Skip to main content
Audit logging requires the Audit Logging add-on. See Add-ons pricing for details.

Overview

These events track when organization administrators generate portal URLs to access WorkOS management interfaces. These are meta-events that record when admins request access to audit logging configuration—they do not track changes to log streams or audit log configurations themselves. Both events follow identical schemas and differ only in the portal type being accessed:
  • audit_logs.create_management_portal_url - Tracks portal URL generation for viewing and exporting audit logs
  • log_streams.create_management_portal_url - Tracks portal URL generation for configuring SIEM integrations and log streaming

audit_logs.create_management_portal_url

Triggered when an organization administrator generates a portal URL to access the WorkOS Audit Logs management interface.

When This Event Occurs

This event records when an admin:
  • Opens the audit logs portal from organization settings
  • Generates a URL to view, search, or export audit logs
  • Accesses the audit logs management interface for compliance review

Event Schema

action
string
required
audit_logs.create_management_portal_url
actor
object
required
The administrator accessing the audit logs portal
targets
array
required
context
object
required
metadata
object
required

Example Event

{
  "action": "audit_logs.create_management_portal_url",
  "occurredAt": "2024-11-02T19:30:00.000Z",
  "version": 1,
  "actor": {
    "type": "user",
    "id": "user_01JA2B3C4D5E6F7G8H9J0K1M",
    "name": "Jane Smith",
    "metadata": {
      "first_name": "Jane",
      "last_name": "Smith",
      "email": "[email protected]",
      "impersonator_email": "",
      "impersonator_reason": ""
    }
  },
  "targets": [
    {
      "type": "organization",
      "id": "org_01JA2B3C4D5E6F7G8H9J0K1M",
      "name": "Example Corp",
      "metadata": {
        "name": "Example Corp"
      }
    }
  ],
  "context": {
    "location": "203.0.113.42",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
  },
  "metadata": {
    "source": "/organizations/org_01JA2B3C4D5E6F7G8H9J0K1M/audit-logs"
  }
}

log_streams.create_management_portal_url

Triggered when an organization administrator generates a portal URL to access the WorkOS Log Streams management interface for SIEM integrations.

When This Event Occurs

This event records when an admin:
  • Opens the log streams portal from organization settings
  • Generates a URL to configure SIEM integrations
  • Accesses log streaming settings to connect to external security platforms (Splunk, Datadog, etc.)

Event Schema

action
string
required
log_streams.create_management_portal_url
actor
object
required
The administrator accessing the log streams portal
targets
array
required
context
object
required
metadata
object
required

Example Event

{
  "action": "log_streams.create_management_portal_url",
  "occurredAt": "2024-11-02T19:45:00.000Z",
  "version": 1,
  "actor": {
    "type": "user",
    "id": "user_01JA2B3C4D5E6F7G8H9J0K1M",
    "name": "Jane Smith",
    "metadata": {
      "first_name": "Jane",
      "last_name": "Smith",
      "email": "[email protected]",
      "impersonator_email": "",
      "impersonator_reason": ""
    }
  },
  "targets": [
    {
      "type": "organization",
      "id": "org_01JA2B3C4D5E6F7G8H9J0K1M",
      "name": "Example Corp",
      "metadata": {
        "name": "Example Corp"
      }
    }
  ],
  "context": {
    "location": "203.0.113.42",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
  },
  "metadata": {
    "source": "/organizations/org_01JA2B3C4D5E6F7G8H9J0K1M/audit-logs"
  }
}

Common Fields

Both events share the same structure and only differ in the action field. They track administrative access to audit log infrastructure rather than changes to resources.

Authorization

These events are only generated when:
  • The user has the admin role in the organization
  • The organization has the Audit Logging add-on enabled
  • The user successfully generates a WorkOS portal URL

Portal URLs

Generated portal URLs:
  • Redirect users to the WorkOS management interface
  • Are temporary and expire after use
  • Include successUrl and returnUrl parameters to return to the Centure dashboard
  • Grant access to either audit logs (view/export) or log streams (SIEM configuration)

Use Cases

Track these events to:
  • Monitor who accesses audit log management capabilities
  • Audit administrative access to compliance tools
  • Track SIEM configuration changes (via log streams portal access)
  • Detect unusual access patterns to security infrastructure