{"slug":"logging-overview","title":"Logging overview","tags":["tailscale","logging"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Logging overview\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nEach Tailscale agent in your distributed network streams its logs to a central log server (at `log.tailscale.com`). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.\r\n\r\nBecause every connection requires two endpoints, and both endpoints log every connection, it's possible to detect lost or tampered logs by comparing the double entries of each endpoint. You could also use IDS (intrusion detection system) rules to automatically detect suspicious activity on your network.\r\n\r\n## [Client logs](https://tailscale.com/docs/features/logging\\#client-logs)\r\n\r\nEach client logs information about its own operation and its attempts to contact other nodes. The data collected and how it is used are described in our [privacy policy](https://tailscale.com/privacy-policy).\r\n\r\nYou can access logs locally for nodes on some desktop platforms.\r\n\r\n[Windows](https://tailscale.com/docs/features/logging?tab=windows) [macOS](https://tailscale.com/docs/features/logging?tab=macos) [iOS / tvOS](https://tailscale.com/docs/features/logging?tab=ios+%2F+tvos) [Android](https://tailscale.com/docs/features/logging?tab=android) [Linux](https://tailscale.com/docs/features/logging?tab=linux)\r\n\r\nLogs are stored in `C:\\ProgramData\\Tailscale` (or, more generally `$env:ALLUSERSPROFILE\\Tailscale`).\r\n\r\n### [Centralized log management](https://tailscale.com/docs/features/logging\\#centralized-log-management)\r\n\r\nSome logs are centrally collected by Tailscale for debugging. This is done with a [custom-built, high-capacity, high-reliability, distributed logging system](https://apenwarr.ca/log/20190216).\r\n\r\nClient operational logs are only accessible locally on each node, but you could stream your system- and container-level logs to the same centralized data store for further analysis. [Network flow logs](https://tailscale.com/docs/features/logging#network-flow-logs) are available from the admin console when enabled.\r\n\r\n### [Opt out of client logging](https://tailscale.com/docs/features/logging\\#opt-out-of-client-logging)\r\n\r\nIf you block client logging, Tailscale may not be able to provide technical support.\r\n\r\n[Windows](https://tailscale.com/docs/features/logging?tab=windows) [macOS](https://tailscale.com/docs/features/logging?tab=macos) [Linux](https://tailscale.com/docs/features/logging?tab=linux)\r\n\r\nThis is possible if you set the `TS_NO_LOGS_NO_SUPPORT` environment variable in `%ProgramData%\\Tailscale\\tailscaled-env.txt`:\r\n\r\n```powershell\r\nTS_NO_LOGS_NO_SUPPORT=true\r\n```\r\n\r\nTo track when you can instead use the `--no-logs-no-support` flag, follow our [GitHub issue](https://github.com/tailscale/tailscale/issues/5114) for making it easier to use environment variables.\r\n\r\n## [Kubernetes Operator logs](https://tailscale.com/docs/features/logging\\#kubernetes-operator-logs)\r\n\r\nThe Kubernetes Operator's reconciliation logs are centrally collected for debugging. These logs describe steps the Kubernetes Operator has taken to bring the deployed state in-line with the desired state regarding Kubernetes resources.\r\n\r\nRefer to our [privacy policy](https://tailscale.com/privacy-policy) to understand the data collected and how we use it.\r\n\r\nYou can access logs locally using the `kubectl logs` command.\r\n\r\n### [Opt out of Kubernetes logging](https://tailscale.com/docs/features/logging\\#opt-out-of-kubernetes-logging)\r\n\r\nIf you deployed the Kubernetes Operator with Helm, add the `TS_NO_LOGS_NO_SUPPORT` environment variable to the `operatorConfig.extraEnv` section:\r\n\r\n```yaml\r\noperatorConfig:\r\n  extraEnv:\r\n  - name: TS_NO_LOGS_NO_SUPPORT\r\n    value: \"true\"\r\n```\r\n\r\nIf you deployed the Kubernetes Operator with static manifests, add the `TS_NO_LOGS_NO_SUPPORT` environment variable to the Kubernetes Operator's Deployment:\r\n\r\n```yaml\r\nenv:\r\n- name: TS_NO_LOGS_NO_SUPPORT\r\n  value: \"true\"\r\n```\r\n\r\n## [Network flow logs](https://tailscale.com/docs/features/logging\\#network-flow-logs)\r\n\r\nNetwork flow logsare available for [the Premium and Enterprise plans](https://tailscale.com/pricing).