Audit log + SIEM webhook · Business

Every change. Every actor. Every source.

Every dashboard mutation and every v1 API call writes a row with a stable action code, structured metadata, and a dashboard / api / system source. Pipe the stream into your SIEM. Configure retention from 30 days to 10 years.

Business · Replaces: Splunk Cloud (audit ingest) · Drata audit-log connector
docs.outworx.io/settings/activity

Activity log

Every mutation across your projects, including dashboard and API actions.

Export CSV

Filters: From 2026-05-02 · To 2026-05-09 · Actor: Anyone · Search: email, slug… · Project: All projects · Category: All actions
  • Collaborator role changed · Payments API

    bob@acme.io: editor → viewer (project override)

    alice@acme.io · dashboard
  • PR preview pushed · Payments API

    PR 247 · feat/checkout-v2 · @8f3a1c0

    github-actions · apitoken
  • Visibility changed · Status API

    Now public

    alice@acme.io · dashboard
  • API token revoked

    ci-pipeline · otwx_pat

    alice@acme.io · dashboard

  • 30+ stable UPPER_SNAKE action codes
  • HMAC SHA-256 signature on every webhook
  • 30d–10y configurable per-account retention
  • CSV export endpoint for evidence dumps

Stable action codes

Pattern-match without parsing strings.

Every mutation that the dashboard or v1 API performs writes a row with a stable UPPER_SNAKE code. Human-readable labels render on top via describeEvent(), but the underlying machine-readable surface stays stable across releases.

Project lifecycle

  • PROJECT_CREATED
  • PROJECT_DELETED
  • PROJECT_VISIBILITY_CHANGED

Versions + previews

  • VERSION_PROMOTED_DEFAULT
  • PREVIEW_CREATED
  • VERSION_DEACTIVATED

Branding + theme

  • BRANDING_UPDATED
  • THEME_UPDATED
  • CUSTOMIZATION_UPDATED

Specs

  • SPEC_UPLOADED
  • SPEC_EDITED
  • SPEC_SYNCED

Collaborators

  • COLLABORATOR_INVITED
  • COLLABORATOR_ROLE_CHANGED
  • COLLABORATOR_REMOVED

API tokens

  • TOKEN_CREATED
  • TOKEN_REVOKED
  • UPLOAD_TOKEN_ROTATED

HMAC-signed webhook

One POST per row, signed and tagged.

Configure a receiver URL + secret on Settings → Audit log. Every audit row gets POSTed with three headers: the action code, an idempotency UUID, and the HMAC-SHA256 signature over the body. Datadog Logs, Splunk HEC, Honeycomb — same payload, same signature scheme.

  • `X-Outworx-Event` lets receivers route by code without parsing JSON. `X-Outworx-Delivery` is the event UUID for idempotent dedupe.

  • `X-Outworx-Signature: sha256=<hex>` — compute HMAC-SHA256 over the raw body with your stored secret. Constant-time compare, please.

  • Secret minted server-side as 32 random bytes (base64url) on save. Shown ONCE in the dashboard — same convention as personal access tokens.

5-second timeout. Failures are logged + swallowed; we never throw on a flapping receiver.

POST https://siem.acme.com/webhooks/outworx
200 OK
Content-Type: application/json
X-Outworx-Event: COLLABORATOR_ROLE_CHANGED
X-Outworx-Delivery: 2f1c0d8a-…-9b3e
X-Outworx-Signature: sha256=8a1f…c0d
User-Agent: Outworx-Audit-Webhook/1

{
  "id": "2f1c0d8a-…-9b3e",
  "account_user_id": "alice@acme.io",
  "actor_user_id": "alice@acme.io",
  "action": "COLLABORATOR_ROLE_CHANGED",
  "target_type": "collaborator",
  "target_id": "bob@acme.io",
  "project_id": "payments-api",
  "metadata": {
    "scope": "project",
    "from": "editor",
    "to": "viewer",
    "source": "dashboard"
  },
  "created_at": "2026-05-09T17:14:08.302Z"
}
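
A receiver-side check for the three headers described above, as an added example that is not Outworx's own code. It assumes the HMAC key is the secret string exactly as the dashboard displays it (the page does not say whether it is base64url-decoded first); the function names, the in-memory dedupe set and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import json

SEEN_DELIVERIES = set()  # illustration only; use a shared store with a TTL in production


def verify_signature(secret: str, raw_body: bytes, header: str) -> bool:
    """Check X-Outworx-Signature ("sha256=<hex>") against the raw request body."""
    scheme, _, sent_hex = (header or "").partition("=")
    if scheme != "sha256":
        return False
    # Assumption: the key is the secret string as displayed (UTF-8 bytes),
    # not the base64url-decoded 32 bytes.
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # Constant-time compare; encoding first means non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), sent_hex.strip().lower().encode())


def handle_delivery(secret: str, headers: dict, raw_body: bytes) -> tuple:
    """Return (http_status, outcome) for one webhook POST."""
    if not verify_signature(secret, raw_body, headers.get("X-Outworx-Signature", "")):
        return 401, "bad-signature"
    delivery = headers.get("X-Outworx-Delivery", "")
    if not delivery:
        return 400, "missing-delivery-id"
    if delivery in SEEN_DELIVERIES:
        return 200, "duplicate"  # acknowledge, but do not index the row twice
    row = json.loads(raw_body)  # parse only after the signature checks out
    if row.get("action") != headers.get("X-Outworx-Event"):
        return 400, "event-mismatch"  # the header is not covered by the signature
    SEEN_DELIVERIES.add(delivery)
    return 200, "accepted:" + row["action"]


# Constructed sample (not real data): secret, body and headers for a self-check.
SAMPLE_SECRET = "constructed-secret-not-a-real-one"
SAMPLE_BODY = b'{"id":"00000000-0000-4000-8000-000000000001","action":"TOKEN_REVOKED"}'
SAMPLE_HEADERS = {
    "X-Outworx-Event": "TOKEN_REVOKED",
    "X-Outworx-Delivery": "00000000-0000-4000-8000-000000000001",
    "X-Outworx-Signature": "sha256="
    + hmac.new(SAMPLE_SECRET.encode(), SAMPLE_BODY, hashlib.sha256).hexdigest(),
}
```

Pass the body bytes exactly as received: re-serializing parsed JSON before hashing changes whitespace or key order and makes valid deliveries fail verification.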

Per-account retention

30 days for dev. 10 years for SEC.

Set a retention window that matches your compliance framework. Default 730 days (2 years) covers SOC2 Type II. Daily prune at 03:23 UTC via pg_cron — single-statement DELETE through the indexed (account_user_id, created_at) path.

| Window | Typical use | Compliance fit |
|---|---|---|
| 30 days | Cost-conscious dev / staging accounts | Internal review only |
| 90 days | PCI DSS minimum window | PCI DSS 10.5.3 |
| 1 year | GDPR minimum + ISO 27001 | GDPR Art. 30 · ISO 27001 |
| 2 years | SOC2 Type II evidence (default) | SOC2 Type II |
| 5 years | HIPAA log retention | HIPAA 164.316(b)(2) |
| 10 years | SEC + financial industry ceilings | SEC Rule 17a-4 |

Plan tiers

Audit log is a Business-plan feature.

Free

  • No audit log writes
  • No SIEM webhook
  • Upgrade to enable

Pro

  • No audit log writes
  • No SIEM webhook
  • Upgrade to Business for SOC2 readiness

Business (most popular)

Full audit pipeline

  • Audit log on every mutation (dashboard + API)
  • SIEM webhook with HMAC-SHA256
  • 30d–10y configurable retention
  • CSV export endpoint
  • Free-text search across metadata
  • Send-test-event button to verify receiver

SOC2 evidence in one filter strip + CSV download.

Business plan unlocks the full audit pipeline for $19/month flat. Every change, every actor, every source — captured, signed, and searchable.