schemes are "dynamodb" and "file", initialization failed

syslog is not currently supported. I’ll raise an issue.

https://github.com/gravitational/teleport/issues/3331 created