Monitor Teleport With Datadog | Datadog

Monitor Teleport with Datadog

Author Shanel Huang
Author Mallory Mooney

Published: June 28, 2024

The Teleport Access Platform delivers on-demand, least-privileged access to infrastructure (for SSH, Kubernetes, RDP, Web, databases, and clouds) on a foundation of cryptographic identity and zero trust, which eliminates the attack surfaces of both shared secrets and standing privileges. Teleport also improves the efficiency of engineering teams, makes infrastructure resilient to human error, improves compliance and audit reporting, and defends infrastructure and applications against identity provider compromise.

We’re excited to announce our Agent-based integration with the Teleport platform, enabling you to easily monitor your Teleport services and audit user session activity.

Monitor Teleport services

The primary components of a Teleport cluster—the auth and proxy services and agents—all need to run efficiently in order to keep your infrastructure secure. If one of these components fails, your users may not be able to access your infrastructure, and its internal resources may become vulnerable to threats. Datadog’s Teleport integration collects a suite of metrics for monitoring the health and performance of each critical service, which you can visualize in an out-of-the-box dashboard.

Teleport Dashboard

The dashboard enables you to track any significant changes in key Teleport metrics. For example, a sudden spike in the number of failed login attempts could signify an issue with the auth service, which manages the Teleport cluster’s local users and configuration resources. Conversely, a sudden high volume of concurrent sessions could indicate a brute-force attack against your servers. You can mitigate this kind of activity by modifying the cluster’s max_sessions setting, which limits the number of sessions allowed for a single connection.

Closely audit user sessions

Knowing who is accessing your infrastructure resources, such as Kubernetes clusters and databases, is another critical part of ensuring Teleport’s performance and security. Datadog Cloud SIEM enables you to closely audit user sessions via Teleport audit logs and detect any unusual behavior. For example, you can create a custom signal via Datadog Cloud SIEM that surfaces spikes in the number of login attempts per workstation, which is a common starting point for attacks.

Teleport Cloud SIEM signal

When Datadog detects an event like this, it will generate a security signal with relevant audit logs, which include the necessary information for investigation, such as the user’s overall network activity, code execution, and file transfers. This data can help you determine if an attacker is using a workstation to access servers. You can also create custom security signals to automatically detect other types of activity captured in audit logs, giving you comprehensive monitoring coverage for your Teleport services.

Stay on top of infrastructure access with Teleport and Datadog

With Datadog’s Teleport integration, you can ensure that your Teleport services are working as expected. It also enables you to monitor access across your entire infrastructure, so you can detect and prevent any suspicious activity. Check out our documentation to learn more about enabling the Teleport integration for the Datadog Agent. If you don’t already have a Datadog account, you can sign up for a .