This is a small service that forwards Tailscale audit events to Log Analytics.
You can either build the Docker image yourself by cloning the repo, or you can pull the latest image from GitHub using these instructions.
By default the Docker container listens on port 8080. You can change that by adjusting the ASPNETCORE_URLS environment variable or the "Urls" key in appsettings.json. Details for doing that are available here.
Events will be in Log Analytics under the table name "TailscaleEvents_CL". You can change this by adjusting the Log Analytics table name setting detailed below. Log Analytics will automatically add "_CL" to the end of this string.
You can set the following configuration values either in appsettings.json or via environment variables. Note that environment variables take precedence over the JSON configuration.
It is recommended that you store these values in a secure manner, especially the Workspace and Webhook keys.
Setting | Default | JSON Path | Environment variable Name |
---|---|---|---|
Log Analytics Workspace Id | None | LogAnalyticsClient.WorkspaceId | LogAnalyticsClient__WorkspaceId |
Log Analytics Workspace Key | None | LogAnalyticsClient.WorkspaceKey | LogAnalyticsClient__WorkspaceKey |
Log Analytics Table Name | TailscaleEvents | LogAnalyticsClient.Tablename | LogAnalyticsClient__Tablename |
Log Analytics API Host | ods.opinsights.azure.com | LogAnalyticsClient.ApiHost | LogAnalyticsClient__ApiHost |
Tailscale Webhook Key | None | TailscaleWebhookSecret | TailscaleWebhookSecret |
Log Analytics Workspace Id: This can be found on the Overview section of the Log Analytics workspace.
Log Analytics Workspace Key: This is either the Primary or Secondary Key found under "Agents" > "Log Analytics agent instructions" in the Log Analytics workspace.
Log Analytics Table Name: The name of the table that Tailscale events will be logged under. Default: TailscaleEvents
Log Analytics API Host: The root hostname for Log Analytics. For the public Azure cloud this is ods.opinsights.azure.com. Default: ods.opinsights.azure.com
Tailscale Webhook Key: This is given to you when creating the webhook in Tailscale.
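
How the four Log Analytics settings fit together in a single request, as an added example that is not this project's code. It assumes the service posts to the Azure Monitor HTTP Data Collector API, which the ods.opinsights.azure.com host and the automatic "_CL" suffix suggest; the name `build_request` and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate

API_VERSION = "2016-04-01"  # HTTP Data Collector API version
RESOURCE = "/api/logs"


def build_request(workspace_id, workspace_key, table_name, api_host, events, date=None):
    """Return (url, headers, body) for one Data Collector API POST (nothing is sent)."""
    body = json.dumps(events).encode("utf-8")
    date = date or formatdate(usegmt=True)  # RFC 1123 date, e.g. "Mon, 01 Jan 2024 00:00:00 GMT"
    string_to_sign = (
        f"POST\n{len(body)}\napplication/json\nx-ms-date:{date}\n{RESOURCE}"
    )
    # The workspace key is base64 text. It keys the HMAC and is never sent itself,
    # so anyone holding it can write arbitrary records into the workspace.
    digest = hmac.new(base64.b64decode(workspace_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    url = f"https://{workspace_id}.{api_host}{RESOURCE}?api-version={API_VERSION}"
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": table_name,  # Log Analytics appends "_CL" to this name
        "x-ms-date": date,
    }
    return url, headers, body


if __name__ == "__main__":
    # Constructed sample values: not real credentials, not a real Tailscale event.
    ws_id = "00000000-0000-0000-0000-000000000000"
    ws_key = base64.b64encode(b"constructed-demo-key").decode("ascii")
    sample = [{"type": "constructed.sample", "message": "demo event"}]
    url, headers, body = build_request(ws_id, ws_key, "TailscaleEvents",
                                       "ods.opinsights.azure.com", sample,
                                       date="Mon, 01 Jan 2024 00:00:00 GMT")
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Because the signature covers the body length and the `x-ms-date` value, rotating the Primary or Secondary Key in the workspace invalidates every request signed with the old key.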