> ## Documentation Index
> Fetch the complete documentation index at: https://docs.domino.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Workspace File Access events

Workspace File Access events capture file-level access activity inside Domino Workspaces. Domino tracks these events only for Domino Datasets and NetApp Volumes. Domino records Workspace lifecycle actions as [system events](/6.3/platform-capabilities/features/governance/audit-trail/view-unified-audit-trail).

Domino records these file operations:

* Read

* Write

* Create

* Delete

* Rename

## How Workspace File Access auditing works

Domino monitors file system activity inside active Workspaces and records relevant events.

<img src="https://mintcdn.com/dominodatalab-e871cec4/smP26ixb6WHD0bEi/images/admin-general/workspace-audit-trail.png?fit=max&auto=format&n=smP26ixb6WHD0bEi&q=85&s=c72655bbd8a71389d6755b2d22f0bc4c" alt="Workspace audit trail diagram" width="1081" height="586" data-path="images/admin-general/workspace-audit-trail.png" />

### File system monitoring

A Falco daemon runs alongside each workspace pod and observes file system calls. Falco monitors at the kernel level, so it captures file access consistently. This works regardless of access method: code execution, terminals, notebooks, or IDE tooling.

### Deduplication

Domino deduplicates events to reduce noise and storage overhead. The system records repeated access to the same file by the same user as a single event. This deduplication uses a configurable time window. The process reduces event volumes while preserving meaningful access records. [Advanced configuration](/6.3/platform-capabilities/features/governance/audit-trail/workspace-file-access-events/use-workspace-file-audit-app#advanced-configuration) has details on how to adjust deduplication settings.

### Event processing and storage

The system periodically processes staged events and writes them to object storage. The pipeline:

1. Cleans and deduplicates raw JSON events

2. Converts JSON to Parquet format for optimized querying

3. Archives events for long-term retention (up to 30 years)

### Processing delay

Domino processes events asynchronously in scheduled batches, not in real time. The system captures and stages file system events continuously. It then processes and writes them to object storage during each run (default: every 60 minutes).

Expect a delay between when a file access event occurs and when it appears in object storage, APIs, or the Workspace File Audit App.

You can configure processing frequency with `com.cerebro.domino.workspaceFileAudit.eventProcessingInMinutes`. The default is 60 minutes (minimum 60, maximum 360).

### Query and access

You can access events through:

* The Workspace Audit App

* The Audit Trail API

* Direct object storage queries

### Storage and retention

Storage location and retention depend on your deployment type:

| Deployment type                       | Storage location              | Who manages | Retention            |
| ------------------------------------- | ----------------------------- | ----------- | -------------------- |
| Customer-managed                      | Customer-owned object storage | Customer    | Customer sets policy |
| Domino Cloud                          | Domino-owned object storage   | Domino      | 30 years             |
| Domino Cloud for Life Sciences (DCLS) | Customer-owned S3             | Domino      | 30 years             |

### Performance considerations

Enabling Workspace File Access events adds processing overhead to active workspaces. Based on Domino performance testing, enabling file access auditing typically adds:

* \~ 15 percent CPU usage

* \~ 10 percent memory usage

Workloads with heavy workspace usage or high file I/O may see higher overhead. Plan for larger hardware tiers if you enable this feature.

**How hardware sizing is determined**

These estimates come from Domino scale and performance testing of the full audit pipeline, including kernel level event capture, event ingestion, and audit record processing. Customers should plan for slightly larger hardware tiers when this feature is enabled.

### Monitoring and alerting

<Warning>
  Configure Grafana alert notifications before enabling Workspace File Access auditing. Domino installs built-in Grafana alert rules that monitor the Workspace Audit pipeline. Administrators must configure Grafana contact points and notification policies (for example email or Slack) in order to receive alerts.
</Warning>

Domino monitors the health of the Workspace Audit pipeline using built-in Grafana alert rules.

Two components are critical for audit data integrity:

* **Falco**: Captures file system events

* **Workspace Audit service**: Processes and stores events

The following conditions are monitored by built-in Grafana alerts:

* **Falco pipeline overload**: Falco or Falcosidekick can’t forward events fast enough and may begin dropping audit events.

* **Workspace Audit service processing failures**: The Workspace Audit service encounters repeated failures while processing captured file access events.

#### If a Grafana alert triggers

An alert means audit events may be delayed or dropped. To resolve:

* Increase CPU or memory for affected workspaces or services

* Restart or recover the affected audit components

* Verify event flow returns to normal

Normal audit capture resumes after the alert clears.

[Standard Grafana Alerts](/6.3/admin/operations/monitoring/grafana/alerts) in the Admin Guide has details on the Workspace File Audit alert rules that are installed with Domino.

## Next steps

* [Enable Workspace File Audits](/6.3/platform-capabilities/features/governance/audit-trail/workspace-file-access-events/enable-workspace-file-audits): Configure file-level access auditing

* [System events](/6.3/platform-capabilities/features/governance/audit-trail/view-unified-audit-trail): View and export user and administrative actions
