From 66b7d2e294a4ae11cc40b576569b793053c01435 Mon Sep 17 00:00:00 2001
From: stevenGravy <steven@goteleport.com>
Date: Tue, 26 Nov 2024 15:17:46 -0500
Subject: [PATCH 1/4] Include node name or k8s cluster for session started
 audit entry display

---
 .../teleport/src/services/audit/makeEvent.ts      | 15 ++++++++++++++-
 web/packages/teleport/src/services/audit/types.ts |  5 +++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/web/packages/teleport/src/services/audit/makeEvent.ts b/web/packages/teleport/src/services/audit/makeEvent.ts
index 5ab85766209df..ffa83910c0427 100644
--- a/web/packages/teleport/src/services/audit/makeEvent.ts
+++ b/web/packages/teleport/src/services/audit/makeEvent.ts
@@ -649,7 +649,20 @@ export const formatters: Formatters = {
   [eventCodes.SESSION_START]: {
     type: 'session.start',
     desc: 'Session Started',
-    format: ({ user, sid }) => `User [${user}] has started a session [${sid}]`,
+    format: event => {
+      const user = event.user || '';
+      const node =
+        event.server_hostname || event.server_addr || event.server_id;
+
+      if (event.proto === 'kube') {
+        if (!event.kubernetes_cluster) {
+          return `User [${user}] has started a Kubernetes session [${event.sid}]`;
+        }
+        return `User [${user}] has started a session [${event.sid}] on Kubernetes cluster [${event.kubernetes_cluster}]`;
+      }
+
+      return `User [${user}] has started a session [${event.sid}] on node [${node}] `;
+    },
   },
   [eventCodes.SESSION_UPLOAD]: {
     type: 'session.upload',
diff --git a/web/packages/teleport/src/services/audit/types.ts b/web/packages/teleport/src/services/audit/types.ts
index d20c51ee63813..509ca2ab1d956 100644
--- a/web/packages/teleport/src/services/audit/types.ts
+++ b/web/packages/teleport/src/services/audit/types.ts
@@ -573,6 +573,11 @@ export type RawEvents = {
     typeof eventCodes.SESSION_START,
     {
       sid: string;
+      kubernetes_cluster: string;
+      proto: string;
+      server_hostname: string;
+      server_addr: string;
+      server_id: string;
     }
   >;
   [eventCodes.SESSION_REJECT]: RawEvent<

From b46f60cea754ba268c2e86b970828df75fabd0c6 Mon Sep 17 00:00:00 2001
From: stevenGravy <steven@goteleport.com>
Date: Thu, 5 Dec 2024 11:40:00 -0500
Subject: [PATCH 2/4] update for order of variable assignment

---
 web/packages/teleport/src/services/audit/makeEvent.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/packages/teleport/src/services/audit/makeEvent.ts b/web/packages/teleport/src/services/audit/makeEvent.ts
index ffa83910c0427..be19b2d33e4ed 100644
--- a/web/packages/teleport/src/services/audit/makeEvent.ts
+++ b/web/packages/teleport/src/services/audit/makeEvent.ts
@@ -651,8 +651,6 @@ export const formatters: Formatters = {
     desc: 'Session Started',
     format: event => {
       const user = event.user || '';
-      const node =
-        event.server_hostname || event.server_addr || event.server_id;
 
       if (event.proto === 'kube') {
         if (!event.kubernetes_cluster) {
@@ -661,6 +659,8 @@ export const formatters: Formatters = {
         return `User [${user}] has started a session [${event.sid}] on Kubernetes cluster [${event.kubernetes_cluster}]`;
       }
 
+      const node =
+        event.server_hostname || event.server_addr || event.server_id;
       return `User [${user}] has started a session [${event.sid}] on node [${node}] `;
     },
   },

From 57569d1d70a3e2c9451f711991ff831eace50712 Mon Sep 17 00:00:00 2001
From: stevenGravy <steven@goteleport.com>
Date: Thu, 5 Dec 2024 12:15:00 -0500
Subject: [PATCH 3/4] update web ui tests for audit

---
 .../teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap b/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
index ebc8b9cb72f2b..49ed216da21d9 100644
--- a/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
+++ b/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
@@ -12800,7 +12800,7 @@ exports[`list of all events 1`] = `
         <td
           style="word-break: break-word;"
         >
-          User [admin@example.com] has started a session [56408539-6536-11e9-80a1-427cfde50f5a]
+          User [admin@example.com] has started a session [56408539-6536-11e9-80a1-427cfde50f5a] on node [de3800ea-69d9-4d72-a108-97e57f8eb393]
         </td>
         <td
           style="min-width: 120px;"

From 850d6dc0b0b3e27c75911def2ec9d4cee877bafe Mon Sep 17 00:00:00 2001
From: stevenGravy <steven@goteleport.com>
Date: Thu, 5 Dec 2024 12:32:17 -0500
Subject: [PATCH 4/4] test update for audit web

---
 .../teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap b/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
index 49ed216da21d9..06a6e5cf686b7 100644
--- a/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
+++ b/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
@@ -12800,7 +12800,7 @@ exports[`list of all events 1`] = `
         <td
           style="word-break: break-word;"
         >
-          User [admin@example.com] has started a session [56408539-6536-11e9-80a1-427cfde50f5a] on node [de3800ea-69d9-4d72-a108-97e57f8eb393]
+          User [admin@example.com] has started a session [56408539-6536-11e9-80a1-427cfde50f5a] on node [de3800ea-69d9-4d72-a108-97e57f8eb393] 
         </td>
         <td
           style="min-width: 120px;"