Use the Workspace File Audit App

Set up the Workspace File Audit App to query and export file-level audit data from Domino Workspaces for compliance reporting and investigations. After enabling the service and deploying the application, explore and export audit events by user, project, and event type.

Prerequisites

Before you set up the Workspace File Audit App, verify your deployment meets these requirements:

  • AWS-based Domino deployment (on-prem or cloud)

  • Domino version 6.2 or later

  • Domino Cloud for Life Sciences(DCLS): Contact Domino Support to enable the Workspace File Audit service. Domino provisions and manages the S3 bucket for audit data storage.

  • Self-managed deployments: Enable Workspace File Audit in your deployment

Note
 Azure and GCP support will be available in future releases.

Deploy the application

Deploy the Domino-provided Workspace File Audit app from GitHub.

  1. Go to Projects > New Project, then select Import from Git and enter the repository URL:

    https://github.com/dominodatalab/Workspace-File-Audit-Application

  2. Complete the project creation and open the project.

  3. Go to Deployments > Apps & Agents > Publish > App.

  4. Configure the deployment:

    • Name and Description (example: "Workspace File Audit Query Tool").

    • Environment: Choose the latest Domino Standard Environment. If you don’t see it in your deployment, please contact your Domino administrator.

    • Code: Select start.sh as the App File

    • Hardware Tier: Medium

  5. Select Enable deep linking and query parameters then click Publish.

  6. Wait for the app status to show Running, then select Open.

Filter and export audit data

Filter workspace file audit events by date range, event type, user, project, and file path. Refine results to isolate specific activity patterns, then export data for compliance reporting or offline analysis.

Workspace File Audit App

  1. Go to Deploy > Apps > Workspace File Audit App.

  2. Set your Date Range. Choose 90 days or less and maximum: 1 year for best performance.

  3. Add optional filters:

    1. Event Type: Read, Write, Create, Delete, or Rename

    2. Username: Supports partial matches

    3. Project Name: Supports partial matches

    4. File Path: Supports partial matches and regex patterns starting with /

  4. Select Submit to run your query.

View filtered results

Results appear in two formats:

  • Events Over Time chart: Shows total event counts across your selected timeframe. Use the Breakdown By dropdown to change how results are grouped.

  • Events Details table: Shows individual events including Timestamp, User Name, Event Type, and File. Columns are sortable and searchable to quickly isolate patterns or anomalies.

Export filtered results

To export filtered results, select Export and choose CSV or Parquet format. Exports include all filtered results, not just visible rows.

Result sets over 1 million records are automatically split and packaged as a ZIP archive archive when using CSV export.

Refresh event data

The audit trail updates automatically every hour, with the last updated status shown in a label to the right.

Advanced configuration

Configure audit behavior, access raw data directly from blob storage, or customize the query application to meet specialized requirements.

Configuration records

Customize audit event capture using these configuration records:

  • Read event deduplication interval: Configures the read event de-duplication time interval. Default is 60 mins.

    • Flag: com.cerebro.domino.workspaceFileAudit.UniqueReadEventPeriodInMinutes

  • Write event deduplication interval: Configures the write event de-duplication time interval. Default is 60 mins.

    • Flag: com.cerebro.domino.workspaceFileAudit.UniqueWriteEventPeriodInMinutes

  • Tracked event types: Configures which events are tracked. Defaults are ["Read","Write","Delete","Create","Rename"].

    • Flag: com.cerebro.domino.workspaceFileAudit.TrackedEventTypes

  • Event processing frequency: Configures when the event processor runs. Default is every 60 mins.

    • Flag: com.cerebro.domino.workspaceFileAudit.eventProcessingInMinutes

For information on modifying these settings, see the Configuration records documentation.

Access raw data in S3

Processed audit events are stored as Parquet files in your read bucket. Access these records directly using your cloud provider tools or query tools like DuckDB.

Use raw data to integrate with custom BI tools or build specialized analytics platforms tailored to your organization.

Regex pattern matching

Prefix your File Name filter with a backslash (\) to use regular expressions.

For example, use \.*exampleFile\.txt$ to find all files ending with exampleFile.txt regardless of path.

Customize the app

Customize the audit query application by cloning the official Domino repository to your organization’s Git account. Create a Git-Based Project in Domino pointing to your cloned repository.

Note
 Custom modifications are not covered by Domino support. You are responsible for testing and maintaining custom changes. Periodically merge changes from the official repository into your custom branch to stay current with Domino updates.

Next Steps