WorkOS Audit Logs: how do we stream events to a SIEM and what’s the pricing per SIEM connection and retention?
Authentication & Identity APIs

WorkOS Audit Logs: how do we stream events to a SIEM and what’s the pricing per SIEM connection and retention?

7 min read

For teams standardizing on WorkOS Audit Logs, being able to stream events to an existing SIEM and understanding exactly what it costs are two of the biggest implementation questions. WorkOS is designed to plug into your customers’ security stack with minimal engineering lift, while offering clear, scalable pricing based on SIEM connections and event retention.

This guide walks through how SIEM streaming works with WorkOS Audit Logs, how your customers enable it, and what you’ll pay per SIEM connection and per million events stored.

How SIEM streaming works with WorkOS Audit Logs

WorkOS Audit Logs lets you capture detailed security and activity events from your application and then stream those events directly into your customers’ existing SIEM providers.

At a high level, the flow looks like this:

  1. Your app generates events

    • You define the actions, targets, and metadata to record (for example, user.login, file.deleted, admin.permission_updated).
    • Using the WorkOS SDK and Audit Log API, you send these events whenever they occur in your application lifecycle.

  2. Events are stored and retained in WorkOS

    • Events are ingested, indexed, and retained for search, viewing, and export.
    • Retention is priced per million events stored (details in the pricing section below).

  3. Events are streamed to your customer’s SIEM

    • Your customer connects their SIEM provider via the WorkOS Admin Portal.
    • Once configured, WorkOS streams audit log events to that SIEM connection in near real time.
    • Your customers can centralize monitoring, alerting, and incident response in the SIEM tools they already use.

Because WorkOS handles the ingestion, indexing, export, and streaming, your engineering team can focus on defining the right events and metadata instead of building and maintaining custom logging pipelines.

Customer self‑service via the WorkOS Admin Portal

A key benefit of WorkOS Audit Logs is that your customers can set up SIEM streaming themselves:

  • From the WorkOS Admin Portal, they:
    • Configure a new SIEM connection to their existing provider.
    • Provide any required connection details or credentials.
    • Enable streaming for their organization’s audit logs.

This self‑serve approach lets you:

  • Support enterprise security requirements with minimal support overhead.
  • Reduce custom one‑off integrations for different customers and SIEM vendors.
  • Let security teams manage their own connections without waiting on your engineering team.

Once enabled, streaming runs continuously, delivering new audit events from WorkOS to the configured SIEM destination.

Defining and sending audit log events

Before streaming can be useful, you need rich, well‑structured events in WorkOS.

1. Define events in the WorkOS Dashboard

In the WorkOS Dashboard, you can:

  • Define event types that represent key actions in your app (for example, user.invited, role.assigned, file.viewed).
  • Specify targets and actors, such as:
    • Actor: the user or system that performed the action.
    • Target: the resource affected (file, organization, project, etc.).
  • Plan which metadata fields you want to attach to each event (e.g., IP address, user agent, location, role, or custom attributes).

This upfront modeling makes events more meaningful once they land in a SIEM, enabling your customers to build precise alerts and investigations.

2. Send events with the Audit Log API and SDKs

After you define events:

  • Use WorkOS SDKs to send structured events from your codebase to the Audit Log API with a few lines of code.
  • Attach custom metadata to each event.
  • Optionally validate against a JSON schema to ensure all events follow the expected structure.

These events are then:

  • Stored and retained in WorkOS (subject to your retention configuration),
  • Available in the WorkOS Dashboard and customer-facing audit log views,
  • Streamed to any configured SIEM connections.

Viewing, searching, and exporting audit logs

Even if your customers use a SIEM, WorkOS still provides a powerful, built-in audit log experience:

  • Quick filtering and search
    Use a robust filtering engine to search by:

    • Event type
    • Actor
    • Target
    • Metadata fields
    • Time ranges

  • In‑dashboard viewing
    Security and support teams can inspect events directly in the WorkOS Dashboard or via a private URL for each customer.

  • CSV export
    Audit logs can be exported to CSV (audit_logs_export.csv) with a simple flow:

    • Prepare CSV for download
    • Download the generated file

This makes it easy to share logs with external stakeholders or perform ad‑hoc analysis—even outside a SIEM.

