Skip to Content
GuidesLog Streaming

Log Streaming

Auris records audit logs for every significant event in your tenant: logins, user changes, role assignments, permission checks, API calls, and administrative actions. Log streaming allows you to export these events in real-time to external logging and analytics services, giving you a unified view of authentication activity alongside your application logs.

This guide covers the supported destinations, how to configure each one, the log entry format, and how to verify delivery.

Why Log Streaming

While the Auris Console provides a built-in audit log viewer with search and filters, organizations often need to:

  • Centralize logs across all systems (application, infrastructure, authentication) in a single SIEM
  • Retain logs beyond the default retention period (Auris retains logs for 90 days by default)
  • Create custom dashboards and alerts based on authentication events
  • Meet compliance requirements (SOC 2, HIPAA, GDPR) that mandate log export to a controlled storage system
  • Correlate authentication events with application events for incident investigation

Log streaming sends events as they occur with minimal latency (typically under 5 seconds).

Supported Destinations

Auris supports four log streaming destination types:

DestinationTransportAuthenticationBest for
WebhookHTTPS POSTHMAC-SHA256 signingCustom integrations, Elasticsearch, self-hosted SIEM
Amazon S3AWS S3 APIAccess key + Secret keyLong-term archival, compliance, data lake
DatadogDatadog Log APIAPI keyReal-time monitoring and alerting
SplunkHTTP Event Collector (HEC)HEC tokenEnterprise SIEM and security analytics

Log Entry Format

All log entries share the same JSON schema regardless of destination:

{ "id": "log_abc123def456", "timestamp": "2026-01-15T10:30:00.000Z", "type": "login.succeeded", "severity": "info", "actor": { "id": "usr_xyz789", "email": "[email protected]", "type": "user" }, "target": { "id": "app_web123", "type": "application", "name": "Production Web App" }, "action": "login.succeeded", "description": "User logged in successfully", "metadata": { "ipAddress": "203.0.113.42", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...", "location": "Milan, Italy", "authMethod": "password", "mfaUsed": true, "mfaMethod": "totp", "sessionId": "sess_abc123" }, "tenant": "your-tenant-id", "source": "auris" }

Field Reference

FieldTypeDescription
idstringUnique event identifier
timestampISO 8601When the event occurred
typestringEvent type (e.g., login.succeeded, user.created, role.assigned)
severitystringinfo, warn, or error
actorobjectWho performed the action (user, admin, system, or M2M client)
targetobjectThe resource affected (user, application, role, organization)
actionstringThe action performed
descriptionstringHuman-readable description
metadataobjectAdditional context (IP, user agent, location, specific parameters)
tenantstringThe tenant ID
sourcestringAlways auris

Setting Up Webhook Destination

The Webhook destination sends log entries as HTTPS POST requests to your endpoint, signed with HMAC-SHA256 for verification.

Configuration

  1. Go to Console then Settings then Log Streaming
  2. Click Add Stream
  3. Select Webhook as the destination type
  4. Enter the configuration:
FieldRequiredDescription
NameYesA descriptive name for this stream
URLYesYour HTTPS endpoint URL
EventsNoFilter which event types to stream (empty = all events)
  1. Click Create

Auris generates a signing secret for the webhook. The request format is:

POST /your-log-endpoint HTTP/1.1 Host: api.yourcompany.com Content-Type: application/json X-Webhook-Signature: <hmac-sha256-hex> X-Webhook-Timestamp: <unix-seconds> { "events": [ { "id": "log_abc123", "type": "login.succeeded", ... }, { "id": "log_def456", "type": "user.updated", ... } ] }

Events are batched (up to 100 per request) and delivered within seconds. Use the same signature verification logic as described in the Webhooks guide.

Example Receiver

import express from 'express' import crypto from 'crypto' const app = express() app.post( '/logs/auris', express.raw({ type: 'application/json' }), (req, res) => { const signature = req.headers['x-webhook-signature'] as string const timestamp = req.headers['x-webhook-timestamp'] as string const secret = process.env.AURIS_LOG_STREAM_SECRET! // Verify signature const payload = `${timestamp}.${req.body.toString()}` const expected = crypto .createHmac('sha256', secret) .update(payload) .digest('hex') if ( !crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(expected) ) ) { return res.status(401).send('Invalid signature') } const { events } = JSON.parse(req.body.toString()) // Forward to your logging system for (const event of events) { console.log(`[${event.severity}] ${event.type}: ${event.description}`) } res.status(200).json({ received: events.length }) } )

Setting Up Amazon S3 Destination

The S3 destination writes log entries as JSON files to an S3 bucket. Files are organized by date and batched for efficient storage.

