This can only get you so far. We invested a lot of time into getting more from system access events, using eBPF to take an unstructured SSH session and output a stream of structured events. https://gravitational.com/blog/enhanced-session-recording/
I was (naturally) skeptical at first as well, but this looks great.
I saw on another page that audit logs are sent off-server, presumably append-only, but can Teleport pause execution until after log replication is verified?
For plain logs this would be straightforward, but for enhanced logging I suppose it'd be a matter of deciding when to pause execution, e.g. after downloading a file.
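The "pause until the log is replicated" idea raised in the comment above, written out as an added example in Go; this is not Teleport's code and makes no claim about how Teleport actually gates execution. It assumes a hypothetical `AuditEvent` shape, an in-memory `memReplica` standing in for an off-host append-only sink, and a `Gate` that fans each event out to every replica and only lets the action run once a quorum of replicas has acknowledged it; if the quorum is not reached before the timeout the gate fails closed and the action never executes.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// AuditEvent is a hypothetical structured audit record; the field set is an
// assumption for this example, not Teleport's event schema.
type AuditEvent struct {
	Seq     uint64 // assigned by the gate; strictly increasing per gate
	Session string
	Kind    string // e.g. "exec", "file_download"
	Detail  string
}

// Replica is one off-host, append-only audit sink.
type Replica interface {
	Append(ev AuditEvent) error
}

// memReplica is a constructed in-memory stand-in for a remote log sink;
// fail=true simulates an unreachable replica.
type memReplica struct {
	mu   sync.Mutex
	name string
	fail bool
	log  []AuditEvent
}

func (r *memReplica) Append(ev AuditEvent) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.fail {
		return errors.New(r.name + ": unreachable")
	}
	// Append-only: refuse anything that would rewrite or reorder history.
	if n := len(r.log); n > 0 && ev.Seq <= r.log[n-1].Seq {
		return fmt.Errorf("%s: non-monotonic seq %d", r.name, ev.Seq)
	}
	r.log = append(r.log, ev)
	return nil
}

func (r *memReplica) Len() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.log)
}

// Gate withholds an action until its audit event is acknowledged by at least
// Quorum replicas, and fails closed when that does not happen within Timeout.
type Gate struct {
	Replicas []Replica
	Quorum   int
	Timeout  time.Duration
	seq      uint64
}

// Commit fans the event out to every replica and returns once quorum acks
// arrive. Slow or dead replicas do not block progress; too few acks do.
func (g *Gate) Commit(ev AuditEvent) error {
	g.seq++
	ev.Seq = g.seq
	acks := make(chan error, len(g.Replicas)) // buffered so stragglers never leak
	for _, r := range g.Replicas {
		go func(r Replica) { acks <- r.Append(ev) }(r)
	}
	got := 0
	deadline := time.After(g.Timeout)
	for i := 0; i < len(g.Replicas); i++ {
		select {
		case err := <-acks:
			if err == nil {
				got++
				if got >= g.Quorum {
					return nil
				}
			}
		case <-deadline:
			return fmt.Errorf("audit quorum %d not reached before timeout (%d acks)", g.Quorum, got)
		}
	}
	return fmt.Errorf("audit quorum %d not reached (%d acks)", g.Quorum, got)
}

// Run executes action only after ev is durably replicated; on any failure the
// action never runs, so a lost log cannot hide an executed command.
func (g *Gate) Run(ev AuditEvent, action func() string) (string, error) {
	if err := g.Commit(ev); err != nil {
		return "", fmt.Errorf("refusing %s in session %s: %w", ev.Kind, ev.Session, err)
	}
	return action(), nil
}

func main() {
	replicas := []Replica{&memReplica{name: "a"}, &memReplica{name: "b"}, &memReplica{name: "c", fail: true}}
	g := &Gate{Replicas: replicas, Quorum: 2, Timeout: time.Second}
	out, err := g.Run(AuditEvent{Session: "s1", Kind: "exec", Detail: "cat /etc/passwd"}, func() string { return "exec ran" })
	fmt.Println(out, err) // one dead replica is tolerated; two would refuse the exec
}
```

The design choice worth noting is the fail-closed default: with plain command logging the gate sits in front of each exec, and for the enhanced, eBPF-derived event stream the same gate would be placed only at the points the comment suggests (such as before a file download completes), since blocking on every syscall-level event would be impractical.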