Updated the documentation #2011

Merged
merged 1 commit into from
Jun 15, 2018
38 changes: 31 additions & 7 deletions docs/2.5/admin-guide.md
Expand Up @@ -733,8 +733,7 @@ turing d52527f9-b260 10.1.0.5:3022 kernel=3.19.0-56,uptime=up 1 hour

## Audit Log

Teleport logs every SSH event into its audit log. The log is stored on the auth server(s)
in the `data_dir` location, under `log` subdirectory.
Teleport logs every SSH event into its audit log.

There are two components of the audit log:

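Review bot: dropping the storage-location sentence from this intro is only safe because the same information is re-added further down in this patch; what remains, the one-liner "Teleport logs every SSH event into its audit log.", now sits as a lone paragraph directly above "There are two components of the audit log:", so consider joining the two into a single paragraph so the intro does not read as an orphaned sentence.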
Expand All @@ -744,6 +743,10 @@ There are two components of the audit log:
later. The recording by default is done by the nodes themselves, but can be configured
to be done by the proxy.

By default the audit log is stored on the auth server(s) in the `data_dir` location, under
`log` subdirectory. Starting with Teleport 2.6 AWS users can configure Teleport to store
the audit log events in [DynamoDB](#using-dynamodb) and interactive sessions in AWS S3.

Refer to the "Audit Log" chapter in the [Teleport Architecture](architecture#audit-log) to
learn more about how the audit Log and session recording are designed.

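Review bot: the new paragraph documents behaviour "Starting with Teleport 2.6" inside docs/2.5/admin-guide.md, so readers of the 2.5 guide will see settings their version does not accept; either say explicitly that DynamoDB audit storage and S3 session storage are not available in 2.5, or move the paragraph to the 2.6 guide. Minor: "under `log` subdirectory" should read "under the `log` subdirectory", and the `[DynamoDB](#using-dynamodb)` link should be checked against the actual heading slug of the DynamoDB section so it does not resolve to nothing.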
Expand Down Expand Up @@ -1589,7 +1592,7 @@ To configure Teleport for using etcd as a storage back-end:
* Deploy several auth servers connected to etcd back-end.
* Deploy several proxy nodes that have `auth_servers` pointed to list of auth servers to connect to.

```yaml
```bash
teleport:
storage:
type: etcd
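Review bot: the fence language is changed from ```yaml to ```bash for a block that is plain YAML (`teleport:` / `storage:` / `type: etcd`), which loses correct syntax highlighting for a configuration file; keep ```yaml unless the docs site's highlighter cannot render it, in which case the reason belongs in the commit message.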
Expand Down Expand Up @@ -1617,7 +1620,7 @@ teleport:
If you are running Teleport on AWS, you can use [DynamoDB](https://aws.amazon.com/dynamodb/)
as a storage back-end to achieve high availability.

To configure Teleport to use DynamoDB as a storage back-end:
To configure Teleport to use DynamoDB as a storage back-end for storing the cluster state:

* Make sure you have AWS access key and a secret key which give you access to
DynamoDB account. If you're using (as recommended) an IAM role for this, the policy
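Review bot: qualifying the lead sentence with "for storing the cluster state" is a useful distinction now that DynamoDB can also hold the audit log, but the unchanged intro two lines above still says "you can use DynamoDB as a storage back-end to achieve high availability" without that qualifier; apply the same wording there so the two uses (cluster state versus audit events) are not conflated.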
Expand All @@ -1627,18 +1630,39 @@ To configure Teleport to use DynamoDB as a storage back-end:
* Deploy several auth servers connected to DynamoDB storage back-end.
* Deploy several proxy nodes that have `auth_servers` pointed to list of Auth servers to connect to.

```yaml
```bash
teleport:
storage:
type: dynamodb
region: eu-west-1
table_name: teleport.state

# Authentication settings are optional (see below)
access_key: BKZA3H2LOKJ1QJ3YF21A
secret_key: Oc20333k293SKwzraT3ah3Rv1G3/97POQb3eGziSZ

# Audit log configuration (starting with Teleport 2.6)
audit_table_name: teleport.events
audit_sessions_uri: s3://example.com/teleport.events
```

Replace `region` and `table_name` with your own settings. Teleport will create the table automatically.
Also, here's the example of the IAM policy to grant access to DynamoDB:
* Replace `region` and `table_name` with your own settings. Teleport will
create the table automatically.
* The AWS authentication setting below can be omitted if the machine itself is
running on an EC2 instance with an IAM role.
* Audit log settings above are optional. If specified, Teleport will store the
audit log in DyamoDB and the session recordings **must** be stored in an S3
bucket, i.e. both `audit_xxx` settings must be present. If they are not set,
Teleport will default to a local file system for the audit log, i.e.
`/var/lib/teleport/log` on an auth server.
* If DynamoDB is used for the audit log, the logged events will be stored with
a TTL of 1 year. Currently this TTL is not configurable.

!!! warning "Access to DynamoDB":
Make sure that the IAM role assigned to Teleport is configured with the
sufficient access to MongoDB. Below is the example of the IAM policy you
can use:


```json
{
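Review bot: the warning admonition at the end of this hunk tells the reader to grant the IAM role "sufficient access to MongoDB"; this should be DynamoDB, and since the bullets above say session recordings **must** go to the S3 bucket named in `audit_sessions_uri`, the policy needs to cover that bucket as well, not only the two DynamoDB tables. The bullet list also contradicts itself on placement: "The AWS authentication setting below" and "Audit log settings above" both refer to the YAML block above the list, so use "above" in both. "DyamoDB" is misspelled. The sample `access_key` / `secret_key` values have the shape of real AWS credentials, which invites copy-paste and will trip secret scanners on the repository; replace them with the AWS-documented placeholder pair `AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` or an obvious `<your-access-key>` marker. Same fence regression as the etcd block: ```yaml was changed to ```bash for YAML content. Finally, check that `!!! warning "Access to DynamoDB":` with the trailing colon still renders as an admonition rather than as literal text.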