Support for Network Flow Logging? #615

New Issue

Open

opened 2025-12-29 02:21:12 +01:00 by adam · 10 comments

adam commented 2025-12-29 02:21:12 +01:00

Owner

Copy Link

Originally created by @victorhooi on GitHub (Jan 16, 2024).

Would it be possible to add some kind of network flow logging to Headscale?

Perhaps something basic like byte counters between nodes to begin?

Originally created by @victorhooi on GitHub (Jan 16, 2024). Would it be possible to add some kind of network flow logging to Headscale? Perhaps something basic like byte counters between nodes to begin?

adam added the enhancementhelp wantedno-stale-botneeds investigationneeds design doc labels 2025-12-29 02:21:12 +01:00

adam commented 2025-12-29 02:21:12 +01:00

Author

Owner

Copy Link

@victorhooi commented on GitHub (Jan 28, 2024):

The network types for the client seem to be here:

https://github.com/tailscale/tailscale/blob/main/types/netlogtype/netlogtype.go

There's some documentation on the feature, and a blog post announcing it.

Does anybody know if there's anything special that needs to be done on the client, to enable them shipping the network log information? Or is it currently being sent by the Tailscale clients to headscale, and we simply discard it?

@victorhooi commented on GitHub (Jan 28, 2024): The network types for the client seem to be here: https://github.com/tailscale/tailscale/blob/main/types/netlogtype/netlogtype.go There's some [documentation on the feature](https://tailscale.com/kb/1219/network-flow-logs), and a [blog post announcing it](https://tailscale.com/blog/network-flow-logs). Does anybody know if there's anything special that needs to be done on the client, to enable them shipping the network log information? Or is it currently being sent by the Tailscale clients to headscale, and we simply discard it?

adam commented 2025-12-29 02:21:13 +01:00

Author

Owner

Copy Link

@Sh4d commented on GitHub (Jan 30, 2024):

I think this data is sent to their logtail server which we can't reconfigure. https://tailscale.com/kb/1011/log-mesh-traffic

@Sh4d commented on GitHub (Jan 30, 2024): I think this data is sent to their logtail server which we can't reconfigure. https://tailscale.com/kb/1011/log-mesh-traffic

adam commented 2025-12-29 02:21:13 +01:00

Author

Owner

Copy Link

@adipierro commented on GitHub (Feb 6, 2024):

@Sh4d we can reconfigure log server using LogTarget policy key, see https://github.com/tailscale/tailscale/blob/main/util/syspolicy/policy_keys.go

@adipierro commented on GitHub (Feb 6, 2024): @Sh4d we can reconfigure log server using `LogTarget` policy key, see https://github.com/tailscale/tailscale/blob/main/util/syspolicy/policy_keys.go

adam commented 2025-12-29 02:21:13 +01:00

Author

Owner

Copy Link

@adipierro commented on GitHub (Feb 12, 2024):

If anyone tries to implement logtail API, here are some tech docs 😊: https://github.com/tailscale/tailscale/blob/main/logtail/api.md

@adipierro commented on GitHub (Feb 12, 2024): If anyone tries to implement logtail API, here are some tech docs 😊: https://github.com/tailscale/tailscale/blob/main/logtail/api.md

adam commented 2025-12-29 02:21:13 +01:00

Author

Owner

Copy Link

@Qup42 commented on GitHub (Mar 16, 2024):

I would like to share some of my insights that I gained while working on the client logs.¹

What logtail is

Both network flow logs and client logs send their data to a Logtail² instance. The clients send the data to the logtail instance as JSON objects. The data is grouped by type (e.g. client logs, network flow logs). The originating node is also identifiable.

Configuration of the logtail instance

It is possible to configure the logtail instance locally with the LogTarget system policy under windows or the TS_LOG_TARGET environment variable under Linux.
These settings are only used for the client logs. The network flow logs are always sent to log.tailscale.io.

Problems:

• For this feature to be possible tailscaled must respect the set logtail instance for all logging. This has to be changed upstream in tailscale and is blocking this feature in headscale.
• It would be good if the logtail instance could be configured by the control server. This will take some thought to get right though.

