gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Audit Log page shows a timed out error on high-activity Firestore backends #42934

Open TeleLos opened 3 months ago

TeleLos commented 3 months ago

What would you like Teleport to do?

In self-hosted environments with a GCP Firestore backend, the Teleport UI Audit activity does not render successfully if the cluster has high event activity. This was observed when the events exceeded 1 million Firestore documents per day. With Firestore, the query will time out because too much data is being requested.

The feature request is to improve the Teleport UI by offering selection options that allow for smaller queries to the backend. Less data will be requested. Grafana, for example, offers query options for the last 5, 15, or 30 minutes.

What problem does this solve?

Currently, the Teleport UI does not render any data for the customer and displays an error.

If a workaround exists, please include it.

Customers can implement the event handler and ship audit events to a SIEM or logging system.

rosstimothy commented 2 months ago

This issue is not unique to the Firestore events backend. Similar problems may arise when using Athena depending on the limits configured in the workgroup: https://github.com/gravitational/teleport/issues/41544.

tigrato commented 1 month ago

PR https://github.com/gravitational/teleport/pull/42902 improved the query, and it now doesn't pull all the events in the [from, to] window.