Configuration

  1. Go to Console then Settings then Log Streaming
  2. Click Add Stream
  3. Select Amazon S3 as the destination type
  4. Enter the configuration:
FieldRequiredDescription
NameYesA descriptive name for this stream
BucketYesS3 bucket name (e.g., my-company-auris-logs)
RegionYesAWS region (e.g., eu-west-1)
Access Key IDYesAWS IAM access key with s3:PutObject permission
Secret Access KeyYesCorresponding secret key
PrefixNoObject key prefix (e.g., auris/production/)
EventsNoFilter which event types to stream
  1. Click Create

S3 Object Structure

Log files are written with the following key pattern:

{prefix}yyyy/MM/dd/HH/auris-logs-{timestamp}-{uuid}.json

Example:

auris/production/2026/01/15/14/auris-logs-1737014400-a1b2c3d4.json

Each file contains a JSON array of log entries:

[ { "id": "log_abc123", "type": "login.succeeded", "timestamp": "..." }, { "id": "log_def456", "type": "user.created", "timestamp": "..." } ]

Required IAM Policy

Create an IAM user or role with the following minimum policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::my-company-auris-logs/auris/*" } ] }

Follow the principle of least privilege. Only grant PutObject permission on the specific prefix Auris will use. Do not grant s3:* or access to the entire bucket.

Setting Up Datadog Destination

The Datadog destination sends log entries to the Datadog Logs API, where they appear in Log Explorer and can be used in monitors, dashboards, and alerts.

Configuration

  1. Go to Console then Settings then Log Streaming
  2. Click Add Stream
  3. Select Datadog as the destination type
  4. Enter the configuration:
FieldRequiredDescription
NameYesA descriptive name for this stream
API KeyYesDatadog API key (from Organization Settings)
SiteYesYour Datadog site: datadoghq.com (US), datadoghq.eu (EU), us3.datadoghq.com (US3), us5.datadoghq.com (US5)
Source TagNoSource tag for filtering in Datadog (default: auris)
EventsNoFilter which event types to stream
  1. Click Create

Datadog Log Format

Auris maps log entries to Datadog’s log format:

{ "ddsource": "auris", "ddtags": "env:production,tenant:your-tenant-id", "hostname": "auth.yourcompany.com", "service": "auris", "status": "info", "message": "User logged in successfully", "timestamp": "2026-01-15T10:30:00.000Z", "auris": { "event_type": "login.succeeded", "actor_id": "usr_xyz789", "actor_email": "[email protected]", "target_type": "application", "target_id": "app_web123", "ip_address": "203.0.113.42", "session_id": "sess_abc123" } }

Creating Datadog Monitors

After log streaming is active, create monitors in Datadog to alert on critical events:

Failed login spike:

logs("source:auris @auris.event_type:login.failed").index("main").rollup("count").last("5m") > 50

Account lockout:

logs("source:auris @auris.event_type:user.blocked").index("main").rollup("count").last("1h") > 5

Suspicious login detected:

logs("source:auris @auris.event_type:login.suspicious").index("main").rollup("count").last("15m") > 0

Setting Up Splunk Destination

The Splunk destination sends log entries to a Splunk HTTP Event Collector (HEC) endpoint.

Prerequisites

  1. Enable HTTP Event Collector in Splunk (Settings > Data Inputs > HTTP Event Collector)
  2. Create a new HEC token
  3. Note the HEC URL and token

Configuration

  1. Go to Console then Settings then Log Streaming
  2. Click Add Stream
  3. Select Splunk as the destination type
  4. Enter the configuration:
FieldRequiredDescription
NameYesA descriptive name for this stream
HEC URLYesSplunk HEC endpoint (e.g., https://splunk.yourcompany.com:8088)
TokenYesHEC token
IndexNoTarget Splunk index (default: Splunk’s default index)
EventsNoFilter which event types to stream
  1. Click Create

Splunk HEC Format

Auris sends events in Splunk HEC JSON format:

