Description
Expected behavior:
Setting types = "db.session.query" in teleport-event-handler.toml should make the event handler export only that event type.
Current behavior:
When using an event backend that supports the new bulk export API, both types and skip-event-types settings seem to be ignored.
These settings work correctly on a Teleport cluster that uses the legacy event watcher.
Bug details:
Teleport version
17.5.2
Reported and reproduced with Teleport Cloud.
Recreation steps
Follow any typical teleport-event-handler setup instructions. We were following https://goteleport.com/docs/admin-guides/management/export-audit-events/fluentd/ when we ran into this.
Add types = "db.session.query" to the config file. Observe every event type is sent to the FluentD endpoint, and not only db.session.query.
Adding skip-session-types to the config file also had no effect. Here are the first several lines of the TOML. It was originally generated with teleport-event-handler configure ... and the two options were manually added below the batch = 20 line.
```toml
storage = "./storage"
timeout = "10s"
batch = 20
types = "db.session.query"
skip-session-types = "access_list.create,access_list.delete,access_list.member.create,access_list.member.delete,access_list.member.update,access_list.review,access_list.update,access_request.create,access_request.review,auth,bot.join,cert.create,db.session.query.failed,db.session.start,device.authenticate,device.enroll,exec,instance.join,join_token.create,kube.request,lock.created,lock.deleted,recovery_code.used,reset_password_token.create,saml.idp.auth,session.command,session.join,session.rejected,session.start,user.create,user.login,user.password_change,windows.desktop.session.end,windows.desktop.session.start"
[forward.fluentd]
```
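A quick way to confirm whether the handler honoured the filters is to replay what the FluentD sink actually received against the configured allowlist and denylist. This is an added check, not code from the report or from teleport-event-handler; the sample records and the option values are constructed, and the assumption that the event type lives in the `event` JSON field is marked in the code.

```python
import json

# Constructed option values mirroring the report's TOML (hardcoded, not read from a file).
TYPES = "db.session.query"
SKIP_EVENT_TYPES = "db.session.query.failed,db.session.start,session.start"

# Constructed sample of JSON lines as a FluentD sink might have stored them.
# Assumption: the audit event type is carried in the "event" field.
RECEIVED = [
    '{"event":"db.session.query","db_query":"SELECT 1"}',
    '{"event":"session.start"}',
    '{"event":"db.session.start"}',
    '{"event":"user.login"}',
]


def parse_list(value):
    """Split a comma-separated option value into a set, dropping blanks."""
    return {item.strip() for item in value.split(",") if item.strip()}


def is_expected(event_type, types, skip):
    """Documented filter semantics: denylist wins, empty allowlist means everything."""
    if event_type in skip:
        return False
    return not types or event_type in types


def audit(lines, types_value=TYPES, skip_value=SKIP_EVENT_TYPES):
    """Return the event types that reached the sink although the config should have excluded them.

    An empty result means the exporter applied the filters; anything else
    reproduces the behaviour described in this issue.
    """
    types = parse_list(types_value)
    skip = parse_list(skip_value)
    leaked = []
    for line in lines:
        event_type = json.loads(line).get("event", "")
        if not is_expected(event_type, types, skip):
            leaked.append(event_type)
    return leaked


if __name__ == "__main__":
    print("unexpected event types:", audit(RECEIVED))
```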
Debug logs
N/A