Audit Log Export and Integrations

Export organization audit records and connect them to SIEM, notification, and reporting workflows.

AuthOS release 0.8.2 API v1 Latest-only documentation
Updated Jul 15, 2026 Edit this page
On this page

Exports must paginate through the complete result set needed by the use case. Protect both the AuthOS bearer token and downstream collector credentials.

Common Use Cases

Compliance Evidence Export

Scenario: Export selected records for review within a SOC 2 control program. This export is not a SOC 2 report or certification and its coverage must be validated by the operator.

# 1. Export all security events
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=100" \
  -H "Authorization: Bearer ..." | \
  jq '.logs[] | select(.category == "Security")' > security_events.json

# 2. Export all user management events
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?target_type=user" \
  -H "Authorization: Bearer ..." > user_management.json

# 3. Generate CSV report
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=1000" \
  -H "Authorization: Bearer ..." | \
  jq -r '.logs[] | [.created_at, .actor.email, .action, .target_type, .target_id, .success] | @csv' \
  > audit_report.csv

Integration Examples

Export to Splunk

#!/bin/bash
# Export audit logs to Splunk

ORG_SLUG="acme-corp"
AUTH_TOKEN="your-jwt-token"
SPLUNK_URL="https://splunk.example.com:8088/services/collector"
SPLUNK_TOKEN="your-splunk-hec-token"

# Fetch logs
logs=$(curl -s -X GET "https://sso.example.com/api/organizations/$ORG_SLUG/audit-log?limit=100" \
  -H "Authorization: Bearer $AUTH_TOKEN")

# Send to Splunk
echo "$logs" | jq -c '.logs[]' | while read log; do
  curl -X POST "$SPLUNK_URL" \
    -H "Authorization: Splunk $SPLUNK_TOKEN" \
    -d "{\"event\": $log, \"sourcetype\": \"sso_audit_log\"}"
done

Slack Notifications

// Node.js: Send critical audit events to Slack

const axios = require('axios');

const CRITICAL_EVENTS = [
  'service.deleted',
  'user.removed',
  'api_key.created',
  'api_key.deleted',
  'security.mfa.disabled'
];

async function pollAuditLogs() {
  const response = await axios.get(
    'https://sso.example.com/api/organizations/acme-corp/audit-log?limit=10',
    { headers: { Authorization: `Bearer ${process.env.SSO_JWT}` } }
  );

  for (const log of response.data.logs) {
    if (CRITICAL_EVENTS.includes(log.action)) {
      await sendSlackAlert(log);
    }
  }
}

async function sendSlackAlert(log) {
  await axios.post(process.env.SLACK_WEBHOOK_URL, {
    text: `=� Critical Action: ${log.action}`,
    attachments: [{
      color: 'danger',
      fields: [
        { title: 'Actor', value: log.actor.email, short: true },
        { title: 'Target', value: log.target_type, short: true },
        { title: 'Time', value: log.created_at, short: true },
        { title: 'IP', value: log.ip_address || 'N/A', short: true }
      ]
    }]
  });
}

// Poll every 5 minutes
setInterval(pollAuditLogs, 5 * 60 * 1000);

Python Report Generator

import requests
import csv
from datetime import datetime

SSO_API = 'https://sso.example.com'
ORG_SLUG = 'acme-corp'
AUTH_TOKEN = 'your-jwt-token'

def export_audit_logs_to_csv(output_file='audit_logs.csv'):
    """Export paginated audit records to CSV for operator review."""

    headers = {'Authorization': f'Bearer {AUTH_TOKEN}'}
    page = 1
    all_logs = []

    # Paginate through all logs
    while True:
        response = requests.get(
            f'{SSO_API}/api/organizations/{ORG_SLUG}/audit-log',
            params={'page': page, 'limit': 100},
            headers=headers
        )
        data = response.json()
        all_logs.extend(data['logs'])

        if not data['pagination']['has_next']:
            break
        page += 1

    # Write to CSV
    with open(output_file, 'w', newline='') as csvfile:
        fieldnames = ['timestamp', 'actor_email', 'action', 'target_type',
                      'target_id', 'success', 'ip_address']
        writer = csv.DictWriter(csvfile, fieldnames=fieldnames)

        writer.writeheader()
        for log in all_logs:
            writer.writerow({
                'timestamp': log['created_at'],
                'actor_email': log['actor']['email'],
                'action': log['action'],
                'target_type': log['target_type'],
                'target_id': log['target_id'],
                'success': log['success'],
                'ip_address': log.get('ip_address', 'N/A')
            })

    print(f'Exported {len(all_logs)} audit logs to {output_file}')

if __name__ == '__main__':
    export_audit_logs_to_csv()