Tailscale Audit Logs

Tailscale is a VPN service that simplifies secure network connections using a peer-to-peer mesh network. Tailscale audit logs capture information about user and device activity, such as authentication events, access control changes, connection attempts, and traffic flow across the network. These logs are valuable for monitoring network security, tracking who accessed resources, and auditing for compliance with access policies.

Ingest Method

This is a polling source: it downloads new logs from the app API approximately every 60 seconds. When first added, RunReveal will backfill the last 30 days' worth of audit logs.

Setup

⚠️ Important: When setting up your OAuth client, enable only the read permission for audit logs. Do not grant any other permissions or the source will fail.

Step 1: Create an OAuth Client in Tailscale

To set up the Tailscale integration, you need to create an OAuth client in your Tailnet settings. For detailed instructions, see the Tailscale OAuth client documentation.

Brief setup steps:

  1. Log into your Tailscale admin console
  2. Navigate to the Trust credentials page
  3. Click Create OAuth client
  4. Give your client a descriptive name (e.g., “RunReveal Audit Logs”)
  5. Select the Audit Logs Read scope only
  6. Click Create

Step 2: Configure RunReveal

Once created, you’ll be provided a Client ID and a Client secret.

  1. In the RunReveal dashboard, enter your tailnet name (not the tailnet ID)
    • You can find your tailnet name in the General page of the Tailscale admin console
  2. Copy both the Client ID and Client secret from the OAuth client you just created
  3. Paste these credentials into the corresponding fields in RunReveal
  4. Click Connect to begin collecting your Tailscale audit logs

RunReveal will begin collecting your Tailscale logs immediately and backfill the last 30 days of audit logs.