{ "time": 1737014400, "host": "auth.yourcompany.com", "source": "auris", "sourcetype": "auris:audit", "index": "auris_logs", "event": { "id": "log_abc123", "type": "login.succeeded", "severity": "info", "actor": { "id": "usr_xyz789", "email": "[email protected]" }, "description": "User logged in successfully", "metadata": { "ipAddress": "203.0.113.42" } } }

Splunk Search Examples

After ingestion, search Auris events with SPL:

# All authentication failures in the last hour sourcetype="auris:audit" type="login.failed" earliest=-1h # Count logins by country sourcetype="auris:audit" type="login.succeeded" | spath path=metadata.location | stats count by metadata.location # Detect impossible travel sourcetype="auris:audit" type="login.suspicious" | where metadata.reason="impossible_travel"

Filtering Events

By default, a log stream receives all audit events. You can filter by event type when creating or updating a stream to reduce volume and cost.

Available Event Categories

CategoryExample events
Authenticationlogin.succeeded, login.failed, login.mfa_required, login.suspicious
User lifecycleuser.created, user.updated, user.deleted, user.blocked
Passworduser.password_changed, user.password_reset_requested
Role & permissionsrole.created, role.assigned, permission.changed
Organizationorganization.created, organization.member_added, organization.invitation_sent
Applicationapplication.created, application.secret_rotated
Sessionsession.created, session.revoked
Adminadmin.settings_changed, admin.user_impersonated

Example: Stream only authentication and security-relevant events:

curl -X POST https://auth.yourdomain.com/api/log-streams \ -H "Authorization: Bearer $AURIS_ACCESS_TOKEN" \ -H "x-tenant: your-tenant-id" \ -H "Content-Type: application/json" \ -d '{ "name": "Security events to Datadog", "type": "DATADOG", "config": { "apiKey": "dd-api-key-here", "site": "datadoghq.eu", "sourceTag": "auris" }, "events": [ "login.failed", "login.suspicious", "user.blocked", "user.unblocked", "user.password_changed", "session.revoked", "role.assigned", "role.unassigned" ] }'

Verifying Delivery

After creating a log stream, verify it is working:

Console Verification

  1. Go to Settings then Log Streaming
  2. Click on your stream to view its detail page
  3. The Status indicator shows whether recent deliveries succeeded
  4. The Last Delivery timestamp shows when the last batch was sent

Trigger a Test Event

Generate a test event by performing an action in the Console (e.g., creating a test user and then deleting it). Within a few seconds, the event should appear in your destination.

Check Delivery Failures

If deliveries are failing, the stream detail page shows:

  • Error message — The HTTP status code or error returned by the destination
  • Consecutive failures — How many deliveries have failed in a row
  • Last successful delivery — When the stream last worked

If a stream accumulates too many consecutive failures, Auris pauses it automatically and notifies tenant administrators. Fix the underlying issue (credentials, network, endpoint availability) and re-enable the stream from the Console.

Troubleshooting

Webhook: 401 or 403 Errors

  • Verify the signing secret matches between Auris and your endpoint
  • Ensure your endpoint does not require additional authentication headers that Auris does not send
  • Check that your server clock is synchronized (NTP) — timestamp verification fails if clocks are skewed more than 5 minutes

S3: Access Denied

  • Verify the IAM access key and secret key are correct
  • Ensure the IAM policy grants s3:PutObject on the correct bucket and prefix
  • Check that the S3 bucket exists in the specified region
  • If using a bucket policy, ensure it does not deny access from Auris’s IP range

Datadog: Events Not Appearing

  • Verify the API key is valid (test with curl -X POST "https://http-intake.logs.datadoghq.com/api/v2/logs" -H "DD-API-KEY: your-key" -d '...')
  • Ensure you selected the correct Datadog site (US, EU, US3, US5)
  • Check the Datadog Logs > Configuration > Pipeline for any processing rules that might be dropping events

Splunk: Connection Refused

  • Verify the HEC URL is correct and includes the port (typically 8088)
  • Ensure HEC is enabled in Splunk (Settings > Data Inputs > HTTP Event Collector > Global Settings)
  • Verify the HEC token is valid and has the correct index permissions
  • Check SSL certificates if using HTTPS — Auris requires a valid certificate