Receiving the network flow logs

A corresponding service that receives and possibly processes the network flow logs would also be required for this feature.
The logtail protocol is fortunately very simple.
A simple receiver that only writes the data to the file system can be written in a short time.³
These logs can the be processed further using your own log pipelines.

Open Questions:

• Should this log receiver be part of headscale? I personally tend towards no.

---

1. Clients Logs is a feature for the central collection of client's logs that works very similar to the network flow logs behind the scenes. ↩︎

2. API Docs: https://github.com/tailscale/tailscale/blob/main/logtail/api.md ↩︎

3. A simple receiver for client logs (and ssh session monitoring): https://github.com/Qup42/loghead ↩︎

@Qup42 commented on GitHub (Mar 16, 2024): I would like to share some of my insights that I gained while working on the client logs.[^1] ## What logtail is Both network flow logs and client logs send their data to a Logtail[^2] instance. The clients send the data to the logtail instance as JSON objects. The data is grouped by type (e.g. client logs, network flow logs). The originating node is also identifiable. ## Configuration of the logtail instance It is possible to configure the logtail instance locally with the `LogTarget` system policy under windows or the `TS_LOG_TARGET` environment variable under Linux. These settings are only used for the client logs. The network flow logs are always sent to `log.tailscale.io`. Problems: - For this feature to be possible tailscaled must respect the set logtail instance for all logging. This has to be changed upstream in tailscale and is blocking this feature in headscale. - It would be good if the logtail instance could be configured by the control server. This will take some thought to get right though. ## Receiving the network flow logs A corresponding service that receives and possibly processes the network flow logs would also be required for this feature. The logtail protocol is fortunately very simple. A simple receiver that only writes the data to the file system can be written in a short time.[^3] These logs can the be processed further using your own log pipelines. Open Questions: - Should this log receiver be part of headscale? I personally tend towards no. [^1]: Clients Logs is a feature for the central collection of client's logs that works very similar to the network flow logs behind the scenes. [^2]: API Docs: https://github.com/tailscale/tailscale/blob/main/logtail/api.md [^3]: A simple receiver for client logs (and ssh session monitoring): https://github.com/Qup42/loghead

adam commented 2025-12-29 02:21:14 +01:00

Author

Owner

Copy Link

@lockness-Ko commented on GitHub (Apr 5, 2024):

How does one enable network flow logging on the client? I've setup a simple http server that gets the contents of the requests but I can't see any network flow logs (logs for the tailtraffic.log.tailscale.io collection). Is there an environment variable or config that needs to be set on the client?

@lockness-Ko commented on GitHub (Apr 5, 2024): How does one enable network flow logging on the client? I've setup a simple http server that gets the contents of the requests but I can't see any network flow logs (logs for the tailtraffic.log.tailscale.io collection). Is there an environment variable or config that needs to be set on the client?

adam commented 2025-12-29 02:21:14 +01:00

Author

Owner

Copy Link

@Qup42 commented on GitHub (Apr 8, 2024):

For network flow logging to work you currently have to patch both the local client and the control plane. As stated above some patches to the client are required and support for this feature is not yet implement in the headscale control server.

But you can of course patch your executables for debugging purposes:

control plane

diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go
index df0f4d9..4dac498 100644
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@@ -560,6 +560,8 @@ func (m *Mapper) baseMapResponse() tailcfg.MapResponse {
                // TODO(kradalby): Implement PingRequest?
        }
 
+       resp.DomainDataPlaneAuditLogID = "6262626262626262626262626262626262626262626262626262626262626262"
+
        return resp
 }
 
@@ -594,6 +596,9 @@ func (m *Mapper) baseWithConfigMapResponse(
                DisableLogTail: !m.logtail,
        }
 
