Audit Export
The audit export feature streams audit events from your Optimaite workspace to an external destination -- either a webhook endpoint (for SIEM integration) or an S3-compatible bucket (for long-term archival).
How It Works
- A user performs an action in Optimaite (e.g., opens a document, changes a setting, exports data)
- The system generates a structured audit event
- The event is delivered to your configured destination with a cryptographic signature
Destinations
Webhook (SIEM)
Events are sent as POST requests to your endpoint in real time. Each request includes an X-Optimaite-Signature header for verification.
Example event:
{
  "event_id": "evt_01HXYZABCDEF",
  "timestamp": "2026-05-22T10:30:00Z",
  "action": "document.opened",
  "actor": {
    "user_id": "usr_01ABCDEFG",
    "email": "jane@example.com",
    "ip_address": "203.0.113.42"
  },
  "resource": {
    "type": "document",
    "id": "doc_01ABCDEF",
    "name": "Contract_v2.docx"
  },
  "tenant_id": "ten_01ABCDEFG"
}
S3-Compatible Storage
Events are batched and written as JSONL files to your bucket (AWS S3, MinIO, Google Cloud Storage).
- Path pattern: s3://bucket/optimaite-audits/{tenant_id}/{date}/{batch_id}.jsonl
- Batch frequency: Every 5 minutes or when 1,000 events accumulate (whichever comes first)
Event Types
| Category | Actions |
|---|---|
| Documents | document.opened, document.created, document.deleted, document.exported, document.shared |
| Users | user.login, user.logout, user.invited, user.role_changed |
| Settings | settings.updated, settings.api_key_rotated |
| Security | security.mfa_enabled, security.sso_configured, security.audit_export_created |
Error Handling and Retries
- Webhook: Failed deliveries are retried up to 3 times with exponential backoff (30s, 5m, 30m)
- S3: Failed uploads are retried with the next batch
- If a destination is consistently failing, it is automatically paused and the admin is notified
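On the consuming side, a JSONL batch from the bucket can be checked before it is loaded into a SIEM. The Python below is an added example, not Optimaite's own code: it parses the object key against the path pattern above, rejects events whose tenant_id does not match the key prefix, drops repeated event_id values, and flags a subset of actions from the Event Types table. Assumptions: the function names and REVIEW_ACTIONS selection are hypothetical, {date} is treated as an opaque path segment, and a retried upload is assumed able to repeat events.

```python
import json
from collections import Counter
# Actions from the Event Types table singled out for review (selection is an assumption).
REVIEW_ACTIONS = {"document.exported", "document.shared", "document.deleted",
                  "user.role_changed", "settings.api_key_rotated",
                  "security.audit_export_created"}
REQUIRED = ("event_id", "timestamp", "action", "actor", "resource", "tenant_id")

def tenant_from_key(key):
    """Pull {tenant_id} out of optimaite-audits/{tenant_id}/{date}/{batch_id}.jsonl."""
    parts = key.split("/")
    if len(parts) != 4 or parts[0] != "optimaite-audits" or not parts[3].endswith(".jsonl"):
        raise ValueError(f"unexpected object key: {key!r}")
    return parts[1]

def process_batch(key, body, seen_ids):
    """Return (accepted, flagged, rejects) for one batch; seen_ids persists across batches."""
    tenant = tenant_from_key(key)
    accepted, flagged, rejects = [], [], Counter()
    for line in filter(str.strip, body.splitlines()):  # skip blank lines
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            rejects["malformed"] += 1
            continue
        if not isinstance(event, dict) or any(f not in event for f in REQUIRED):
            rejects["missing_field"] += 1
        elif event["tenant_id"] != tenant:
            rejects["tenant_mismatch"] += 1  # event filed under another tenant's prefix
        elif event["event_id"] in seen_ids:
            rejects["duplicate"] += 1  # assumed possible after a retried upload
        else:
            seen_ids.add(event["event_id"])
            accepted.append(event)
            if event["action"] in REVIEW_ACTIONS:
                flagged.append(event)
    return accepted, flagged, rejects

def _ev(eid, action, tenant="ten_01ABCDEFG"):
    return json.dumps({"event_id": eid, "timestamp": "2026-05-22T10:30:00Z", "action": action,
                       "actor": {}, "resource": {}, "tenant_id": tenant})

# Constructed sample batch: a duplicate, a foreign-tenant event and a truncated line.
SAMPLE_KEY = "optimaite-audits/ten_01ABCDEFG/2026-05-22/batch_0001.jsonl"
SAMPLE_BODY = "\n".join([
    _ev("evt_1", "document.opened"), _ev("evt_2", "settings.api_key_rotated"),
    _ev("evt_2", "settings.api_key_rotated"), _ev("evt_3", "user.login", "ten_OTHER"),
    '{"event_id": "evt_4", "action":'])
print(process_batch(SAMPLE_KEY, SAMPLE_BODY, set())[2])
```

Keep seen_ids in durable storage between runs so that an event repeated in a later batch is still recognised.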
Next Steps
- Document Ingestion -- Inbound document uploads
- SCIM Provisioning -- User provisioning