How to Programmatically Retrieve User Actions from Sessions for Automated Auditing?

[little-plant]

Hello Teleport Community,

I am currently using Teleport to manage access to our infrastructure and am quite satisfied with the session recording feature. However, I would like to take our auditing process a step further by programmatically retrieving user actions (commands) from sessions.

Based on the documentation, I understand that I can view session recordings via the Web UI or CLI, but this requires manual intervention. My goal is to automate this process, ideally through some API or script, to achieve the following:

Automate the auditing of all commands executed by users.
Monitor user activities in real-time and trigger alerts on detecting suspicious actions.
Store these command logs in our centralized logging system for further analysis.
I have reviewed the documentation and browsed through community posts but haven't found a clear solution. Therefore, I am reaching out to ask if there is a way to accomplish this? If so, could anyone provide some example code or relevant references?

Thank you very much for your help!

[zmb3]

Automate the auditing of all commands executed by users.

You have to be careful here. Session recordings capture what was written to the PTY, not what commands the user executes. Attempting to infer commands executed based on the PTY data is filled with corner cases and trivial to bypass for someone who doesn't want their actions to be detected.

[webvictim]

If you're looking to process SSH sessions, Teleport offers enhanced session recording using BPF which is able to write every command executed as part of a session to the Teleport audit log, making it easier to process automatically. You could then export the audit logs to a SIEM solution to facilitate the real-time alerting functionality.

[little-plant]

Thank you for the detailed explanation!

I appreciate the insight into the limitations of inferring commands from PTY data and the potential challenges in accurately auditing user actions. This information is very helpful.

Given these considerations, I would still like to explore the option of using an API to retrieve session PTY data. Could anyone point me to any documentation or examples that detail how to programmatically access session PTY data using Teleport's API?

Additionally, any best practices or tips on how to handle and interpret this data would be greatly appreciated.

Thanks again for your assistance!

[zmb3]

The API you're looking for is called StreamSessionEvents