ToolJet/docs/versioned_docs/version-3.16.0-LTS/security/audit-logs/stream-rsyslog-to-datadog.md

---
id: stream-audit-to-datadog
title: Stream Audit Logs to Datadog
---

<br/>

This guide demonstrates how to configure ToolJet to stream audit logs from Rsyslog to Datadog for **centralized log management**, **monitoring**, and **analysis**. This integration enables real-time visibility into user activities, resource changes, and system events, helping you maintain security, compliance, and operational awareness across your infrastructure.

When to stream ToolJet audit logs to Datadog:
- **Multi-server deployments**: Centralize logs from production, staging, and development environments
- **Security monitoring**: Correlate user actions with infrastructure metrics to detect anomalies
- **Compliance requirements**: Maintain tamper-proof audit trails with long-term retention
- **Incident response**: Quickly search and analyze logs during security or operational incidents

## Prerequisites

Before setting up the Datadog integration, ensure you have:

1. **ToolJet with rsyslog enabled** - Follow the **[Setup Rsyslog guide](/docs/how-to/setup-rsyslog)** to enable log file generation
2. **Datadog account** - Sign up at [https://www.datadoghq.com/](https://www.datadoghq.com/)
3. **Datadog API key** - Obtain from [Datadog Organization Settings](https://app.datadoghq.com/organization-settings/api-keys)
4. **Docker Compose setup** - This guide uses Docker Compose for deployment

## Architecture Overview

1. **ToolJet** writes audit logs to `/home/appuser/rsyslog/` inside the container
2. **Docker volume** shares the rsyslog directory between ToolJet and Datadog Agent containers
3. **Datadog Agent** monitors the log files and streams them to Datadog's cloud platform
4. **Datadog** parses, indexes, and displays the logs in the Logs Explorer

```
┌─────────────┐      ┌──────────────┐      ┌─────────────┐
│   ToolJet   │─────>│ Docker Volume│<─────│   Datadog   │
│  Container  │      │ (rsyslog/)   │      │    Agent    │
└─────────────┘      └──────────────┘      └──────┬──────┘
                                                  │
                                                  ▼
                                            ┌─────────────┐
                                            │  Datadog    │
                                            │   Cloud     │
                                            └─────────────┘
```

## Configuration Steps

### Step 1: Configure Environment Variables

Add the following environment variables to your `.env` file:

```bash
# Enable rsyslog (if not already enabled)
LOG_FILE_PATH='rsyslog'

# Datadog Configuration
DD_API_KEY=your_datadog_api_key_here
DD_SITE=datadoghq.com
```

:::info
Replace `your_datadog_api_key_here` with your actual Datadog API key from [https://app.datadoghq.com/organization-settings/api-keys](https://app.datadoghq.com/organization-settings/api-keys)
:::

:::tip Datadog Site
The `DD_SITE` value depends on your Datadog region:
- US1: `datadoghq.com` (default)
- US3: `us3.datadoghq.com`
- US5: `us5.datadoghq.com`
- EU: `datadoghq.eu`
- AP1: `ap1.datadoghq.com`
:::

### Step 2: Create Datadog Agent Configuration

Create a file named `datadog-agent-config.yml` in your ToolJet deployment directory:

```yaml
logs_enabled: true
logs_config:
  container_collect_all: false

# ToolJet audit log configuration
log_processing_rules:
  - type: multi_line
    name: json_logs
    pattern: ^\{
```

This configuration:
- Enables log collection in the Datadog Agent
- Disables automatic collection from all containers (we'll target specific logs)
- Sets up multiline processing for JSON-formatted logs

### Step 3: Create ToolJet Log Collection Configuration

Create a file named `datadog-tooljet-logs.yaml` in your ToolJet deployment directory:

```yaml
logs:
  - type: file
    path: /var/log/tooljet/rsyslog/tooljet_log/*/audit.log
    service: tooljet
    source: tooljet-audit
    sourcecategory: audit
    tags:
      - env:production
      - application:tooljet
      - log_type:audit
    # Parse JSON logs
    log_processing_rules:
      - type: exclude_at_match
        name: exclude_empty_logs
        pattern: "^\\s*$"
```

This configuration:
- **path**: Monitors all audit.log files using a wildcard pattern to match daily rotated logs
- **service**: Tags logs with `service:tooljet` for filtering in Datadog
- **source**: Identifies logs as `tooljet-audit` for parsing pipelines
- **tags**: Adds custom tags for organization and filtering
- **log_processing_rules**: Excludes empty log lines

