
Analyze and Correlate Teleport Audit Logs

In this guide, you will configure your Teleport cluster to forward Audit Logs to the Teleport Identity Security product for better visibility into, and alerting on, suspicious activity.

Teleport Identity Activity Center is a centralized data platform that enhances visibility and allows you to search and analyze activity from both human and non-human identities across multiple data sources.

It provides a rich visualization layer that maps access policies across services such as AWS, GitHub, Okta, and Teleport with the real-time activity from those identities.

Built to assist security and operations teams, Identity Activity Center combines the activities of the same identity across different platforms, improving the correlation of identity-based events and speeding up investigations. Its alerting engine detects irregularities in audit logs, highlights unusual behavior, and describes the access each identity holds across corporate services, giving responders context during an incident.

Identity Activity Center is a feature of the Teleport Identity Security product and is only available to Teleport Enterprise customers.

How it works

Your Teleport cluster will continuously monitor incoming Audit Logs and forward them to Identity Security, where they will be ingested, standardized, analyzed, and stored for long-term retention.

Prerequisites

  • A running Teleport Enterprise cluster v18.0.0 or later.
  • Identity Security enabled for your account.
  • For self-hosted clusters:
    • Ensure that an up-to-date license.pem is used in the Auth Service configuration.
    • A running Access Graph node v1.28.0 or later with Identity Activity Center enabled. Check the Identity Security page for details on how to set up Access Graph and enable Identity Activity Center.

Step 1/1. Enable Teleport Audit Log export

This section will guide you through the process of configuring your Teleport cluster to export audit logs to Teleport Identity Security.

note

The start_date parameter is optional. When not set, it defaults to 10 days before the first successful audit log export. Once the first export has succeeded, this parameter cannot be modified.


When running a self-hosted cluster, edit the configuration file of each of your Teleport Auth Service instances (by default /etc/teleport.yaml) and merge the following YAML snippet into the existing access_graph section:

access_graph:
    # <...> keep your existing access_graph settings here

    audit_log:
        # enables Audit Log export from Teleport to Identity Security
        enabled: true
        # start_date is an optional field. It defines the date from which
        # Identity Activity Center should ingest Teleport Audit Logs.
        # If not defined, it defaults to 10 days prior to the first
        # successful export, and it cannot be changed afterwards.
        #
        # start_date: "2025-06-01T00:00:00Z"

Once this is done on every Auth Service instance, restart the Teleport Auth Service on each of them with:

$ sudo systemctl restart teleport
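The following is an added example, not Teleport's own tooling, that applies the rules from this step to a parsed copy of teleport.yaml: it merges the audit_log block into the existing access_graph section without clobbering its other keys, validates start_date as an RFC 3339 UTC timestamp, refuses to overwrite a start_date that is already set (since the value cannot be changed after the first export), and resolves the effective ingest start when start_date is omitted. It operates on a plain dict as yaml.safe_load would return it; PyYAML is deliberately not imported so the example runs stand-alone, and the sample configuration and endpoint below are constructed placeholders.

```python
"""Merge and check Teleport access_graph.audit_log settings (added example)."""
from copy import deepcopy
from datetime import datetime, timedelta, timezone

RFC3339_Z = "%Y-%m-%dT%H:%M:%SZ"


class AuditLogConfigError(ValueError):
    """Raised when a requested change would produce a rejected config."""


def parse_rfc3339_utc(value):
    """Accept only a UTC RFC 3339 timestamp ending in 'Z', e.g. 2025-06-01T00:00:00Z."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise AuditLogConfigError(f"expected a UTC RFC 3339 string ending in Z, got {value!r}")
    try:
        # Strip the trailing Z so the parser works on Python versions before 3.11.
        return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise AuditLogConfigError(f"not a valid timestamp: {value!r}") from exc


def enable_audit_log_export(config, start_date=None):
    """Return a copy of config with access_graph.audit_log.enabled set to true.

    Other access_graph keys are preserved. A supplied start_date is validated
    before it is written. If the config already carries a different start_date,
    the change is refused: the guide states start_date cannot be modified after
    the first successful export, so a differing value in the file would be a
    silent misconfiguration rather than an effective change.
    """
    new = deepcopy(config)
    access_graph = new.setdefault("access_graph", {})
    if not isinstance(access_graph, dict):
        raise AuditLogConfigError("access_graph must be a mapping")
    audit_log = access_graph.setdefault("audit_log", {})
    existing = audit_log.get("start_date")
    if start_date is not None:
        parse_rfc3339_utc(start_date)
        if existing is not None and existing != start_date:
            raise AuditLogConfigError(
                f"start_date is already {existing}; it cannot be modified after the first export"
            )
        audit_log["start_date"] = start_date
    elif existing is not None:
        parse_rfc3339_utc(existing)  # validate whatever is already on disk
    audit_log["enabled"] = True
    return new


def is_rejected(config, start_date=None):
    """True if enable_audit_log_export would refuse this change."""
    try:
        enable_audit_log_export(config, start_date)
    except AuditLogConfigError:
        return True
    return False


def effective_start_date(config, first_export_at):
    """Resolve the ingest start described in the guide, as an RFC 3339 UTC string.

    first_export_at is the time of the first successful export. Without an
    explicit start_date the default is 10 days before that moment.
    """
    audit_log = config.get("access_graph", {}).get("audit_log", {})
    if "start_date" in audit_log:
        return parse_rfc3339_utc(audit_log["start_date"]).strftime(RFC3339_Z)
    return (parse_rfc3339_utc(first_export_at) - timedelta(days=10)).strftime(RFC3339_Z)


# Constructed sample: a minimal parsed teleport.yaml with an existing
# access_graph section. The endpoint is a placeholder, not a real address.
SAMPLE_CONFIG = {
    "teleport": {"nodename": "auth-1"},
    "access_graph": {"enabled": True, "endpoint": "access-graph.example.internal:443"},
}

if __name__ == "__main__":
    updated = enable_audit_log_export(SAMPLE_CONFIG, "2025-06-01T00:00:00Z")
    print(updated["access_graph"])
    print("ingest from:", effective_start_date(updated, "2025-07-15T12:00:00Z"))
```

In practice you would load each Auth Service's /etc/teleport.yaml with yaml.safe_load, pass the result through enable_audit_log_export, write it back, and only then restart the service; the refusal on a changed start_date is the check worth keeping, because nothing on the Auth Service side will warn you that a later edit to that field has no effect.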