Workspace File Access events

Workspace File Access events capture file-level access activity inside Domino Workspaces. Domino tracks these events only for Domino Datasets and NetApp Volumes. Domino records Workspace lifecycle actions as system events.

Domino records these file operations:

  • Read

  • Write

  • Create

  • Delete

  • Rename

How Workspace File Access auditing works

Domino monitors file system activity inside active Workspaces and records relevant events.

[Figure: Workspace audit trail diagram]

File system monitoring

A Falco daemon runs alongside each workspace pod and observes file system calls. Falco monitors at the kernel level, so it captures file access consistently. This works regardless of access method: code execution, terminals, notebooks, or IDE tooling.

Deduplication

Domino deduplicates events to reduce noise and storage overhead. The system records repeated access to the same file by the same user as a single event. This deduplication uses a configurable time window. The process reduces event volumes while preserving meaningful access records. See Advanced configuration for details on how to adjust deduplication settings.

Event processing and storage

The system periodically processes staged events and writes them to object storage. The pipeline:

  1. Cleans and deduplicates raw JSON events

  2. Converts JSON to Parquet format for optimized querying

  3. Archives events for long-term retention (up to 30 years)
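The clean-and-deduplicate step and the time-window behavior described under Deduplication, as an added sketch (not Domino's code) that shows what an auditor does and does not see after repeats are collapsed. The field names (`ts`, `user`, `path`, `op`), the sample events, the `collapsed` counter, the inclusion of the operation in the deduplication key, and a window anchored at the first kept event are all assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed staged events (JSON lines). Field names and paths are hypothetical.
RAW_EVENTS = """\
{"ts": "2024-05-01T10:00:00+00:00", "user": "alice", "path": "/data/trial/a.csv", "op": "Read"}
{"ts": "2024-05-01T10:00:20+00:00", "user": "alice", "path": "/data/trial/a.csv", "op": "Read"}
{"ts": "2024-05-01T10:00:25+00:00", "user": "bob", "path": "/data/trial/a.csv", "op": "Read"}
{"ts": "2024-05-01T10:00:30+00:00", "user": "alice", "path": "/data/trial/a.csv", "op": "Delete"}
truncated-line-that-is-not-json
{"ts": "2024-05-01T10:02:00+00:00", "user": "alice", "path": "/data/trial/a.csv", "op": "Read"}
{"ts": "2024-05-01T10:02:30+00:00", "user": "alice", "op": "Read"}
"""

def clean(raw):
    """Parse JSON lines; reject lines that are malformed or lack a required field."""
    events, rejected = [], 0
    for line in raw.splitlines():
        try:
            obj = json.loads(line)
            ev = {k: obj[k] for k in ("ts", "user", "path", "op")}
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            rejected += 1  # count rejects so data loss is visible, not silent
            continue
        events.append(ev)
    return events, rejected

def deduplicate(events, window_seconds):
    """Keep one record per (user, path, op) per window, counting collapsed repeats."""
    window = timedelta(seconds=window_seconds)
    open_window = {}  # key -> kept record that started the current window
    kept = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["path"], ev["op"])
        first = open_window.get(key)
        if first is not None and ev["ts"] - first["ts"] < window:
            first["collapsed"] += 1  # repeat inside the window: fold into first record
            continue
        record = dict(ev, collapsed=0)
        open_window[key] = record
        kept.append(record)
    return kept

if __name__ == "__main__":
    events, rejected = clean(RAW_EVENTS)
    print(f"parsed={len(events)} rejected={rejected}")
    for r in deduplicate(events, window_seconds=60):
        print(r["ts"].isoformat(), r["user"], r["op"], r["path"], "collapsed:", r["collapsed"])
```

Widening the window from 60 to 300 seconds folds the 10:02:00 read into the first record, so a longer window trades timeline detail for volume; keying on the operation keeps the Delete visible in both cases.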

Processing delay

Domino processes events asynchronously in scheduled batches, not in real time. The system captures and stages file system events continuously. It then processes and writes them to object storage during each run (default: every 60 minutes).

Expect a delay between when a file access event occurs and when it appears in object storage, APIs, or the Workspace File Audit App.

You can configure processing frequency with com.cerebro.domino.workspaceFileAudit.eventProcessingInMinutes. The default is 60 minutes (minimum 60, maximum 360).

Query and access

You can access events through:

  • The Workspace Audit App

  • The Audit Trail API

  • Direct object storage queries

Storage and retention

Storage location and retention depend on your deployment type:

| Deployment type | Storage location | Who manages | Retention |
|---|---|---|---|
| Customer-managed | Customer-owned object storage (S3, Azure Blob, or GCS) | Customer | Customer sets policy |
| Domino Cloud | Domino-owned object storage | Domino | 30 years |
| Domino Cloud for Life Sciences (DCLS) | Customer-owned S3 | Domino | 30 years |

Performance considerations

Enabling Workspace File Access events adds processing overhead to active workspaces. Based on Domino performance testing, enabling file access auditing typically adds:

  • ~ 15 percent CPU usage

  • ~ 10 percent memory usage

Workloads with heavy workspace usage or high file I/O may see higher overhead. Plan for larger hardware tiers if you enable this feature.

How hardware sizing is determined

These estimates come from Domino scale and performance testing of the full audit pipeline, including kernel-level event capture, event ingestion, and audit record processing. Customers should plan for slightly larger hardware tiers when this feature is enabled.

Monitoring and alerting

Important
Enable Grafana alerting before you enable Workspace File Access auditing.

Two components are critical for audit data integrity:

  • Falco: Captures file system events

  • Workspace Audit service: Processes and stores events

Monitor for these failure conditions:

  • Falco drops events due to resource pressure

  • Workspace Audit service fails to process events

If alerts fire

An alert means audit events may be delayed or dropped. To resolve:

  • Increase CPU or memory for affected workspaces or services

  • Restart or recover the affected audit components

  • Verify event flow returns to normal

Normal audit capture resumes after the alert clears.

Next steps