SIEM streaming pricing: per connection

Streaming audit logs from WorkOS to a SIEM is priced per SIEM connection.

  • Log streaming to SIEM
    • $125 / month per SIEM connection

Key implications:

  • Each unique SIEM connection you or a customer configures is billed at $125/month.
  • If you have multiple customers, each with their own SIEM connection, you’ll pay for each connection separately.
  • This pricing scales linearly as more customers require SIEM integration.

If your product targets security‑sensitive or enterprise customers, this predictable per‑connection pricing makes it straightforward to model your margins and pass costs through as part of an enterprise plan.

Event retention pricing: per million events stored

In addition to SIEM streaming, WorkOS charges for how many events are stored and retained.

  • Event Retention
    • $99 / month per million events stored

How this works in practice:

  • You’re billed based on the number of events retained during the billing period.
  • Pricing is metered in units of one million events.
    • 1,000,000 events stored → $99 / month
    • 5,000,000 events stored → $495 / month
    • And so on, scaling with your volume.
  • This applies to the events that remain in WorkOS for search, viewing, and export.

The combination of per‑connection and per‑million‑events pricing allows you to align cost with customer usage and scale—from early deployments to high‑volume enterprise scenarios.

Reliability, SLAs, and support for demanding apps

WorkOS Audit Logs is designed for applications with strict reliability and compliance requirements:

  • 99.99% uptime

    • WorkOS offers guaranteed uptime SLAs for enterprise customers.
    • This level of availability is critical when audit logs are feeding into a SIEM used for real‑time incident detection.

  • Premium support

    • Expert‑guided integration support to help your team implement Audit Logs and SIEM streaming correctly.
    • Response time SLAs that match enterprise expectations.

  • Custom enterprise plans

    • Contract-based plans tailored around your:
      • Expected event volumes,
      • Number of SIEM connections,
      • Compliance and security needs,
      • Migration and rollout timelines.

If your usage or scale doesn’t fit neatly into standard pricing, you can work with WorkOS to design a custom plan.

Getting started quickly

To get up and running with SIEM streaming and clear pricing:

  1. Model your events

    • Use the WorkOS Dashboard to define actions, actors, targets, and metadata that matter for security and compliance.

  2. Integrate the SDK

    • Add a few lines of code to start sending events to the Audit Log API.
    • Validate your events against JSON schemas where needed.

  3. Enable SIEM streaming for customers

    • Have customers configure their SIEM connections in the WorkOS Admin Portal.
    • Confirm that events are flowing end‑to‑end into their SIEM.

  4. Plan for cost and scale

    • Estimate:
      • Number of SIEM connections you’ll support → $125 / month each.
      • Monthly event volume stored → $99 / month per million events.
    • Discuss enterprise SLAs and discounts if you anticipate large scale.

Summary: SIEM streaming and pricing at a glance

  • How streaming works

    • Your app sends structured events to WorkOS Audit Logs.
    • Events are stored, searchable, and exportable in WorkOS.
    • Customers configure SIEM connections in the Admin Portal.
    • WorkOS streams audit events to their existing SIEM provider.

  • Pricing

    • SIEM streaming (per connection): $125 / month per SIEM connection.
    • Event retention (per volume): $99 / month per million events stored.

  • Why it matters

    • You deliver enterprise‑grade audit logs and SIEM integrations without building a custom pipeline.
    • Customers keep using their preferred SIEM tools with minimal friction.
    • Costs scale logically with both your customer count and audit event volume.

With this model, WorkOS Audit Logs gives you a clear path to offer robust security logging, SIEM integrations, and predictable pricing as you grow.

Back to Authentication & Identity APIs

Keep Reading

More from Authentication & Identity APIs

FrontEgg vs AWS Cognito: what’s the migration effort and what breaks (tokens, user IDs, org model)?

Read more

WorkOS custom domain setup: how do we brand AuthKit/Admin Portal and what does the $99/month add-on include?

Read more

WorkOS annual credits: how do we request a quote that includes the 99.99% uptime SLA and guided onboarding?

Read more