EncodeMap encodes map[string]interface{} to map<string, Value>.

EncodeMapStrings encodes map[string][]string to map<string, Value>.

FromOneOf converts audit event from one of wrapper to interface.

MustEncodeMap panics if EncodeMap returns error.

MustToOneOf converts audit event to OneOf or panics, used in tests.

EventResourceIDs converts a []ResourceID to a []events.ResourceID.

ToOneOf converts audit event to union type of the events.

GENERAL is for otherwise uncategorized calls.

SEARCH is for search-related APIs.

SECURITY is for _security and _ssl APIs.

SQL covers _sql API.

TCP connection establishment or binding a UDP socket to a remote address.

Transmission of data to a remote endpoint.

UnknownCode is used when an event of unknown type is encountered.

UnknownEvent is any event received that isn't recognized as any other event type.

AccessRequestCreate is emitted when access request has been created or updated.

AccessRequestDelete is emitted when an access request has been deleted.

AccessRequestResourceSearch is emitted when a user searches for resources as part of a search-based access request.

AppCreate is emitted when a new application resource is created.

AppDelete is emitted when an application resource is deleted.

AppMetadata contains common application information.

AppSessionChunk is emitted at the start of a 5 minute chunk on each proxy.

AppSessionDynamoDBRequest is emitted when a user executes a DynamoDB request via app access.

AppSessionEnd is emitted when an application session ends.

AppSessionRequest is an HTTP request and response.

AppSessionStart is emitted when a user is issued an application certificate.

AppUpdate is emitted when an existing application resource is updated.

AuthAttempt is emitted upon a failed or successfull authentication attempt.

AWSRequestMetadata contains extra AWS metadata of an AppSessionRequest.

BillingCardCreate is emitted when a user creates or updates a credit card.

BillingCardDelete is emitted when a user deletes a credit card.

BillingInformationUpdate is emitted when a user updates the billing information.

BPFMetadata is a common BPF process metadata.

CassandraBatch is emitted when a Cassandra client executes a batch of CQL statements.

BatchChild represents a single child batch statement.

Value is a single value to bind to the query.

CassandraExecute is emitted when a Cassandra client executes a CQL statement.

CassandraSession is emitted when a Cassandra client sends the prepare a CQL statement.

CassandraRegister is emitted when a Cassandra client request to register for the specified event types.

CertificateCreate is emitted when a certificate is issued.

ClientDisconnect is emitted when client is disconnected by the server due to inactivity or any other reason.

ClientMetadata identifies the originating client for an event.

CommandMetadata specifies common command fields.

Connection contains connection info.

DatabaseCreate is emitted when a new database resource is created.

DatabaseDelete is emitted when a database resource is deleted.

DatabaseMetadata contains common database information.

DatabaseSessionEnd is emitted when a user ends the database session.

DatabaseSessionMalformedPacket is emitted when a database sends a malformed packet.

DatabaseSessionQuery is emitted when a user executes a database query.

DatabaseSessionStart is emitted when a user connects to a database.

DatabaseUpdate is emitted when an existing database resource is updated.

DesktopClipboardReceive is emitted when Teleport receives clipboard data from a remote desktop.

DesktopClipboardSend is emitted when clipboard data is sent from a user's workstation to Teleport.

DesktopRecording happens when a Teleport Desktop Protocol message is captured during a Desktop Access Session.

DesktopSharedDirectoryRead is emitted when Teleport attempts to read from a file in a shared directory at the behest of the remote desktop.

DesktopSharedDirectoryStart is emitted when Teleport successfully begins sharing a new directory to a remote desktop.

DesktopSharedDirectoryWrite is emitted when Teleport attempts to write to a file in a shared directory at the behest of the remote desktop.

ElasticsearchRequest is emitted when user executes an Elasticsearch request, which isn't covered by API-specific events.

Exec specifies command exec event.

GithubConnectorCreate fires when a Github connector is created/updated.

GithubConnectorDelete fires when a Github connector is deleted.

Identity matches github.com/gravitational/teleport/lib/tlsca.Identity except for RouteToApp and RouteToDatabase which are nullable and Traits which is represented as a google.protobuf.Struct (still containing a map from string to strings).

KubeClusterMetadata contains common kubernetes cluster information.

KubeRequest specifies a Kubernetes API request event.

KubernetesClusterCreate is emitted when a new kubernetes cluster resource is created.

KubernetesClusterDelete is emitted when a kubernetes cluster resource is deleted.

KubernetesClusterMetadata contains common metadata for kubernetes-related events.

KubernetesClusterUpdate is emitted when an existing kubernetes cluster resource is updated.

KubernetesPodMetadata contains common metadata for kubernetes pod-related events.

LockCreate is emitted when a lock is created/updated.

LockDelete is emitted when a lock is deleted.

Metadata is a common event metadata.

MFADeviceAdd is emitted when a user adds an MFA device.

MFADeviceDelete is emitted when a user deletes an MFA device.

MFADeviceMetadata is a common MFA device metadata.

MySQLCreateDB is emitted when a MySQL client creates a schema.

MySQLDebug is emitted when a MySQL client asks the server to dump internal debug info to stdout.