**Customize Tags**

Modify the `tags` section to match your environment:
```yaml
tags:
  - env:staging  # or development, production
  - application:tooljet
  - team:platform
  - region:us-east-1
```

### Step 4: Update Docker Compose Configuration

Update your `docker-compose.yml` file to include the Datadog Agent and shared volume:

#### Add Shared Volume to ToolJet Service

```yaml
services:
  tooljet:
    # ... existing configuration ...
    volumes:
      - tooljet-logs:/home/appuser/rsyslog
```

#### Add Datadog Agent Service

```yaml
  datadog-agent:
    container_name: datadog-agent
    image: gcr.io/datadoghq/agent:7
    restart: always
    environment:
      - DD_API_KEY=${DD_API_KEY}
      - DD_SITE=${DD_SITE:-datadoghq.com}
      - DD_LOGS_ENABLED=true
      - DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL=false
      - DD_PROCESS_AGENT_ENABLED=true
      - DD_DOCKER_LABELS_AS_TAGS={"*":"%%label%%"}
      - DD_TAGS=env:production application:tooljet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /proc/:/host/proc/:ro
      - /sys/fs/cgroup/:/host/sys/fs/cgroup:ro
      - tooljet-logs:/var/log/tooljet/rsyslog:ro
      - ./datadog-agent-config.yml:/etc/datadog-agent/datadog.yaml:ro
      - ./datadog-tooljet-logs.yaml:/etc/datadog-agent/conf.d/tooljet.d/conf.yaml:ro
```

#### Define the Shared Volume

```yaml
volumes:
  tooljet-logs:
  # ... other volumes ...
```


Complete docker-compose.yml Example

```bash
name: ToolJet

services:
  tooljet:
    container_name: Tooljet-app
    image: tooljet/tooljet:latest
    restart: always
    env_file: .env
    ports:
      - 80:80
    environment:
      SERVE_CLIENT: "true"
      PORT: "80"
    command: npm run start:prod
    volumes:
      - tooljet-logs:/home/appuser/rsyslog

  datadog-agent:
    container_name: datadog-agent
    image: gcr.io/datadoghq/agent:7
    restart: always
    environment:
      - DD_API_KEY=${DD_API_KEY}
      - DD_SITE=${DD_SITE:-datadoghq.com}
      - DD_LOGS_ENABLED=true
      - DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL=false
      - DD_PROCESS_AGENT_ENABLED=true
      - DD_DOCKER_LABELS_AS_TAGS={"*":"%%label%%"}
      - DD_TAGS=env:production application:tooljet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /proc/:/host/proc/:ro
      - /sys/fs/cgroup/:/host/sys/fs/cgroup:ro
      - tooljet-logs:/var/log/tooljet/rsyslog:ro
      - ./datadog-agent-config.yml:/etc/datadog-agent/datadog.yaml:ro
      - ./datadog-tooljet-logs.yaml:/etc/datadog-agent/conf.d/tooljet.d/conf.yaml:ro

  postgres:
    container_name: postgres
    image: postgres:13
    restart: always
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
    ports:
      - 5432:5432

volumes:
  tooljet-logs:
```

### Step 5: Deploy the Configuration

1. **Stop existing containers**:
   ```bash
   docker-compose down
   ```
2. **Start the updated stack**:
   ```bash
   docker-compose up -d
   ```
3. **Verify containers are running**:
   ```bash
   docker ps
   ```
   You should see both `Tooljet-app` and `datadog-agent` containers running.

### Step 6: Verify the Integration

#### Check Datadog Agent Status

Run the following command to verify the agent is collecting logs:

```bash
docker exec datadog-agent agent status
```

Look for the **Logs Agent** section in the output:

```
Logs Agent
==========
  ...
  Integrations
  ============

  tooljet
  -------
    - Type: file
      Path: /var/log/tooljet/rsyslog/tooljet_log/*/audit.log
      Service: tooljet
      Source: tooljet-audit
      Status: OK
        1 files tailed out of 1 files matching
```

:::info
If the status shows "OK" and files are being tailed, the integration is working correctly.
:::

#### Check Datadog Agent Logs

View the Datadog Agent logs to troubleshoot any issues:

```bash
docker logs datadog-agent --tail 50
```

#### Generate Test Audit Logs

Perform actions in ToolJet to generate audit logs:
- Create or delete an application
- Modify data sources
- Update user permissions
- Change organization settings

### Step 7: View Logs in Datadog

1. Navigate to the **[Datadog Logs Explorer](https://app.datadoghq.com/logs)**

2. Use the following filters to find your ToolJet logs:
   - `service:tooljet`
   - `source:tooljet-audit`
   - `env:production`

