Log Streaming
Auris records audit logs for every significant event in your tenant: logins, user changes, role assignments, permission checks, API calls, and administrative actions. Log streaming allows you to export these events in real-time to external logging and analytics services, giving you a unified view of authentication activity alongside your application logs.
This guide covers the supported destinations, how to configure each one, the log entry format, and how to verify delivery.
Why Log Streaming
While the Auris Console provides a built-in audit log viewer with search and filters, organizations often need to:
- Centralize logs across all systems (application, infrastructure, authentication) in a single SIEM
- Retain logs beyond the default retention period (Auris retains logs for 90 days by default)
- Create custom dashboards and alerts based on authentication events
- Meet compliance requirements (SOC 2, HIPAA, GDPR) that mandate log export to a controlled storage system
- Correlate authentication events with application events for incident investigation
Log streaming sends events as they occur with minimal latency (typically under 5 seconds).
Supported Destinations
Auris supports four log streaming destination types:
| Destination | Transport | Authentication | Best for |
|---|---|---|---|
| Webhook | HTTPS POST | HMAC-SHA256 signing | Custom integrations, Elasticsearch, self-hosted SIEM |
| Amazon S3 | AWS S3 API | Access key + Secret key | Long-term archival, compliance, data lake |
| Datadog | Datadog Log API | API key | Real-time monitoring and alerting |
| Splunk | HTTP Event Collector (HEC) | HEC token | Enterprise SIEM and security analytics |
Log Entry Format
All log entries share the same JSON schema regardless of destination:
{
"id": "log_abc123def456",
"timestamp": "2026-01-15T10:30:00.000Z",
"type": "login.succeeded",
"severity": "info",
"actor": {
"id": "usr_xyz789",
"email": "[email protected]",
"type": "user"
},
"target": {
"id": "app_web123",
"type": "application",
"name": "Production Web App"
},
"action": "login.succeeded",
"description": "User logged in successfully",
"metadata": {
"ipAddress": "203.0.113.42",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"location": "Milan, Italy",
"authMethod": "password",
"mfaUsed": true,
"mfaMethod": "totp",
"sessionId": "sess_abc123"
},
"tenant": "your-tenant-id",
"source": "auris"
}Field Reference
| Field | Type | Description |
|---|---|---|
id | string | Unique event identifier |
timestamp | ISO 8601 | When the event occurred |
type | string | Event type (e.g., login.succeeded, user.created, role.assigned) |
severity | string | info, warn, or error |
actor | object | Who performed the action (user, admin, system, or M2M client) |
target | object | The resource affected (user, application, role, organization) |
action | string | The action performed |
description | string | Human-readable description |
metadata | object | Additional context (IP, user agent, location, specific parameters) |
tenant | string | The tenant ID |
source | string | Always auris |
Setting Up Webhook Destination
The Webhook destination sends log entries as HTTPS POST requests to your endpoint, signed with HMAC-SHA256 for verification.
Configuration
- Go to Console then Settings then Log Streaming
- Click Add Stream
- Select Webhook as the destination type
- Enter the configuration:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for this stream |
| URL | Yes | Your HTTPS endpoint URL |
| Events | No | Filter which event types to stream (empty = all events) |
- Click Create
Auris generates a signing secret for the webhook. The request format is:
POST /your-log-endpoint HTTP/1.1
Host: api.yourcompany.com
Content-Type: application/json
X-Webhook-Signature: <hmac-sha256-hex>
X-Webhook-Timestamp: <unix-seconds>
{
"events": [
{ "id": "log_abc123", "type": "login.succeeded", ... },
{ "id": "log_def456", "type": "user.updated", ... }
]
}Events are batched (up to 100 per request) and delivered within seconds. Use the same signature verification logic as described in the Webhooks guide.
Example Receiver
import express from 'express'
import crypto from 'crypto'
const app = express()
app.post(
'/logs/auris',
express.raw({ type: 'application/json' }),
(req, res) => {
const signature = req.headers['x-webhook-signature'] as string
const timestamp = req.headers['x-webhook-timestamp'] as string
const secret = process.env.AURIS_LOG_STREAM_SECRET!