\r\n\r\n[Network flow logs](https://tailscale.com/docs/features/logging/network-flow-logs) are available to help you understand which devices are connecting to one another over time, that is, the _flow_ of traffic across your tailnet.\r\n\r\nThese logs strictly do not contain any information about client operations or contents of network traffic.\r\n\r\nNetwork flow logs must be [enabled](https://tailscale.com/docs/features/logging/network-flow-logs#enable-network-flow-logs).\r\n\r\nFlow logs can be configured to [stream](https://tailscale.com/docs/features/logging/log-streaming) to a security information and event management (SIEM) system.\r\n\r\n## [Server logs](https://tailscale.com/docs/features/logging\\#server-logs)\r\n\r\n[Configuration audit logs](https://tailscale.com/docs/features/logging/audit-logging) record actions that modify a tailnet's configuration, including the type of action, the actor, the target resource, and the time.\r\n\r\nAll [users who have access to the admin console](https://tailscale.com/docs/reference/user-roles) can inspect configuration audit logs in the [Logs](https://login.tailscale.com/admin/logs) page of the admin console, and can filter these logs to find specific events.\r\n\r\nConfiguration audit logs are enabled by default for all tailnets, and are available for the most recent 90 days.\r\n\r\nAudit logs can be configured to [stream](https://tailscale.com/docs/features/logging/log-streaming) to a security information and event management (SIEM) system.\r\n\r\n## [Local SSH session logs](https://tailscale.com/docs/features/logging\\#local-ssh-session-logs)\r\n\r\nLocal SSH session logs are not supported as of version 1.48.0.\r\n\r\nYou can use [Tailscale SSH session recording](https://tailscale.com/docs/features/tailscale-ssh/tailscale-ssh-session-recording) to streaming recordings from the server device.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Logging overview</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>Each Tailscale agent in your distributed network streams its logs to a central log server (at <code>log.tailscale.com</code>). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.</p>\n<p>Because every connection requires two endpoints, and both endpoints log every connection, it's possible to detect lost or tampered logs by comparing the double entries of each endpoint. You could also use IDS (intrusion detection system) rules to automatically detect suspicious activity on your network.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging#client-logs\">Client logs</a></h2>\n<p>Each client logs information about its own operation and its attempts to contact other nodes. The data collected and how it is used are described in our <a href=\"https://tailscale.com/privacy-policy\">privacy policy</a>.</p>\n<p>You can access logs locally for nodes on some desktop platforms.</p>\n<p><a href=\"https://tailscale.com/docs/features/logging?tab=windows\">Windows</a> <a href=\"https://tailscale.com/docs/features/logging?tab=macos\">macOS</a> <a href=\"https://tailscale.com/docs/features/logging?tab=ios+%2F+tvos\">iOS / tvOS</a> <a href=\"https://tailscale.com/docs/features/logging?tab=android\">Android</a> <a href=\"https://tailscale.com/docs/features/logging?tab=linux\">Linux</a></p>\n<p>Logs are stored in <code>C:\\ProgramData\\Tailscale</code> (or, more generally <code>$env:ALLUSERSPROFILE\\Tailscale</code>).</p>\n<h3><a href=\"https://tailscale.com/docs/features/logging#centralized-log-management\">Centralized log management</a></h3>\n<p>Some logs are centrally collected by Tailscale for debugging. This is done with a <a href=\"https://apenwarr.ca/log/20190216\">custom-built, high-capacity, high-reliability, distributed logging system</a>.</p>\n<p>Client operational logs are only accessible locally on each node, but you could stream your system- and container-level logs to the same centralized data store for further analysis. <a href=\"https://tailscale.com/docs/features/logging#network-flow-logs\">Network flow logs</a> are available from the admin console when enabled.</p>\n<h3><a href=\"https://tailscale.com/docs/features/logging#opt-out-of-client-logging\">Opt out of client logging</a></h3>\n<p>If you block client logging, Tailscale may not be able to provide technical support.