Intermediate
45 minutes
Session Recording Setup
Enable comprehensive session recording for compliance and security auditing. Record, search, and replay all SSH, database, and Kubernetes sessions.
Overview
TigerAccess session recording captures all user activity:
- SSH Sessions: Terminal output and keystroke playback
- Database Queries: All SQL/NoSQL commands logged
- Kubernetes Exec: Pod exec and port-forward sessions
- Searchable: Full-text search across all recordings
Prerequisites
- TigerAccess proxy service running
- Storage backend (S3, MinIO, or local filesystem)
- Sufficient storage capacity (plan for 1-10MB per hour per session)
- ClickHouse or PostgreSQL for session metadata
Configure Storage Backend
S3-Compatible Storage
Recommended for production deployments:
```yaml
# In /etc/tigeraccess/config.yaml
auth:
  session_recording:
    enabled: true
    mode: "proxy-sync"   # or "proxy-async", "node-sync"
    storage:
      type: "s3"
      # AWS S3
      region: "us-east-1"
      bucket: "tigeraccess-recordings"
      # Optional: custom endpoint for MinIO/Wasabi
      endpoint: "https://s3.example.com"
      # Credentials
      access_key_id: "ACCESS_KEY"
      secret_access_key: "SECRET_KEY"
      # Optional: SSE encryption
      sse:
        enabled: true
        kms_key_id: "arn:aws:kms:us-east-1:123456789:key/abcd"
```
Local Filesystem
For testing or small deployments:
```yaml
auth:
  session_recording:
    enabled: true
    mode: "node-sync"
    storage:
      type: "filesystem"
      path: "/var/lib/tigeraccess/recordings"
      # Optional: permissions
      file_mode: 0600
      dir_mode: 0700
```
Recording Modes
- proxy-sync: Proxy uploads synchronously (most reliable, slight latency)
- proxy-async: Proxy uploads asynchronously (faster, requires buffering)
- node-sync: Node uploads directly (lowest proxy load, requires node storage access)
SSH Session Recording
Enable SSH Recording
```yaml
proxy:
  ssh:
    enabled: true
    recording:
      # Record all SSH sessions
      enabled: true
      # Capture keystroke timing for playback
      capture_timing: true
      # Optional: exclude specific commands from recording
      exclude_commands:
        - "password"
        - "secret"
```
Role-Based Recording
Require recording for specific roles:
```bash
# Create role with mandatory recording
tac roles create prod-access --spec - <<EOF
kind: role
version: v7
metadata:
  name: prod-access
spec:
  allow:
    node_labels:
      env: ["production"]
  options:
    # Always record production access
    record_session:
      desktop: true
      default: "yes"   # or "no", "best_effort"
EOF
```
Database Session Recording
Enable Database Query Logging
```yaml
proxy:
  database:
    enabled: true
    audit:
      # Log all database queries
      enabled: true
      # Include query results
      log_results: true
      # Include query parameters
      log_parameters: true
      # Redact sensitive fields
      redact_fields:
        - "password"
        - "credit_card"
        - "ssn"
```
Query Pattern Detection
```yaml
proxy:
  database:
    audit:
      # Alert on dangerous patterns
      dangerous_patterns:
        - pattern: "DROP TABLE"
          severity: "high"
          action: "alert"
        - pattern: "DELETE.*WHERE.*1=1"
          severity: "high"
          action: "block"
        - pattern: "UPDATE.*SET.*password"
          severity: "medium"
          action: "alert"
```
Kubernetes Session Recording
Enable Kubernetes Recording
```yaml
proxy:
  kubernetes:
    enabled: true
    recording:
      # Record kubectl exec sessions
      enabled: true
      # Record port-forward sessions
      record_port_forward: true
      # Capture pod logs
      capture_logs: true
```
API Audit Logging
```yaml
proxy:
  kubernetes:
    audit:
      # Log all API requests
      enabled: true
      # Log levels: Metadata, Request, RequestResponse
      level: "RequestResponse"
      # Exclude verbose resources
      exclude_resources:
        - "events"
        - "endpoints"
```
Playback & Search
List Recorded Sessions
```bash
# List all sessions
tac sessions ls
# Filter by user
tac sessions ls --user=alice
# Filter by date range
tac sessions ls --since=2024-01-01 --until=2024-12-31
# Filter by resource
tac sessions ls --resource=prod-db
```
Play Back Sessions
```bash
# Play back SSH session
tac sessions play SESSION_ID
# Export to file
tac sessions export SESSION_ID --output=session.cast
# View in web UI
# Navigate to https://tigeraccess.example.com:3080/sessions
```
Search Session Content
```bash
# Search for text in sessions
tac sessions search "sudo rm"
# Search database queries
tac sessions search --type=db "DROP TABLE"
# Search with regex
tac sessions search --regex "DELETE.*FROM users"
```
Retention Policies
Configure Retention
```yaml
auth:
  session_recording:
    retention:
      # Default retention period
      default: "90d"
      # Retention by environment
      by_labels:
        - labels:
            env: "production"
          retention: "1y"
        - labels:
            env: "development"
          retention: "30d"
      # Compliance hold
      compliance_hold:
        enabled: true
        duration: "7y"
        label_selector:
          compliance: "pci"
```
Manual Cleanup
```bash
# Delete old sessions
tac sessions cleanup --older-than=90d
# Delete specific session
tac sessions delete SESSION_ID
# Dry run to preview deletions
tac sessions cleanup --older-than=90d --dry-run
```
S3 Lifecycle Policies
AWS S3 lifecycle policy (JSON):
```json
{
  "Rules": [
    {
      "Id": "ArchiveOldRecordings",
      "Status": "Enabled",
      "Transitions": [
        {
          "Days": 90,
          "StorageClass": "GLACIER"
        }
      ],
      "Expiration": {
        "Days": 365
      }
    }
  ]
}
```
Troubleshooting
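The retention block under Configure Retention and the S3 lifecycle rule above are enforced by two different systems, so here is an added example (not TigerAccess code and not from this page) that resolves the effective retention for a session's labels and checks it against the bucket's Expiration; with the values on this page, a PCI session held for 7y would be expired by the bucket after 365 days. It assumes a matching label rule replaces the default while an enabled compliance hold only lengthens the period, and counts a year as 365 days; the policy and lifecycle dicts mirror the page's YAML and JSON, and the function names are this example's own.

```python
# Constructed mirrors of the retention block and the S3 lifecycle rule on this page.
RETENTION = {
    "default": "90d",
    "by_labels": [
        {"labels": {"env": "production"}, "retention": "1y"},
        {"labels": {"env": "development"}, "retention": "30d"},
    ],
    "compliance_hold": {"enabled": True, "duration": "7y",
                        "label_selector": {"compliance": "pci"}},
}
S3_LIFECYCLE = {"Rules": [{"Id": "ArchiveOldRecordings", "Status": "Enabled",
                           "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
                           "Expiration": {"Days": 365}}]}

# Assumption: durations are <int><unit> with d/w/y and a planning year of 365 days.
UNITS = {"d": 1, "w": 7, "y": 365}

def parse_days(text):
    return int(text[:-1]) * UNITS[text[-1]]  # '90d' -> 90, '1y' -> 365

def selector_matches(selector, labels):
    """Every selector key must be present in the labels with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())

def effective_retention_days(labels, policy=RETENTION):
    """Resolve how long a session with these labels must be kept.
    Assumption: the first matching by_labels rule replaces the default; an enabled
    compliance hold only lengthens the result, never shortens it."""
    days = parse_days(policy["default"])
    for rule in policy.get("by_labels", []):
        if selector_matches(rule["labels"], labels):
            days = parse_days(rule["retention"])
            break
    hold = policy.get("compliance_hold", {})
    if hold.get("enabled") and selector_matches(hold["label_selector"], labels):
        days = max(days, parse_days(hold["duration"]))
    return days

def lifecycle_conflicts(session_labels, lifecycle=S3_LIFECYCLE, policy=RETENTION):
    """Label sets whose required retention outlives the bucket's earliest enabled
    Expiration: recordings S3 would delete while TigerAccess still needs them."""
    expirations = [r["Expiration"]["Days"] for r in lifecycle["Rules"]
                   if r.get("Status") == "Enabled" and "Expiration" in r]
    if not expirations:
        return []
    earliest = min(expirations)
    return [l for l in session_labels if effective_retention_days(l, policy) > earliest]
```

Run `lifecycle_conflicts` over the label sets you actually apply before enabling a lifecycle rule; any non-empty result means the bucket expiration must be raised or scoped with a prefix or tag filter that excludes held recordings.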
Sessions Not Recording
```bash
# Check recording configuration
tac config show | grep recording
# Verify storage backend
tac sessions test-storage
# Check proxy logs
journalctl -u tigeraccess -f | grep recording
```
Upload Failures
```bash
# Check S3 permissions
aws s3 ls s3://tigeraccess-recordings/
# Test upload
tac sessions test-upload
# Check failed uploads
tac sessions ls --status=failed
```
Playback Issues
```bash
# Verify session exists
tac sessions show SESSION_ID
# Check download permissions
tac sessions download SESSION_ID
# Re-index sessions
tac sessions reindex
```