+       // 32*b
+       resp.DomainDataPlaneAuditLogID = "6262626262626262626262626262626262626262626262626262626262626262"
+
        return &resp, nil
 }
 
diff --git a/hscontrol/mapper/tail.go b/hscontrol/mapper/tail.go
index c10da4d..459069f 100644
--- a/hscontrol/mapper/tail.go
+++ b/hscontrol/mapper/tail.go
@@ -128,9 +128,10 @@ func tailNode(
        //   - 74: 2023-09-18: Client understands NodeCapMap
        if capVer >= 74 {
                tNode.CapMap = tailcfg.NodeCapMap{
-                       tailcfg.CapabilityFileSharing: []tailcfg.RawMessage{},
-                       tailcfg.CapabilityAdmin:       []tailcfg.RawMessage{},
-                       tailcfg.CapabilitySSH:         []tailcfg.RawMessage{},
+                       tailcfg.CapabilityFileSharing:        []tailcfg.RawMessage{},
+                       tailcfg.CapabilityAdmin:              []tailcfg.RawMessage{},
+                       tailcfg.CapabilitySSH:                []tailcfg.RawMessage{},
+                       tailcfg.CapabilityDataPlaneAuditLogs: []tailcfg.RawMessage{},
                }
 
                if randomClientPort {
@@ -159,5 +160,8 @@ func tailNode(
                tNode.LastSeen = node.LastSeen
        }
 
+       // must be 32 decoded bytes, here: 32*a
+       tNode.DataPlaneAuditLogID = "6161616161616161616161616161616161616161616161616161616161616161"
+
        return &tNode, nil
 }

client

Patch the client to send the traffic for the tailtraffic.log.tailscale.io collection to your host instead of the default host/log URL.

@Qup42 commented on GitHub (Apr 8, 2024): For network flow logging to work you currently have to patch both the local client and the control plane. As stated above some patches to the client are required and support for this feature is not yet implement in the headscale control server. But you can of course patch your executables for debugging purposes: ## control plane ```diff diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go index df0f4d9..4dac498 100644 --- a/hscontrol/mapper/mapper.go +++ b/hscontrol/mapper/mapper.go @@ -560,6 +560,8 @@ func (m *Mapper) baseMapResponse() tailcfg.MapResponse { // TODO(kradalby): Implement PingRequest? } + resp.DomainDataPlaneAuditLogID = "6262626262626262626262626262626262626262626262626262626262626262" + return resp } @@ -594,6 +596,9 @@ func (m *Mapper) baseWithConfigMapResponse( DisableLogTail: !m.logtail, } + // 32*b + resp.DomainDataPlaneAuditLogID = "6262626262626262626262626262626262626262626262626262626262626262" + return &resp, nil } diff --git a/hscontrol/mapper/tail.go b/hscontrol/mapper/tail.go index c10da4d..459069f 100644 --- a/hscontrol/mapper/tail.go +++ b/hscontrol/mapper/tail.go @@ -128,9 +128,10 @@ func tailNode( // - 74: 2023-09-18: Client understands NodeCapMap if capVer >= 74 { tNode.CapMap = tailcfg.NodeCapMap{ - tailcfg.CapabilityFileSharing: []tailcfg.RawMessage{}, - tailcfg.CapabilityAdmin: []tailcfg.RawMessage{}, - tailcfg.CapabilitySSH: []tailcfg.RawMessage{}, + tailcfg.CapabilityFileSharing: []tailcfg.RawMessage{}, + tailcfg.CapabilityAdmin: []tailcfg.RawMessage{}, + tailcfg.CapabilitySSH: []tailcfg.RawMessage{}, + tailcfg.CapabilityDataPlaneAuditLogs: []tailcfg.RawMessage{}, } if randomClientPort { @@ -159,5 +160,8 @@ func tailNode( tNode.LastSeen = node.LastSeen } + // must be 32 decoded bytes, here: 32*a + tNode.DataPlaneAuditLogID = "6161616161616161616161616161616161616161616161616161616161616161" + return &tNode, nil } ``` ## client Patch the client to send the traffic for the `tailtraffic.log.tailscale.io` collection to your host instead of the default host/log URL.

adam commented 2025-12-29 02:21:14 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Jul 8, 2024):

This issue is stale because it has been open for 90 days with no activity.

