Skip to main content
Send organization audit events to an external log collector over HTTPS. You must be an organization administrator to configure the endpoint.

Connect a log collector

1

Open organization settings

Open the workspace menu, select Organization, then open Audit Logs under Settings.
2

Connect the endpoint

Click Connect and enter the HTTPS URL that accepts your audit events.
Connect an organization audit webhook
3

Configure the request

Add any headers your collector requires. You can also merge custom JSON into every event, wrap the payload under a key such as event, and control TLS certificate verification.
4

Save and verify delivery

Click Save changes, then confirm that your collector receives an organization_setting event with a SUCCESS status.

Request options

OptionBehavior
Audit webhook URLReceives each event as a JSON POST request.
Custom headersAdds static headers to every request. Header names are case-insensitive.
Custom payloadMerges a JSON object into every event. Custom keys replace matching default keys.
Payload attributeWraps the complete payload under the configured key.
Verify SSL certificateVerifies the endpoint certificate. Disable this only for a trusted endpoint that uses a private or self-signed certificate.
Tracecat encrypts the webhook URL, custom headers, and custom payload at rest. Choose custom payload keys that do not overlap default fields unless you intend to replace them.

Event payload

An audit event contains the actor, affected resource, action, result, and scope.
{
  "organization_id": "00000000-0000-4000-8000-000000000001",
  "workspace_id": "00000000-0000-4000-8000-000000000002",
  "actor_type": "USER",
  "actor_id": "00000000-0000-4000-8000-000000000003",
  "actor_label": "avery@example.com",
  "ip_address": "192.0.2.10",
  "resource_type": "workflow",
  "resource_id": "00000000-0000-4000-8000-000000000004",
  "action": "update",
  "status": "SUCCESS",
  "data": null,
  "created_at": "2026-01-15T14:03:12.123456Z"
}
FieldDescription
organization_idOrganization that owns the event.
workspace_idWorkspace that owns the resource, when applicable.
actor_typeUSER or SERVICE_ACCOUNT.
actor_idID of the user or service account that performed the action.
actor_labelUser email or service account name, when available.
ip_addressSource IP address, when available.
resource_typeType of resource affected by the action.
resource_idID of the affected resource, when available.
actionOperation performed on the resource.
statusATTEMPT, SUCCESS, or FAILURE.
dataAdditional event-specific context, when available.
created_atUTC timestamp for the event.
Most audited changes emit an ATTEMPT event followed by SUCCESS or FAILURE. Your endpoint should return a successful response within 10 seconds; delivery failures do not block the audited action.

Update or disconnect the endpoint

Return to Organization → Audit Logs to update the request settings. Click the disconnect button to stop sending new organization audit events.
  • See Security for deployment hardening guidance.