Atmos Pro Logo

Atmos Pro

ProductPricingDocsBlogChangelog
Create Workspace
← Back to Changelog
Feature

Audit Log Forwarding

Erik Osterman

Erik Osterman

CEO & Founder of Cloud Posse

|April 7, 2026

Older

Media Kit

Newer

Approvals Dashboard

Erik Osterman

Erik Osterman

CEO & Founder of Cloud Posse

Erik is the founder of Cloud Posse and creator of Atmos. With over a decade of experience helping teams adopt Terraform at scale, he is passionate about open-source infrastructure tooling and developer experience.

Book a Meeting
Atmos Pro Logo

Atmos Pro

The fastest way to deploy your apps on AWS with Terraform and GitHub Actions.

GitHubTwitterLinkedInYouTubeSlack

For Developers

  • Quick Start
  • Example Workflows
  • Atmos Documentation

Community

  • Register for Office Hours
  • Join the Slack Community
  • Try our Newsletter

Company

  • About Cloud Posse
  • Security
  • Pricing
  • Blog
  • Media Kit

Legal

  • SaaS Agreement
  • Terms of Use
  • Privacy Policy
  • Disclaimer
  • Cookie Policy

© 2026 Cloud Posse, LLC. All rights reserved.

Checking status...

Stream Audit Events to Your SIEM in Real-Time

Every action in your workspace — sign-ins, permission changes, drift detections, workflow dispatches — now streams to external systems the moment it happens. Configure one or more HTTPS webhook destinations and Atmos Pro delivers audit events in CloudEvents v1.0 structured content mode, ready for Splunk, Datadog, Sumo Logic, or any system that speaks HTTP.
DestinationStatusActions
Splunk SIEM
https://siem.acme-corp.com/ingest/atmos
Last delivery 2m ago
Active
Security alerts channel
https://hooks.slack.com/services/T00/B00/xxxx
Last delivery 15m ago
Active
Datadog compliance logs
https://datadog.acme-corp.com/api/v1/events
Last delivery 3d ago (failed)
Disabled

How It Works

Events are batched (up to 100 per delivery) and forwarded within seconds of being recorded. Each payload is signed with HMAC-SHA256 using a per-destination secret, so your receiving service can verify authenticity before processing. The signature is sent in the X-Webhook-Signature header alongside a stable X-Webhook-Id for deduplication.
Every event arrives as a typed CloudEvents envelope with a pro.atmos.{category}.{action} type string, making it straightforward to route events by category in your SIEM — filter on pro.atmos.billing.* for payment events, pro.atmos.workflow.* for deployment activity, or pro.atmos.team_member.* for access changes.

Managing Destinations

Webhook destinations are managed from Workspace Settings. Each destination can be independently enabled or disabled without deletion, and you can send a test event to verify connectivity before going live. Failed deliveries are retried automatically and the last delivery status is visible at a glance.
SSRF protections prevent webhooks from targeting private networks, and custom headers let you pass authentication tokens your receiving service requires — while reserved headers like Authorization and Content-Type cannot be overridden.

Automatic Retention

Audit logs are retained according to your plan's entitlement. A daily background job purges expired records automatically, so you stay within your retention window without manual intervention. Enterprise plans support extended retention periods.
Audit log forwarding is available on Enterprise plans. Visit plan options to upgrade.