@github-actions[bot] commented on GitHub (Jul 8, 2024): This issue is stale because it has been open for 90 days with no activity.

adam commented 2025-12-29 02:21:14 +01:00

Author

Owner

Copy Link

@benley commented on GitHub (Jul 8, 2024):

This issue is stale because it has been open for 90 days with no activity.

not stale

@benley commented on GitHub (Jul 8, 2024): > This issue is stale because it has been open for 90 days with no activity. not stale

adam commented 2025-12-29 02:21:14 +01:00

Author

Owner

Copy Link

@jirutka commented on GitHub (Nov 5, 2024):

I’m currently analyzing available VPN solutions for the university’s needs, Tailscale/Headscale looked very promising, but once I started dealing with monitoring, this turned out to be a blocker. :(

@jirutka commented on GitHub (Nov 5, 2024): I’m currently analyzing available VPN solutions for the university’s needs, Tailscale/Headscale looked very promising, but once I started dealing with monitoring, this turned out to be a blocker. :(

adam referenced this issue 2025-12-29 02:30:26 +01:00

[PR #615] [MERGED] fix typo for GGO->CGO #1526

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

v0.28.0-beta.1

v0.27.2-rc.1

v0.27.1

v0.27.0

v0.27.0-beta.2

v0.27.0-beta.1

v0.26.1

v0.26.0

v0.26.0-beta.2

v0.26.0-beta.1

v0.25.1

v0.25.0

v0.25.0-beta.2

v0.24.3

v0.25.0-beta.1

v0.24.2

v0.24.1

v0.24.0

v0.24.0-beta.2

v0.24.0-beta.1

v0.23.0

v0.23.0-rc.1

v0.23.0-beta.5

v0.23.0-beta.4

v0.23.0-beta3

v0.23.0-beta2

v0.23.0-beta1

v0.23.0-alpha12

v0.23.0-alpha11

v0.23.0-alpha10

v0.23.0-alpha9

v0.23.0-alpha8

v0.23.0-alpha7

v0.23.0-alpha6

v0.23.0-alpha5

v0.23.0-alpha4

v0.23.0-alpha4-docker-ko-test9

v0.23.0-alpha4-docker-ko-test8

v0.23.0-alpha4-docker-ko-test7

v0.23.0-alpha4-docker-ko-test6

v0.23.0-alpha4-docker-ko-test5

v0.23.0-alpha-docker-release-test-debug2

v0.23.0-alpha-docker-release-test-debug

v0.23.0-alpha4-docker-ko-test4

v0.23.0-alpha4-docker-ko-test3

v0.23.0-alpha4-docker-ko-test2

v0.23.0-alpha4-docker-ko-test

v0.23.0-alpha3

v0.23.0-alpha2

v0.23.0-alpha1

v0.22.3

v0.22.2

v0.23.0-alpha-docker-release-test

v0.22.1

v0.22.0

v0.22.0-alpha3

v0.22.0-alpha2

v0.22.0-alpha1

v0.22.0-nfpmtest

v0.21.0

v0.20.0

v0.19.0

v0.19.0-beta2

v0.19.0-beta1

v0.18.0

v0.18.0-beta4

v0.18.0-beta3

v0.18.0-beta2

v0.18.0-beta1

v0.17.1

v0.17.0

v0.17.0-beta5

v0.17.0-beta4

v0.17.0-beta3

v0.17.0-beta2

v0.17.0-beta1

v0.17.0-alpha4

v0.17.0-alpha3

v0.17.0-alpha2

v0.17.0-alpha1

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.16.0-beta7

v0.16.0-beta6

v0.16.0-beta5

v0.16.0-beta4

v0.16.0-beta3

v0.16.0-beta2

v0.16.0-beta1

v0.15.0

v0.15.0-beta6

v0.15.0-beta5

v0.15.0-beta4

v0.15.0-beta3

v0.15.0-beta2

v0.15.0-beta1

v0.14.0

v0.14.0-beta2

v0.14.0-beta1

v0.13.0

v0.13.0-beta3

v0.13.0-beta2

v0.13.0-beta1

upstream/v0.12.4

v0.12.4

v0.12.3

v0.12.2

v0.12.2-beta1

v0.12.1

v0.12.0-beta2

v0.12.0-beta1

v0.11.0

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

CLI

DERP

DNS

Nix

OIDC

SSH

bug

database

documentation

duplicate

enhancement

faq

good first issue

grants

help wanted

might-come

needs design doc

needs investigation

no-stale-bot

out of scope

performance

policy 📝

pull-request

Mirrored from GitHub Pull Request

question

regression

routes

stale

tags

tailscale-feature-gap

well described ❤️

wontfix

No Label enhancement help wanted needs design doc needs investigation no-stale-bot

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#615