Include Node Hostname in access_request.create Event Logs #53299

Open
programmerq opened this issue Mar 21, 2025 · 0 comments
Labels
access-requests audit-log Issues related to Teleports Audit Log c-uh Internal Customer Reference feature-request Used for new features in Teleport, improvements to current should be #enhancements

Comments

@programmerq
Contributor

What would you like Teleport to do?

Enhance the access_request.create event logs to include the node name (hostname) in addition to the Teleport-generated resource ID.

What problem does this solve?

Currently, the access_request.create events log only the resource ID, which is not easily interpretable when ingesting logs into a SIEM for alert generation. Security teams need the resource node name to promptly identify which resources are being accessed, especially when monitoring access to sensitive resources. The lack of clear identification hinders the security operations center (SOC) from setting precise alerts and monitoring access efficiently.

If a workaround exists, please include it.

Only partial workarounds are available.

Right now, one must look up the hostname using an external system/connector that can list the Teleport Inventory. Especially in a case with ephemeral resources, the inventory data may not be present at some point in the future.

Other log types may mention both the node/host name and the resource ID. This means that while the data may be present in the event log, it could be at any point in time, and impractical to find efficiently. The original instance.join event mentions the node id and the node name. This does not, however, account for any subsequent changes to node names or labels after the initial join. The session.start, session.end, session.join, and sftp events can link activity to node names. This is not helpful for nodes that have not been accessed in the time frame of available logs in a logging system.

Neither of these workarounds completely fulfills the requirement to be able to create an actionable SIEM alert from data in the audit log stream directly.
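The partial workaround described in the issue (resolving the resource ID in an access_request.create event by correlating it with earlier events that carry both a node ID and a hostname) can be implemented as a SIEM-side enrichment step. The following is an added example, not code from Teleport or from the issue author. The event names are the ones the issue names; the field names server_id, server_hostname, resource_ids and user, and the JSON-lines layout of the log, are assumptions for illustration, and the sample log is constructed. It also shows the failure mode the issue describes: a resource ID whose node never appears in the retained log window stays unresolved, which is the gap that logging the hostname directly in the event would close.

```python
"""Enrich access_request.create events with hostnames by correlating other
audit events in the same log window. Added example; not Teleport code.
Field names (server_id, server_hostname, resource_ids, user) are assumptions."""
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Event types the issue names as carrying both a node ID and a node name.
HOSTNAME_BEARING_EVENTS = {
    "instance.join", "session.start", "session.end", "session.join", "sftp",
}

# Constructed sample audit log, one JSON object per line (not real Teleport output).
# Node aaaa-1111 is renamed after its first join; node cccc-3333 never appears
# in any hostname-bearing event, so it cannot be resolved from this window.
SAMPLE_LOG = """\
{"event":"instance.join","time":"2025-03-21T09:00:00Z","server_id":"aaaa-1111","server_hostname":"db-prod-01"}
{"event":"session.start","time":"2025-03-21T09:05:00Z","server_id":"bbbb-2222","server_hostname":"web-staging-03","user":"alice"}
{"event":"instance.join","time":"2025-03-21T09:10:00Z","server_id":"aaaa-1111","server_hostname":"db-prod-01-renamed"}
{"event":"access_request.create","time":"2025-03-21T10:00:00Z","user":"bob","resource_ids":["aaaa-1111","cccc-3333"]}
{"event":"access_request.create","time":"2025-03-21T10:30:00Z","user":"carol","resource_ids":["bbbb-2222"]}
"""


def parse_log(text: str) -> List[dict]:
    """Parse a JSON-lines audit log, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_hostname_index(events: Iterable[dict]) -> Dict[str, str]:
    """Map server_id -> most recently seen hostname.

    Events are processed in log order, so a later instance.join for the same
    server_id overrides an earlier name; this reflects renames after the
    initial join, which the issue notes a single join event would miss.
    """
    index: Dict[str, str] = {}
    for ev in events:
        if ev.get("event") in HOSTNAME_BEARING_EVENTS:
            server_id = ev.get("server_id")
            hostname = ev.get("server_hostname")
            if server_id and hostname:
                index[server_id] = hostname
    return index


def enrich_access_requests(events: Iterable[dict], index: Dict[str, str]) -> List[dict]:
    """Return copies of access_request.create events with a resource_hostnames
    map (None where the ID could not be resolved) and an unresolved list."""
    enriched: List[dict] = []
    for ev in events:
        if ev.get("event") != "access_request.create":
            continue
        out = dict(ev)
        hostnames: Dict[str, Optional[str]] = {
            rid: index.get(rid) for rid in ev.get("resource_ids", [])
        }
        out["resource_hostnames"] = hostnames
        out["unresolved"] = [rid for rid, name in hostnames.items() if name is None]
        enriched.append(out)
    return enriched


def find_sensitive_access(
    enriched: Iterable[dict], sensitive_prefixes: Tuple[str, ...] = ("db-prod",)
) -> List[Tuple[str, str, str]]:
    """Alert rule: (user, resource_id, hostname) for requests touching hosts
    whose name starts with a sensitive prefix. Unresolved IDs cannot match,
    which is why a SIEM rule built only on this workaround has blind spots."""
    hits: List[Tuple[str, str, str]] = []
    for ev in enriched:
        for rid, name in ev["resource_hostnames"].items():
            if name and name.startswith(sensitive_prefixes):
                hits.append((ev.get("user", "?"), rid, name))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    idx = build_hostname_index(evs)
    for req in enrich_access_requests(evs, idx):
        print(req["user"], req["resource_hostnames"], "unresolved:", req["unresolved"])
    print("sensitive:", find_sensitive_access(enrich_access_requests(evs, idx)))
```

The index is built from every hostname-bearing event in the window rather than only those preceding each request, which keeps the example short; a production enrichment job would key the index by time so that a rename after the request does not rewrite history. Either way, the unresolved list is the measurable gap: any ID that lands there is a request the SOC cannot alert on by hostname without an external inventory lookup.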

@programmerq programmerq added audit-log Issues related to Teleports Audit Log c-uh Internal Customer Reference feature-request Used for new features in Teleport, improvements to current should be #enhancements labels Mar 21, 2025