Continuously Export Audit Logs
Continuously export audit logs from Mondoo to Google Cloud Storage in OCSF format for long-term retention, SIEM ingestion, or compliance evidence.
Mondoo can continuously export your audit logs to Google Cloud Storage (GCS) in OCSF (Open Cybersecurity Schema Framework) v1.5.0 format. Once configured, exports run automatically on a recurring schedule, delivering new audit events as JSONL files to a GCS bucket.
Common reasons to set up a continuous audit log export:
- SIEM and security analytics. Feed Mondoo audit events into Splunk, Chronicle, Elastic, or another SIEM that ingests OCSF-formatted data from GCS.
- Compliance evidence. Maintain an immutable record of administrative events in your own storage for audit readiness.
- Long-term retention. Keep audit history beyond Mondoo's built-in retention window.
- Correlation. Join Mondoo events with logs from other systems in a central data lake.
How it works
You create an audit log export integration scoped to a platform, organization, or space:
| Scope | What is exported |
|---|---|
| Platform | All audit events across every organization and space |
| Organization | Audit events for the organization and all spaces within it |
| Space | Audit events for that space only |
After creation, Mondoo runs the export on a recurring interval (default: every 60 minutes, minimum: every 5 minutes). Each run picks up only events that are new since the last successful export, using an internal watermark to track progress. Files are written as JSONL (one OCSF event per line) with deterministic, non-overlapping filenames so that retries are safe and idempotent.
On the very first run you can optionally include all historical audit logs. If you don't enable this option, the export starts from the current point in time and only captures new events going forward.
Requirements
- A Google Cloud project with a GCS bucket. See the Google Cloud Storage documentation for setup.
- A GCP service account with the Storage Object Creator role (
roles/storage.objectCreator) on the target bucket. - One of the following authentication methods:
- Workload Identity Federation (WIF) (recommended because it requires no stored credentials), or
- A service account key (JSON).
- Owner access to the Mondoo organization (or platform, depending on the scope you want).
Set up GCP authentication
Mondoo supports two ways to authenticate with GCP. Choose one:
-
Workload Identity Federation (WIF) eliminates the need to store and rotate service account keys. Mondoo authenticates to GCP using short-lived OIDC tokens that GCP validates and exchanges for temporary credentials. This is the recommended approach.
-
Service account key uses a static JSON key file. This is simpler to set up but requires you to securely store and regularly rotate the key.
Workload Identity Federation (recommended)
The GCP-side WIF setup (creating a service account, Workload Identity Pool, and OIDC provider for Mondoo) is the same as for other Mondoo GCS-based integrations. Follow Steps 1 through 4 in the Export Data to Google BigQuery guide, with these differences:
- In Step 1, grant the service account the Storage Object Creator role (
roles/storage.objectCreator) instead of the BigQuery roles. - You do not need a BigQuery dataset. Skip any BigQuery-specific instructions.
After completing Steps 1–4 you should have:
- A GCP service account email (for example,
mondoo-audit-export@PROJECT_ID.iam.gserviceaccount.com) - A WIF audience URL (for example,
https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID)
You'll use both values when creating the integration in Mondoo.
After creating the integration (next section), you must also complete Steps 6 and 7 from the BigQuery guide. Copy the computed WIF subject from the Mondoo response and authorize it to impersonate the GCP service account. The integration will not work until this binding is in place.
Service account key
-
Create a GCP service account and grant it the Storage Object Creator role (
roles/storage.objectCreator) on the target bucket. For instructions, read Creating and managing service accounts in the Google documentation. -
Create a JSON key for the service account. For instructions, read Create and manage service account keys in the Google documentation. Save the JSON file. You'll need it when creating the integration.
Create the integration
This integration is not available in the Mondoo App UI. Use the GraphQL API or Terraform provider to create it.
Use the mondoo_integration_audit_log_export resource from the Mondoo Terraform provider.
With WIF:
resource "mondoo_integration_audit_log_export" "example" {
org_id = "your-mondoo-org-id"
name = "Audit Log Export to GCS"
bucket = "my-audit-log-bucket"
include_historical = false
wif_audience = "https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
wif_service_account_email = "mondoo-audit-export@PROJECT_ID.iam.gserviceaccount.com"
}With a service account key:
resource "mondoo_integration_audit_log_export" "example" {
org_id = "your-mondoo-org-id"
name = "Audit Log Export to GCS"
bucket = "my-audit-log-bucket"
include_historical = false
service_account_json = file("path/to/service-account-key.json")
}For a complete example that provisions the GCS bucket, service account, WIF binding, and the Mondoo integration together, see the Terraform provider documentation.
Platform-level export: Use scope_mrn instead of org_id:
resource "mondoo_integration_audit_log_export" "platform" {
scope_mrn = "//platform.api.mondoo.app"
name = "Platform Audit Log Export"
bucket = "my-audit-log-bucket"
# ... authentication fields
}Use the createClientIntegration mutation. You need an API token with Owner access to the target scope.
EU region
Replace https://api.mondoo.com/query with https://eu.api.mondoo.com/query if your organization
is in the EU region.
