Boundary audit Logs and ssh Session recording

Is there any way of recording the commands sent over the SSH/RDP sessions?
Could not find anything in the docs.
Our company is forced by law to audit/record these.

Hey @miconx, thanks for reaching out. Session Recording is one of our more highly-requested features, and one that we are actively exploring over the next fiscal year.

If you have some time to chat next week, my email is adam.bouhmad@hashicorp.com – it’d be great to chat about some of the requirements you have as we build out the feature.

Thanks, and have a great weekend!!

Hi!
Thanks for your response.
Our legal requirements are as follows:

  • fine-grained audit logs and session recordings (asciinema/tlog?)
  • send recorded sessions to a central log server/ELK stack
    We are forced to keep records of SSH/Telnet and VNC/RDP sessions.
    At the moment only Gravitational Teleport has these features.
    Because we are already using several HashiCorp products (Nomad/Consul/Vault), we would need a solution for integrating Teleport with Vault OR replacing it (which we would prefer…) with Boundary.

Hi, I am on Adam’s team and just wanted to chime in here that HCP Boundary already does audit log streaming and you can store those events in a streaming destination of your choice (currently we support Datadog and Cloudwatch with more coming soon).

As far as session recording goes, Adam has you covered.

As far as I understood, Boundary is NOT able to log the content of sessions (which we do need),
and IF audit streaming CAN do this, it's of no use for us because we are not allowed to use any cloud products (even if they are as cool as the HashiCorp ones :wink: ).
We are forced to run everything on on-premise servers.

Hi,

Can you tell me more about the implementation of the session recording functionality in OSS Boundary? Are you still planning on the implementation or not?
In my opinion, recording of the typed-in commands in logs alone is enough.

Regards,
AN

I understand this might be in the oven, but we decided to go with Boundary to close up the many gaps we had with accessing data within our company. But it is also a requirement for us that we are able to tell who did what, and when.

The scenario is:

  • User connects with Boundary through Okta
  • Vault generates a temp credential to the specified target
  • User uses that temp credential to log into the database with a role we pre-configured

We have enabled Audit logs in Vault, in Boundary, and over the databases themselves, but so far we have not been able to correlate the pg_audit logs with the users who are making these requests, as the user is just a temporary one, and we need a way to link it with an SSO user.

I’ve logged more details in Correlating pg_audit, Boundary and Vault audit logs · hashicorp/vault · Discussion #20955 · GitHub about what we’re trying to achieve.

But if you can help us to understand how to make this correlation, we can already get what we need while you cook something within the product itself. :wink:
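One way to build the correlation this post asks for, as an added example that is not Boundary's, Vault's or the poster's own code: join Boundary's session events to Vault's audit entries on the Vault lease id, then join the temporary username Vault issued to the session user in the pgaudit lines. The event shapes, field names (`session.start`, `session.credential`, `vault_lease_id`) and all log lines below are constructed for illustration and are not the documented schemas of either product; the example also assumes the database secrets mount was tuned with `audit_non_hmac_response_keys=username`, since Vault HMACs response data values by default and the username would otherwise not be readable in the audit log.

```python
"""Three-way correlation of Boundary session events, Vault audit entries and
pgaudit lines: Boundary session -> Vault lease -> temporary DB user -> query.

Added example. The event shapes below are constructed for illustration and
are NOT Boundary's or Vault's documented schemas.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed Boundary events (JSON lines). Assumed fields: a session-start
# event carrying the SSO user and target, and a credential-brokering event
# carrying the Vault lease id Boundary obtained for that session.
BOUNDARY_EVENTS = """
{"event":"session.start","time":"2024-05-01T10:04:50Z","session_id":"s_1","user_id":"u_alice","auth_method":"okta","target_id":"ttcp_pg"}
{"event":"session.credential","time":"2024-05-01T10:04:51Z","session_id":"s_1","vault_lease_id":"database/creds/readonly/lease1"}
{"event":"session.start","time":"2024-05-01T10:20:00Z","session_id":"s_2","user_id":"u_bob","auth_method":"okta","target_id":"ttcp_pg"}
{"event":"session.credential","time":"2024-05-01T10:20:01Z","session_id":"s_2","vault_lease_id":"database/creds/readonly/lease2"}
""".strip()

# Constructed Vault audit-device entries (type=response). Assumes the
# username key was excluded from HMACing via audit_non_hmac_response_keys;
# the password stays HMACed as Vault does by default.
VAULT_AUDIT = """
{"type":"response","time":"2024-05-01T10:04:51Z","request":{"path":"database/creds/readonly"},"response":{"secret":{"lease_id":"database/creds/readonly/lease1"},"data":{"username":"v-tok-ro-aaa1","password":"hmac-sha256:REDACTED"}}}
{"type":"response","time":"2024-05-01T10:20:01Z","request":{"path":"database/creds/readonly"},"response":{"secret":{"lease_id":"database/creds/readonly/lease2"},"data":{"username":"v-tok-ro-bbb2","password":"hmac-sha256:REDACTED"}}}
""".strip()

# Constructed pgaudit lines; assumed log_line_prefix of '%t [%p] %u@%d '
# (timestamp, backend pid, user@database). The last line is a service
# account that never came through Boundary and must stay unattributed.
PGAUDIT = """
2024-05-01 10:05:12 UTC [4242] v-tok-ro-aaa1@appdb LOG:  AUDIT: SESSION,1,1,READ,SELECT,,,"SELECT * FROM accounts",<none>
2024-05-01 10:21:40 UTC [4250] v-tok-ro-bbb2@appdb LOG:  AUDIT: SESSION,1,1,WRITE,UPDATE,,,"UPDATE accounts SET balance = 0",<none>
2024-05-01 10:30:00 UTC [4260] app_service@appdb LOG:  AUDIT: SESSION,1,1,READ,SELECT,,,"SELECT 1",<none>
""".strip()

PG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ \[\d+\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+AUDIT: (?P<audit>.*)$"
)


def load_boundary_sessions(events: str) -> Dict[str, dict]:
    """session_id -> {user_id, target_id, start, lease_id}."""
    sessions: Dict[str, dict] = {}
    for line in events.splitlines():
        ev = json.loads(line)
        s = sessions.setdefault(ev["session_id"], {})
        if ev["event"] == "session.start":
            s.update(user_id=ev["user_id"], target_id=ev["target_id"], start=ev["time"])
        elif ev["event"] == "session.credential":
            s["lease_id"] = ev["vault_lease_id"]
    return sessions


def load_vault_leases(audit: str) -> Dict[str, str]:
    """lease_id -> temporary DB username, from database/creds/* responses."""
    leases: Dict[str, str] = {}
    for line in audit.splitlines():
        entry = json.loads(line)
        if entry.get("type") != "response":
            continue
        if not entry["request"]["path"].startswith("database/creds/"):
            continue
        resp = entry["response"]
        leases[resp["secret"]["lease_id"]] = resp["data"]["username"]
    return leases


def correlate(boundary: str, vault: str, pgaudit: str) -> List[dict]:
    """Attribute each pgaudit line to the SSO user whose Boundary session
    brokered the temporary credential the query ran under."""
    sessions = load_boundary_sessions(boundary)
    leases = load_vault_leases(vault)
    # temp username -> Boundary session, via the lease both sides recorded
    by_user: Dict[str, dict] = {}
    for sid, s in sessions.items():
        username = leases.get(s.get("lease_id", ""))
        if username:
            by_user[username] = dict(session_id=sid, **s)
    results = []
    for line in pgaudit.splitlines():
        m = PG_LINE.match(line)
        if not m:
            continue  # not a pgaudit line; keep the parser strict
        sess: Optional[dict] = by_user.get(m["user"])
        results.append({
            "time": m["ts"],
            "db_user": m["user"],
            "sso_user": sess["user_id"] if sess else None,
            "session_id": sess["session_id"] if sess else None,
            "audit": m["audit"],
        })
    return results


if __name__ == "__main__":
    for row in correlate(BOUNDARY_EVENTS, VAULT_AUDIT, PGAUDIT):
        print(json.dumps(row))
```

The join key that makes this work is the lease id, which only exists if the Boundary side actually records it; a temporary username alone is not a safe key, because Vault can reissue similar names and a long-retained log will eventually contain two different sessions for one username. If only the username is available, bound the match by the lease's issue and expiry times as well, and treat any pgaudit line whose user matches no lease at all (the `app_service` row above) as a finding to review rather than silently dropping it.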

Hey folks,

At HashiDays, our team released SSH Session Recording, available for both Enterprise & HCP Boundary. Administrators can now enable session recording on SSH targets in their Boundary environment, store signed recordings in their Amazon S3 storage bucket, and replay recordings back within the Boundary admin UI. You can read more about it on our release blog here.

A number of other features were released as part of 0.13, notably support for LDAP as an auth method, support for LDAP managed groups, default client listening ports, and improvements to Dynamic Host Catalogs.

As always, we’re excited to gather feedback from the community.


Hi,
I would like to know why only an AWS bucket? Is or will it be possible to save on a local machine when using Boundary Enterprise in a private cloud? When will it be possible to record protocols other than SSH, e.g. RDP, Postgres, etc.?