// Verify signature
const payload = `${timestamp}.${req.body.toString()}`
const expected = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex')
if (
!crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
)
) {
return res.status(401).send('Invalid signature')
}
const { events } = JSON.parse(req.body.toString())
// Forward to your logging system
for (const event of events) {
console.log(`[${event.severity}] ${event.type}: ${event.description}`)
}
res.status(200).json({ received: events.length })
}
)Setting Up Amazon S3 Destination
The S3 destination writes log entries as JSON files to an S3 bucket. Files are organized by date and batched for efficient storage.
Configuration
- Go to Console then Settings then Log Streaming
- Click Add Stream
- Select Amazon S3 as the destination type
- Enter the configuration:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for this stream |
| Bucket | Yes | S3 bucket name (e.g., my-company-auris-logs) |
| Region | Yes | AWS region (e.g., eu-west-1) |
| Access Key ID | Yes | AWS IAM access key with s3:PutObject permission |
| Secret Access Key | Yes | Corresponding secret key |
| Prefix | No | Object key prefix (e.g., auris/production/) |
| Events | No | Filter which event types to stream |
- Click Create
S3 Object Structure
Log files are written with the following key pattern:
{prefix}yyyy/MM/dd/HH/auris-logs-{timestamp}-{uuid}.jsonExample:
auris/production/2026/01/15/14/auris-logs-1737014400-a1b2c3d4.jsonEach file contains a JSON array of log entries:
[
{ "id": "log_abc123", "type": "login.succeeded", "timestamp": "..." },
{ "id": "log_def456", "type": "user.created", "timestamp": "..." }
]Required IAM Policy
Create an IAM user or role with the following minimum policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::my-company-auris-logs/auris/*"
}
]
}Follow the principle of least privilege. Only grant PutObject permission on the specific prefix Auris will use. Do not grant s3:* or access to the entire bucket.
Setting Up Datadog Destination
The Datadog destination sends log entries to the Datadog Logs API, where they appear in Log Explorer and can be used in monitors, dashboards, and alerts.
Configuration
- Go to Console then Settings then Log Streaming
- Click Add Stream
- Select Datadog as the destination type
- Enter the configuration:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for this stream |
| API Key | Yes | Datadog API key (from Organization Settings) |
| Site | Yes | Your Datadog site: datadoghq.com (US), datadoghq.eu (EU), us3.datadoghq.com (US3), us5.datadoghq.com (US5) |
| Source Tag | No | Source tag for filtering in Datadog (default: auris) |
| Events | No | Filter which event types to stream |
- Click Create
Datadog Log Format
Auris maps log entries to Datadog’s log format:
{
"ddsource": "auris",
"ddtags": "env:production,tenant:your-tenant-id",
"hostname": "auth.yourcompany.com",
"service": "auris",
"status": "info",
"message": "User logged in successfully",
"timestamp": "2026-01-15T10:30:00.000Z",
"auris": {
"event_type": "login.succeeded",
"actor_id": "usr_xyz789",
"actor_email": "[email protected]",
"target_type": "application",
"target_id": "app_web123",
"ip_address": "203.0.113.42",
"session_id": "sess_abc123"
}
}Creating Datadog Monitors
After log streaming is active, create monitors in Datadog to alert on critical events:
Failed login spike:
logs("source:auris @auris.event_type:login.failed").index("main").rollup("count").last("5m") > 50Account lockout:
logs("source:auris @auris.event_type:user.blocked").index("main").rollup("count").last("1h") > 5Suspicious login detected:
logs("source:auris @auris.event_type:login.suspicious").index("main").rollup("count").last("15m") > 0Setting Up Splunk Destination
The Splunk destination sends log entries to a Splunk HTTP Event Collector (HEC) endpoint.