With WIF:
mutation {
createClientIntegration(
input: {
scopeMrn: "//captain.api.mondoo.app/organizations/YOUR_ORG_ID"
name: "Audit Log Export to GCS"
type: AUDIT_LOG_EXPORT
longLivedToken: false
configurationOptions: {
auditLogExportConfigurationOptions: {
bucket: "my-audit-log-bucket"
includeHistorical: false
wifAudience: "https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
wifServiceAccountEmail: "mondoo-audit-export@PROJECT_ID.iam.gserviceaccount.com"
}
}
}
) {
integration {
mrn
configurationOptions {
... on AuditLogExportConfigurationOptions {
bucket
format
intervalMinutes
wifSubject
wifAudience
}
}
}
}
}The response includes a computed wifSubject value. Use it to complete the WIF binding in GCP (see the authentication section above).
With a service account key:
mutation {
createClientIntegration(
input: {
scopeMrn: "//captain.api.mondoo.app/organizations/YOUR_ORG_ID"
name: "Audit Log Export to GCS"
type: AUDIT_LOG_EXPORT
longLivedToken: false
configurationOptions: {
auditLogExportConfigurationOptions: {
bucket: "my-audit-log-bucket"
includeHistorical: false
serviceAccountJson: "{...your service account JSON...}"
}
}
}
) {
integration {
mrn
configurationOptions {
... on AuditLogExportConfigurationOptions {
bucket
format
intervalMinutes
}
}
}
}
}Platform-level export: Use //platform.api.mondoo.app as the scopeMrn.
After creation, the first export runs immediately. If the integration status becomes active, the setup is working correctly. If it shows error, check the error message and verify your GCP authentication setup.
Manage the integration
You can manage an existing audit log export integration through the GraphQL API or Terraform:
- Check the status.
activemeans the integration is healthy and exporting on schedule.errormeans the last export failed. Check the error message for details. - Pause and resume. Pause the integration to temporarily stop exports without deleting the configuration. Resume it to pick up where it left off.
- Remove the integration. Delete the integration to stop all future exports. Mondoo does not delete data already written to your GCS bucket.
Exported data format
Exported files are written as JSONL (JSON Lines), with one OCSF event per line. Filenames follow the pattern:
{scope}-audit-logs-{fromID}-{toID}.jsonlFor example: org-abc123-audit-logs-500-1000.jsonl
Each event conforms to OCSF v1.5.0 and uses one of three event classes depending on the action:
| OCSF class | Class UID | Used for |
|---|---|---|
| Account Change | 3001 | Membership changes (adding/removing users to orgs or spaces) |
| Entity Management | 3004 | CRUD operations on service accounts, agents, spaces, orgs, and integrations |
| API Activity | 6003 | Policy assignments, scan triggers, and all other actions |
Example OCSF event
{
"category_uid": 3,
"class_uid": 3004,
"activity_id": 1,
"type_uid": 300401,
"severity_id": 1,
"time": 1719900000,
"message": "created service account",
"metadata": {
"product": {
"name": "Mondoo Platform",
"vendor_name": "Mondoo"
},
"version": "1.5.0"
},
"actor": {
"user": {
"email_addr": "jane@example.com",
"name": "Jane Doe"
}
},
"entity": {
"name": "my-service-account",
"type": "Service Account"
},
"api": {
"operation": "CreateServiceAccount",
"service": {
"name": "mondoo.agents.AgentManager"
}
},
"unmapped": {
"mondoo": {
"identity_mrn": "//captain.api.mondoo.app/users/abc123",
"resource_mrn": "//agents.api.mondoo.app/organizations/org-1/serviceaccounts/sa-1",
"scope_mrn": "//captain.api.mondoo.app/organizations/org-1"
}
}
}Mapped audit events
| Mondoo action | OCSF class | Activity |
|---|---|---|
| Add org/space membership | Account Change | Create |
| Remove org/space membership | Account Change | Delete |
| Create service account | Entity Management | Create |
| Delete service account | Entity Management | Delete |
| Register/unregister agent | Entity Management | Create/Delete |
| Create/update/delete space | Entity Management | Create/Update/Delete |
| Create/update/delete org | Entity Management | Create/Update/Delete |
| Create/update/delete integration | Entity Management | Create/Update/Delete |
| Assign/unassign policy | API Activity | Create/Delete |
| Set policy bundle | API Activity | Update |
| Trigger scan | API Activity | Other |
| All other actions | API Activity | Other |
Limitations
- Destination: Only Google Cloud Storage (GCS) is supported. Other object stores (S3, Azure Blob) are not currently available.
- Format: Only OCSF v1.5.0 (JSONL) is supported. CSV and other formats are not available.
- Export interval: Minimum 5 minutes, default 60 minutes. The interval is set at creation time and cannot be changed after the fact.
- Authentication: Provide either a service account key or WIF credentials, not both.
- Scope: Each integration exports from a single scope (platform, organization, or space). To export from multiple organizations independently, create one integration per organization.
- Include historical: This setting only affects the first export run. Once the export has started, it always exports incrementally from the last watermark.
- No UI: This integration must be created via the GraphQL API or Terraform provider.
See also
- View audit logs in the Mondoo App or via the GraphQL API
- Workload Identity Federation for Mondoo
- Export Data to Google BigQuery (WIF setup reference)
mondoo_integration_audit_log_exportTerraform resource- OCSF schema specification