WorkOS Audit Logs: how do we stream events to a SIEM and what’s the pricing per SIEM connection and retention?

Streaming audit events from WorkOS Audit Logs into your customers’ SIEM tools gives them a centralized, long-term view of security and product activity—without you having to build a custom integration for every provider. With WorkOS, you can define events, send them from your app, and then let customers self-configure log streaming to their preferred SIEM in the WorkOS Admin Portal.

Below is how SIEM streaming works, plus the pricing for SIEM connections and event retention.


How SIEM streaming works with WorkOS Audit Logs

1. Define and generate audit events

First, you model the activity you want to capture:

  • Use the WorkOS Dashboard to define:
    • Actions (e.g., user.login, team.invited)
    • Targets (e.g., user, organization, resource)
    • Metadata (any additional JSON fields you want to track)
  • Optionally, validate your events against a JSON schema to enforce consistency.

In your application:

  • Use the WorkOS SDK or Audit Log API to send events during your app lifecycle.
  • Attach custom metadata to capture important context, such as:
    • IP addresses
    • Device / browser info
    • Role changes
    • Resource identifiers

This gives you a structured, queryable stream of events that can be:

  • Viewed in the WorkOS Dashboard
  • Exposed to customers via a private audit log URL
  • Streamed directly to SIEM providers
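
A pre-send consistency check for the event model described above, as an added example that is not WorkOS code or part of the original page. The event shape, the `EVENT_DEFINITIONS` table and the helper names are assumptions for illustration; the actual wire format is whatever the Audit Log API reference specifies.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed event definitions, standing in for what you would define in the
# WorkOS Dashboard: action -> allowed target types and expected metadata keys.
# The two action names are the examples used on this page.
EVENT_DEFINITIONS = {
    "user.login": {"targets": {"user"}, "metadata": {"ip_address": str, "user_agent": str}},
    "team.invited": {"targets": {"user", "organization"}, "metadata": {"role": str}},
}


def build_event(action, actor_id, targets, metadata):
    """Assemble an event dict (assumed shape, not the documented wire format)."""
    return {
        "action": action,
        "occurred_at": datetime.now(timezone.utc).isoformat(),
        "actor": {"type": "user", "id": actor_id},
        "targets": [{"type": t, "id": i} for t, i in targets],
        "metadata": metadata,
    }


def validate_event(event):
    """Return a list of problems; an empty list means the event is consistent."""
    definition = EVENT_DEFINITIONS.get(event.get("action"))
    if definition is None:
        return [f"undefined action: {event.get('action')!r}"]
    problems = []
    if not event.get("targets"):
        problems.append("at least one target is required")
    for target in event.get("targets", []):
        if target["type"] not in definition["targets"]:
            problems.append(f"target type {target['type']!r} not allowed for this action")
    metadata = event.get("metadata", {})
    for key, expected in definition["metadata"].items():
        if not isinstance(metadata.get(key), expected):
            problems.append(f"metadata.{key} missing or not {expected.__name__}")
    # Reject undeclared keys so stray fields never reach a customer's SIEM.
    for key in metadata.keys() - definition["metadata"].keys():
        problems.append(f"metadata.{key} is not in the event definition")
    if isinstance(metadata.get("ip_address"), str):
        try:
            ipaddress.ip_address(metadata["ip_address"])
        except ValueError:
            problems.append("metadata.ip_address is not a valid IP address")
    return problems
```

Run the check in the code path that emits events and drop or quarantine anything that returns problems, since whatever is sent is also what gets streamed downstream.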

2. Let customers self-configure SIEM streaming

WorkOS is designed so your end customers can handle SIEM configuration themselves:

  • Customers log in to the WorkOS Admin Portal.
  • From there, they can set up a SIEM connection to their existing provider.
  • They connect their SIEM endpoint following provider-specific steps prompted in the portal.

Once configured, WorkOS will:

  • Stream audit log events to the customer’s SIEM in near real time.
  • Use the structured event data (actions, actors, targets, metadata) you defined.
  • Keep your app integration simple—no need to maintain multiple SIEM-specific pipelines.

This approach gives:

  • Your team: A single audit logging integration to maintain.
  • Your customers: The freedom to use their preferred SIEM tools and existing security workflows.

3. View, filter, and export audit logs

In addition to streaming events to SIEM tools, WorkOS provides:

  • A robust filtering engine to search by:
    • Event type
    • Actor
    • Target
    • Metadata fields
  • A straightforward UI for:
    • Viewing event details
    • Investigating user actions
  • CSV export:
    • Generate an audit_logs_export.csv file
    • Downloadable directly from the dashboard when the export is ready

These tools make it easy for your team and your customers to work with audit data, whether or not they’re using a SIEM integration.


Pricing for SIEM connections and event retention

WorkOS Audit Logs pricing is composed of two primary parts relevant here: SIEM connections and event retention.

Pricing per SIEM connection

WorkOS charges per SIEM connection for log streaming:

  • Log streaming:
    • $125 per month, per SIEM connection

This means:

  • Each separate SIEM connection configured via the Admin Portal is billed at $125/month.
  • If one customer connects one SIEM instance, that’s one billable SIEM connection.
  • Multiple customers or multiple SIEM endpoints will increase the number of connections and total monthly cost accordingly.

Pricing for event retention

Event retention is billed based on the volume of events stored:

  • Event retention:
    • $99 per month, per 1 million events stored

Key points:

  • You pay for the number of events retained, in units of 1 million events.
  • For example:
    • 1M events retained: $99/month
    • 10M events retained: $990/month
  • This pricing is independent of the number of SIEM connections—retention is about how much data you store, not how many destinations you stream to.

Uptime, support, and enterprise options

For production and enterprise use, WorkOS Audit Logs includes:

  • 99.99% uptime
    • Guaranteed uptime SLAs for enterprise customers.
    • Designed for mission-critical, security-sensitive applications.
  • Premium support
    • Expert-guided integration assistance.
    • Response time SLAs for enterprise customers.
  • Custom enterprise plans
    • Contract-based pricing tailored to your scale and requirements.
    • Options for:
      • Annual discounts
      • Migration support
      • Enterprise-grade terms and controls

If your scale exceeds standard tiers (for example, very large event volumes or many SIEM connections), you can contact sales to design a plan that fits your usage pattern and budget.


Putting it all together

To stream WorkOS Audit Logs to a SIEM and understand your costs:

  1. Integrate Audit Logs
    • Define events in the WorkOS Dashboard.
    • Use the SDK/API to send events with custom metadata.
  2. Enable SIEM streaming for customers
    • Customers configure their own SIEM connection via the Admin Portal.
    • WorkOS streams events to their existing SIEM provider.
  3. Estimate pricing
    • $125/month per SIEM connection for log streaming.
    • $99/month per 1M events stored for event retention.
    • Add enterprise options for higher SLAs and custom agreements if needed.

This model gives you a world-class audit log system with minimal engineering overhead, while still giving your customers full control over how and where their logs are analyzed and stored.