Workspace File Access events

Workspace File Access events capture file-level access activity inside Domino Workspaces. Domino tracks these events only for Domino Datasets and NetApp Volumes. Domino records Workspace lifecycle actions as system events.

Domino records these file operations:

  • Read

  • Write

  • Create

  • Delete

  • Rename

How Workspace File Access auditing works

Domino monitors file system activity inside active Workspaces and records relevant events.

Workspace audit trail diagram

File system monitoring

A Falco daemon runs alongside each workspace pod and observes file system calls. Falco monitors at the kernel level, so it captures file access consistently. This works regardless of access method: code execution, terminals, notebooks, or IDE tooling.

Deduplication

Domino deduplicates events to reduce noise and storage overhead. The system records repeated access to the same file by the same user as a single event. This deduplication uses a configurable time window. The process reduces event volumes while preserving meaningful access records. Advanced configuration has details on how to adjust deduplication settings.

Event processing and storage

The system periodically processes staged events and writes them to object storage. The pipeline:

  1. Cleans and deduplicates raw JSON events

  2. Converts JSON to Parquet format for optimized querying

  3. Archives events for long-term retention (up to 30 years)

Processing delay

Domino processes events asynchronously in scheduled batches, not in real time. The system captures and stages file system events continuously. It then processes and writes them to object storage during each run (default: every 60 minutes).

Expect a delay between when a file access event occurs and when it appears in object storage, APIs, or the Workspace File Audit App.

You can configure processing frequency with com.cerebro.domino.workspaceFileAudit.eventProcessingInMinutes. The default is 60 minutes (minimum 60, maximum 360).

Query and access

You can access events through:

  • The Workspace Audit App

  • The Audit Trail API

  • Direct object storage queries

Storage and retention

Storage location and retention depend on your deployment type:

Deployment typeStorage locationWho managesRetention

Customer-managed

Customer-owned object storage

Customer

Customer sets policy

Domino Cloud

Domino-owned object storage

Domino

30 years

Domino Cloud for Life Sciences (DCLS)

Customer-owned S3

Domino

30 years

Performance considerations

Enabling Workspace File Access events adds processing overhead to active workspaces. Based on Domino performance testing, enabling file access auditing typically adds:

  • ~ 15 percent CPU usage

  • ~ 10 percent memory usage

Workloads with heavy workspace usage or high file I/O may see higher overhead. Plan for larger hardware tiers if you enable this feature.

How hardware sizing is determined

These estimates come from Domino scale and performance testing of the full audit pipeline, including kernel level event capture, event ingestion, and audit record processing. Customers should plan for slightly larger hardware tiers when this feature is enabled.

Monitoring and alerting

In cloud deployments, Domino’s platform team monitors the Workspace Audit pipeline and manages all underlying audit infrastructure alerts on your behalf.

To monitor the health and activity of your own workloads, go to /grafana-workload.

If you suspect audit events are delayed or dropped

Contact Domino Support. Provide the approximate time the issue began and any relevant workspace details.

Normal audit capture resumes after Domino resolves the issue.

Next steps