</p>\n<p><a href=\"https://tailscale.com/docs/features/logging?tab=windows\">Windows</a> <a href=\"https://tailscale.com/docs/features/logging?tab=macos\">macOS</a> <a href=\"https://tailscale.com/docs/features/logging?tab=linux\">Linux</a></p>\n<p>This is possible if you set the <code>TS_NO_LOGS_NO_SUPPORT</code> environment variable in <code>%ProgramData%\\Tailscale\\tailscaled-env.txt</code>:</p>\n<pre><code class=\"language-powershell\">TS_NO_LOGS_NO_SUPPORT=true\n</code></pre>\n<p>To track when you can instead use the <code>--no-logs-no-support</code> flag, follow our <a href=\"https://github.com/tailscale/tailscale/issues/5114\">GitHub issue</a> for making it easier to use environment variables.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging#kubernetes-operator-logs\">Kubernetes Operator logs</a></h2>\n<p>The Kubernetes Operator's reconciliation logs are centrally collected for debugging. These logs describe steps the Kubernetes Operator has taken to bring the deployed state in-line with the desired state regarding Kubernetes resources.</p>\n<p>Refer to our <a href=\"https://tailscale.com/privacy-policy\">privacy policy</a> to understand the data collected and how we use it.</p>\n<p>You can access logs locally using the <code>kubectl logs</code> command.</p>\n<h3><a href=\"https://tailscale.com/docs/features/logging#opt-out-of-kubernetes-logging\">Opt out of Kubernetes logging</a></h3>\n<p>If you deployed the Kubernetes Operator with Helm, add the <code>TS_NO_LOGS_NO_SUPPORT</code> environment variable to the <code>operatorConfig.extraEnv</code> section:</p>\n<pre><code class=\"language-yaml\">operatorConfig:\r\n  extraEnv:\r\n  - name: TS_NO_LOGS_NO_SUPPORT\r\n    value: \"true\"\n</code></pre>\n<p>If you deployed the Kubernetes Operator with static manifests, add the <code>TS_NO_LOGS_NO_SUPPORT</code> environment variable to the Kubernetes Operator's Deployment:</p>\n<pre><code class=\"language-yaml\">env:\r\n- name: TS_NO_LOGS_NO_SUPPORT\r\n  value: \"true\"\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/features/logging#network-flow-logs\">Network flow logs</a></h2>\n<p>Network flow logsare available for <a href=\"https://tailscale.com/pricing\">the Premium and Enterprise plans</a>.</p>\n<p><a href=\"https://tailscale.com/docs/features/logging/network-flow-logs\">Network flow logs</a> are available to help you understand which devices are connecting to one another over time, that is, the <em>flow</em> of traffic across your tailnet.</p>\n<p>These logs strictly do not contain any information about client operations or contents of network traffic.</p>\n<p>Network flow logs must be <a href=\"https://tailscale.com/docs/features/logging/network-flow-logs#enable-network-flow-logs\">enabled</a>.</p>\n<p>Flow logs can be configured to <a href=\"https://tailscale.com/docs/features/logging/log-streaming\">stream</a> to a security information and event management (SIEM) system.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging#server-logs\">Server logs</a></h2>\n<p><a href=\"https://tailscale.com/docs/features/logging/audit-logging\">Configuration audit logs</a> record actions that modify a tailnet's configuration, including the type of action, the actor, the target resource, and the time.</p>\n<p>All <a href=\"https://tailscale.com/docs/reference/user-roles\">users who have access to the admin console</a> can inspect configuration audit logs in the <a href=\"https://login.tailscale.com/admin/logs\">Logs</a> page of the admin console, and can filter these logs to find specific events.</p>\n<p>Configuration audit logs are enabled by default for all tailnets, and are available for the most recent 90 days.</p>\n<p>Audit logs can be configured to <a href=\"https://tailscale.com/docs/features/logging/log-streaming\">stream</a> to a security information and event management (SIEM) system.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging#local-ssh-session-logs\">Local SSH session logs</a></h2>\n<p>Local SSH session logs are not supported as of version 1.48.0.</p>\n<p>You can use <a href=\"https://tailscale.com/docs/features/tailscale-ssh/tailscale-ssh-session-recording\">Tailscale SSH session recording</a> to streaming recordings from the server device.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}