# Admin console - Audit log streaming

In addition to retaining audit logs in the Workato platform itself, Workato can optionally stream audit logs from all of a partner's customers to a single destination with a one-time setup. Partners can enable the feature through the Audit log streaming setting in the Admin console > Settings tab.

When a partner enables audit log streaming for all customers, Workato stores the customers' audit log activities, including job history, recipe step details, and user activity, in an Amazon S3 bucket or any log provider accessible through a REST endpoint. Each job or event is represented as a JSON file, which Workato sends to the log provider using the HTTP POST method. Examples of log providers include Sumo Logic (opens new window), Datadog (opens new window), and Splunk (opens new window), among others.

Note that the Workato platform retains audit logs for the designated retention period whether audit log streaming is enabled or not.

Alternatively, to enable audit log streaming for each customer individually, see Set unique log destinations.

FEATURE AVAILABILITY

The Audit log streaming feature is available to customers on specific pricing plans. Refer to your pricing plan and contract to learn more.

# Audit events

Audit events include:

Job summaries
Job details
User activity (log-ins, team changes, asset creation, edits, and deletions)

# Setting up audit log streaming

Navigate to Admin console > Settings and use the toggle button in the Audit log streaming section to enable audit log streaming.

Audit log streaming settings in the Admin console

Select the type of events to include in your audit log stream. If you choose to stream your job history, you have the additional option to include your recipe step details in your audit log stream.

Optionally, customize the log message format.

Select a Destination type from the picklist and enter any required fields for the selected destination type.

Select Save.

OVERRIDE BEHAVIOR FOR OEM WORKSPACES

Configuring audit log streaming for all OEM customer workspaces overrides any existing audit log streaming settings in the OEM admin workspace. For example, if you set the OEM admin workspace to stream logs to an S3 destination but configure streaming for all OEM customer workspaces to Sumo Logic, the system directs all logs, including those from the OEM admin workspace, to Sumo Logic. Consider this behavior carefully when you set up audit log streaming for multiple workspaces.

# Customize audit log JSON

Customize the audit log JSON to different formats to suit your needs. For example, you may require a source application (for example, workato) to process the event logs in the destination application automatically.

In the Admin console > Settings tab, you can create the custom log message using JSON format in the Audit log streaming > Customize log message section. Along with your custom fields, define the JSON structure with a placeholder for the Workato audit log. Workato replaces the placeholder value with the actual log message before the event is streamed.

For more information, see Supported placeholders.

# Identifying customers from JSON files

The JSON file includes the user_id and user_external_id parameters in the context block for all log files related to job details. These two IDs refer to the Workato customer ID and the partner-provided external ID for the customer.

Audit log streaming Sample JSON from a job event

The JSON file includes the id and external_id parameters nested in the user and team for all log files related to user activity. The IDs in the team block refer to the customer, while the IDs in the user block refer to the specific customer team member who performed the action.

Audit log streaming Sample JSON from a user activity event

If the partner did not provide any external ID while creating the customer or customer team member, the external_id value is null.

# Set unique audit log destinations

Partners can provide audit log replication configuration on each customer individually. This setting is available on each customer's Settings page as long as the audit log replication setting is not configured in the partner's Admin console. Therefore, if each customer requires a separate audit log destination, don't configure the overall setting in the Admin console.