Prerequisites
- Enable HTTP Event Collector in Splunk (Settings > Data Inputs > HTTP Event Collector)
- Create a new HEC token
- Note the HEC URL and token
Configuration
- Go to Console then Settings then Log Streaming
- Click Add Stream
- Select Splunk as the destination type
- Enter the configuration:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for this stream |
| HEC URL | Yes | Splunk HEC endpoint (e.g., https://splunk.yourcompany.com:8088) |
| Token | Yes | HEC token |
| Index | No | Target Splunk index (default: Splunk’s default index) |
| Events | No | Filter which event types to stream |
- Click Create
Splunk HEC Format
Auris sends events in Splunk HEC JSON format:
{
"time": 1737014400,
"host": "auth.yourcompany.com",
"source": "auris",
"sourcetype": "auris:audit",
"index": "auris_logs",
"event": {
"id": "log_abc123",
"type": "login.succeeded",
"severity": "info",
"actor": { "id": "usr_xyz789", "email": "[email protected]" },
"description": "User logged in successfully",
"metadata": { "ipAddress": "203.0.113.42" }
}
}Splunk Search Examples
After ingestion, search Auris events with SPL:
# All authentication failures in the last hour
sourcetype="auris:audit" type="login.failed" earliest=-1h
# Count logins by country
sourcetype="auris:audit" type="login.succeeded"
| spath path=metadata.location
| stats count by metadata.location
# Detect impossible travel
sourcetype="auris:audit" type="login.suspicious"
| where metadata.reason="impossible_travel"Filtering Events
By default, a log stream receives all audit events. You can filter by event type when creating or updating a stream to reduce volume and cost.
Available Event Categories
| Category | Example events |
|---|---|
| Authentication | login.succeeded, login.failed, login.mfa_required, login.suspicious |
| User lifecycle | user.created, user.updated, user.deleted, user.blocked |
| Password | user.password_changed, user.password_reset_requested |
| Role & permissions | role.created, role.assigned, permission.changed |
| Organization | organization.created, organization.member_added, organization.invitation_sent |
| Application | application.created, application.secret_rotated |
| Session | session.created, session.revoked |
| Admin | admin.settings_changed, admin.user_impersonated |
Example: Stream only authentication and security-relevant events:
curl -X POST https://auth.yourdomain.com/api/log-streams \
-H "Authorization: Bearer $AURIS_ACCESS_TOKEN" \
-H "x-tenant: your-tenant-id" \
-H "Content-Type: application/json" \
-d '{
"name": "Security events to Datadog",
"type": "DATADOG",
"config": {
"apiKey": "dd-api-key-here",
"site": "datadoghq.eu",
"sourceTag": "auris"
},
"events": [
"login.failed",
"login.suspicious",
"user.blocked",
"user.unblocked",
"user.password_changed",
"session.revoked",
"role.assigned",
"role.unassigned"
]
}'Verifying Delivery
After creating a log stream, verify it is working:
Console Verification
- Go to Settings then Log Streaming
- Click on your stream to view its detail page
- The Status indicator shows whether recent deliveries succeeded
- The Last Delivery timestamp shows when the last batch was sent
Trigger a Test Event
Generate a test event by performing an action in the Console (e.g., creating a test user and then deleting it). Within a few seconds, the event should appear in your destination.
Check Delivery Failures
If deliveries are failing, the stream detail page shows:
- Error message — The HTTP status code or error returned by the destination
- Consecutive failures — How many deliveries have failed in a row
- Last successful delivery — When the stream last worked
If a stream accumulates too many consecutive failures, Auris pauses it automatically and notifies tenant administrators. Fix the underlying issue (credentials, network, endpoint availability) and re-enable the stream from the Console.
Troubleshooting
Webhook: 401 or 403 Errors
- Verify the signing secret matches between Auris and your endpoint
- Ensure your endpoint does not require additional authentication headers that Auris does not send
- Check that your server clock is synchronized (NTP) — timestamp verification fails if clocks are skewed more than 5 minutes
S3: Access Denied
- Verify the IAM access key and secret key are correct
- Ensure the IAM policy grants
s3:PutObjecton the correct bucket and prefix - Check that the S3 bucket exists in the specified region
- If using a bucket policy, ensure it does not deny access from Auris’s IP range
Datadog: Events Not Appearing
- Verify the API key is valid (test with
curl -X POST "https://http-intake.logs.datadoghq.com/api/v2/logs" -H "DD-API-KEY: your-key" -d '...') - Ensure you selected the correct Datadog site (US, EU, US3, US5)
- Check the Datadog Logs > Configuration > Pipeline for any processing rules that might be dropping events
Splunk: Connection Refused
- Verify the HEC URL is correct and includes the port (typically 8088)
- Ensure HEC is enabled in Splunk (Settings > Data Inputs > HTTP Event Collector > Global Settings)
- Verify the HEC token is valid and has the correct index permissions
- Check SSL certificates if using HTTPS — Auris requires a valid certificate
Related Guides
- Setting Up Webhooks — Real-time event notifications to your application
- Attack Protection — Understanding the events generated by the security pipeline
- Session Management — Session events in the audit log