- Read
- Write
- Create
- Delete
- Rename
How Workspace File Access auditing works
Domino monitors file system activity inside active Workspaces and records relevant events.
File system monitoring
A Falco daemon runs alongside each workspace pod and observes file system calls. Falco monitors at the kernel level, so it captures file access consistently. This works regardless of access method: code execution, terminals, notebooks, or IDE tooling.Deduplication
Domino deduplicates events to reduce noise and storage overhead. The system records repeated access to the same file by the same user as a single event. This deduplication uses a configurable time window. The process reduces event volumes while preserving meaningful access records. Advanced configuration has details on how to adjust deduplication settings.Event processing and storage
The system periodically processes staged events and writes them to object storage. The pipeline:- Cleans and deduplicates raw JSON events
- Converts JSON to Parquet format for optimized querying
- Archives events for long-term retention (up to 30 years)
Processing delay
Domino processes events asynchronously in scheduled batches, not in real time. The system captures and stages file system events continuously. It then processes and writes them to object storage during each run (default: every 60 minutes). Expect a delay between when a file access event occurs and when it appears in object storage, APIs, or the Workspace File Audit App. You can configure processing frequency withcom.cerebro.domino.workspaceFileAudit.eventProcessingInMinutes. The default is 60 minutes (minimum 60, maximum 360).
Query and access
You can access events through:- The Workspace Audit App
- The Audit Trail API
- Direct object storage queries
Storage and retention
Storage location and retention depend on your deployment type:| Deployment type | Storage location | Who manages | Retention |
|---|---|---|---|
| Customer-managed | Customer-owned object storage | Customer | Customer sets policy |
| Domino Cloud | Domino-owned object storage | Domino | 30 years |
| Domino Cloud for Life Sciences (DCLS) | Customer-owned S3 | Domino | 30 years |
Performance considerations
Enabling Workspace File Access events adds processing overhead to active workspaces. Based on Domino performance testing, enabling file access auditing typically adds:- ~ 15 percent CPU usage
- ~ 10 percent memory usage
Monitoring and alerting
In cloud deployments, Domino’s platform team monitors the Workspace Audit pipeline and manages all underlying audit infrastructure alerts on your behalf. To monitor the health and activity of your own workloads, go to/grafana-workload.
If you suspect audit events are delayed or dropped
Contact Domino Support. Provide the approximate time the issue began and any relevant workspace details. Normal audit capture resumes after Domino resolves the issue.Next steps
- Enable Workspace File Audits: Configure file-level access auditing
- System events: View and export user and administrative actions