MySQLDropDB is emitted when a MySQL client drops a schema.

MySQLInitDB is emitted when a MySQL client changes the default schema for the connection.

MySQLProcessKill is emitted when a MySQL client asks the server to terminate a connection.

MySQLRefresh is emitted when a MySQL client sends refresh commands.

MySQLShutDown is emitted when a MySQL client asks the server to shut down.

MySQLStatementBulkExecute is emitted when a MySQL client executes a bulk insert of a prepared statement using the prepared statement protocol.

MySQLStatementClose is emitted when a MySQL client deallocates a prepared statement using the prepared statement protocol.

MySQLStatementExecute is emitted when a MySQL client executes a prepared statement using the prepared statement protocol.

MySQLStatementFetch is emitted when a MySQL client fetches rows from a prepared statement using the prepared statement protocol.

MySQLStatementPrepare is emitted when a MySQL client creates a prepared statement using the prepared statement protocol.

MySQLStatementReset is emitted when a MySQL client resets the data of a prepared statement using the prepared statement protocol.

MySQLStatementSendLongData is emitted when a MySQL client sends long bytes stream using the prepared statement protocol.

OIDCConnectorCreate fires when OIDC connector is created/updated.

OIDCConnectorDelete fires when OIDC connector is deleted.

OneOf is a union of one of audit events submitted to the auth service.

PortForward is emitted when a user requests port forwarding.

PostgresBind is emitted when a Postgres client readies a prepared statement for execution and binds it to parameters.

PostgresClose is emitted when a Postgres client closes an existing prepared statement.

PostgresExecute is emitted when a Postgres client executes a previously bound prepared statement.

PostgresFunctionCall is emitted when a Postgres client calls internal database function.

PostgresParse is emitted when a Postgres client creates a prepared statement using extended query protocol.

RecoveryCodeGenerate is emitted when a user's new recovery codes are generated and updated.

RecoveryCodeUsed is emitted when a user's recovery code was used successfully or unsuccessfully.

RenewableCertificateGenerationMismatch is emitted when a renewable certificiate's generation counter fails to validate, possibly indicating a stolen certificate and an invalid renewal attempt.

Resize means that some user resized PTY on the client.

ResourceID is a unique identifier for a teleport resource.

ResourceMetadata is a common resource metadata.

RoleCreate is emitted when a role is created/updated.

RoleDelete is emitted when a role is deleted.

RouteToApp contains parameters for application access certificate requests.

RouteToDatabase combines parameters for database service routing information.

SAMLConnectorCreate fires when SAML connector is created/updated.

SAMLConnectorDelete fires when SAML connector is deleted.

SCP is emitted when data transfer has occurred between server and client.

Server is a server metadata.

SessionCommand is a session command event.

SessionConnect is emitted when a non-Teleport connection is made over net.Dial.

SessionData is emitted to report session data usage.

SessionDisk is a session disk access event.

SessionEnd is a session end event.

SessionJoin emitted when another user joins a session.

SessionLeave is emitted to report that a user left the session.

SesssionMetadata is a common session event metadata.

SessionNetwork is a network event.

SessionPrint event happens every time a write occurs to temirnal I/O during a session.

SessionRecordingAccess is emitted when a session recording is accessed, allowing session views to be included in the audit log.

SessionReject event happens when a user hits a session control restriction.

SessionStart is a session start event.

SessionUpload is a session upload.

SFTP is emitted when file operations have occurred between server and client.

SFTPAttributes are file metadata sent over SFTP.

SQLServerRPCRequest is emitted when a user executes a MSSQL Server RPC command.

SSMRun is emitted after an AWS SSM document completes execution.

Status contains common command or operation status fields.

StreamStatus reflects stream status.

Struct is a wrapper around types.Struct that marshals itself into json.

Subsystem is emitted when a user requests a new subsystem.

TrustedClusterCreate is the event for creating a trusted cluster.

TrustedClusterDelete is the event for removing a trusted cluster.

TrustedClusterTokenCreate is the event for creating new join token for a trusted cluster.

Unknown is a fallback event used when we don't recognize an event from the backend.

UpgradeWindowStartMetadata contains common upgrade window information.

UpgradeWindowStartUpdate is emitted when a user updates the cloud upgrade window start time.

UserCreate is emitted when the user is created or updated (upsert).

UserDelete is emitted when a user gets deleted.

UserLogin records a successfull or failed user login event.

UserMetadata is a common user event metadata.

UserPasswordChange is emitted when the user changes their own password.

UserTokenCreate is emitted when a user token is created.

WindowsDesktopSessionEnd is emitted when a user ends a Windows desktop session.

WindowsDesktopSessionStart is emitted when a user connects to a desktop.

X11Forward is emitted when a user requests X11 protocol forwarding.

AuditEvent represents audit event.

Emitter creates and manages audit log streams.

ProtoMarshaler implements marshaler interface.

Stream is used to create continuous ordered sequence of events associated with a session.

ElasticsearchCategory specifies Elasticsearch request category.

Action communicates what was done in response to the event.

Operation is the network operation that was performed or attempted.

SFTPAction denotes what type of SFTP request was made.