Admin console - Audit log streaming

Audit log streaming replicates and stores log data from all managed customer workspaces in a destination you specify. This lets you maintain access to logs beyond the audit log and Workato logging service retention periods and ensures you have ample time to review and analyze your activity logs for security and operational insights.

LOG STREAMING FOR INDIVIDUAL CUSTOMERS

Refer to Set unique log destinations to enable audit log streaming for each customer individually.

Each job or event is represented as a JSON file, which Workato sends to the log provider using the HTTP POST method. Workato supports the following destinations:

• Amazon S3 Bucket
• Azure Monitor
• Azure Blob
• A cloud-based logging service, such as Sumo Logic, Datadog, Splunk, or Google Cloud Storage Buckets

FEATURE AVAILABILITY

Audit log streaming is included in specific pricing plans for direct customers and is available to Embedded partners and their end customers for an additional fee. Refer to your pricing plan and contract to learn more.

Log streaming events

Available Log streaming events include:

• Job status only: Logs whether a job succeeded or failed.
• Full job details: Logs job details, including status and data for each line action.
• User activity: Logs all user activity in the workspace.
• API platform logs: Logs all API requests handled by the API platform.
• Workato Log events: Logs all messages sent to the Workato logging service.

Setting up audit log streaming

1

Sign in to Workato with an Embedded partner workspace.

2

Go to Admin console > Settings > Audit log streaming.

Audit log streaming settings in the Admin console

3

Use the Enable setup and streaming of customer audit logs toggle to enable audit log streaming.

4

Select the events to stream:

• Job status only: Logs whether a job succeeded or failed.
• Full job details: Logs job details, including status and data for each line action.
• User activity: Logs all user activity in the workspace.
• API platform logs: Logs all API requests handled by the API platform.
• Workato Log events: Logs all messages sent to the Workato logging service.

Additionally, select the Log types and Log levels to include if you plan to stream events from the Workato logging service.

5

Optionally, customize the log message format.

6

Select a Destination type from the picklist and enter any required fields for the selected destination type.

7

Select Save.

OVERRIDE BEHAVIOR FOR OEM WORKSPACES

Configuring audit log streaming for all OEM customer workspaces overrides any existing audit log streaming settings in the OEM admin workspace. For example, if you set the OEM admin workspace to stream logs to an S3 destination but configure streaming for all OEM customer workspaces to Sumo Logic, the system directs all logs, including those from the OEM admin workspace, to Sumo Logic. Consider this behavior carefully when you set up audit log streaming for multiple workspaces.

Customize audit log JSON

Customize the audit log JSON to different formats to suit your needs. For example, you may require a source application (for example, workato) to process the event logs in the destination application automatically.

In the Admin console > Settings tab, you can create the custom log message using JSON format in the Audit log streaming > Customize log message section. Along with your custom fields, define the JSON structure with a placeholder for the Workato audit log. Workato replaces the placeholder value with the actual log message before the event is streamed.

For more information, see Supported placeholders.

Identifying customers from JSON files

The JSON file includes the user_id and user_external_id parameters in the context block for all log files related to job details. These two IDs refer to the Workato customer ID and the partner-provided external ID for the customer.

Sample JSON from a job event

The JSON file includes the id and external_id parameters nested in the user and team for all log files related to user activity. The IDs in the team block refer to the customer, while the IDs in the user block refer to the specific customer team member who performed the action.

Sample JSON from a user activity event

If the partner did not provide any external ID while creating the customer or customer team member, the external_id value is null.

Set unique audit log destinations

Partners can provide audit log replication configuration on each customer individually. This setting is available on each customer's Settings page as long as the audit log replication setting is not configured in the partner's Admin console. Therefore, if each customer requires a separate audit log destination, don't configure the overall setting in the Admin console.

FURTHER READING

See our audit log streaming guide for direct connections for more information about the following topics:

• Audit stream destinations
• JSON file details
• JSON file content - sample data