## Log Structure and Fields

ToolJet audit logs contain the following structured fields:

| Field | Description | Example |
|-------|-------------|---------|
| `level` | Log severity level | `info`, `warn`, `error` |
| `message` | Human-readable log message | `PERFORM APP_CREATE OF MyApp` |
| `timestamp` | When the event occurred | `2025-10-21 11:27:44` |
| `auditLog.userId` | User who performed the action | `a59e1ec7-d015-47b9-8ef8-e5d3f4e5f8d4` |
| `auditLog.resourceId` | ID of the affected resource | `95031c39-9d19-425d-b70c-3436c2805773` |
| `auditLog.resourceType` | Type of resource | `APP`, `DATA_SOURCE`, `USER` |
| `auditLog.actionType` | Action performed | `APP_CREATE`, `APP_DELETE`, `APP_UPDATE` |
| `auditLog.resourceName` | Name of the resource | `MyApplication` |
| `auditLog.ipAddress` | Client IP address | `::ffff:192.168.65.1` |
| `auditLog.organizationId` | Organization ID | `e9de636b-e611-4b90-95f0-0fe20b540924` |
| `auditLog.metadata.userAgent` | Browser/client information | `Mozilla/5.0...` |
| `auditLog.metadata.tooljetVersion` | ToolJet version | `3.16.33-ee-lts` |
| `auditLog.metadata.transactionId` | Unique transaction identifier | `732440597788045` |
| `auditLog.metadata.route` | API endpoint called | `[POST] /api/apps` |

**Example Audit Log Entry**

```json
{
  "level": "info",
  "message": "PERFORM APP_CREATE OF MyApp APP FOR ORGANIZATION e9de636b-e611-4b90-95f0-0fe20b540924",
  "timestamp": "2025-10-21 11:27:44",
  "auditLog": {
    "userId": "a59e1ec7-d015-47b9-8ef8-e5d3f4e5f8d4",
    "resourceId": "95031c39-9d19-425d-b70c-3436c2805773",
    "resourceType": "APP",
    "actionType": "APP_CREATE",
    "resourceName": "MyApp",
    "ipAddress": "::ffff:192.168.65.1",
    "metadata": {
      "instance_level": false,
      "workspace_level": true,
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0",
      "tooljetVersion": "3.16.33-ee-lts",
      "transactionId": "732440597788045",
      "totalDuration": 150,
      "route": "[POST] /api/apps"
    },
    "resourceData": {},
    "organizationId": "e9de636b-e611-4b90-95f0-0fe20b540924"
  },
  "label": "APP"
}
```

## Related Resources

- **[Setup Rsyslog](/docs/how-to/setup-rsyslog)** - Configure audit log generation
- **[Datadog Documentation](https://docs.datadoghq.com/)** - Official Datadog guides
- **[Datadog Agent Configuration](https://docs.datadoghq.com/agent/guide/agent-configuration-files/)** - Detailed Agent setup
- **[Log Collection](https://docs.datadoghq.com/logs/log_collection/)** - Datadog log collection guide
[docs]: Streaming Rsyslog Audit Logs to Datadog (#14384) * Add guide for streaming Rsyslog audit logs to Datadog * add use case, add doc to sidebar * feedback update --------- Co-authored-by: rudrapratik30 <pratik104agrawal@gmail.com> 2025-11-04 05:21:43 +00:00			`---`
			`id: stream-audit-to-datadog`
			`title: Stream Audit Logs to Datadog`
			`---`

			`<br/>`

			`This guide demonstrates how to configure ToolJet to stream audit logs from Rsyslog to Datadog for centralized log management, monitoring, and analysis. This integration enables real-time visibility into user activities, resource changes, and system events, helping you maintain security, compliance, and operational awareness across your infrastructure.`

			`When to stream ToolJet audit logs to Datadog:`
			`- Multi-server deployments: Centralize logs from production, staging, and development environments`
			`- Security monitoring: Correlate user actions with infrastructure metrics to detect anomalies`
			`- Compliance requirements: Maintain tamper-proof audit trails with long-term retention`
			`- Incident response: Quickly search and analyze logs during security or operational incidents`

			`## Prerequisites`

			`Before setting up the Datadog integration, ensure you have:`

			`1. ToolJet with rsyslog enabled - Follow the [Setup Rsyslog guide](/docs/how-to/setup-rsyslog) to enable log file generation`
			`2. Datadog account - Sign up at [https://www.datadoghq.com/](https://www.datadoghq.com/)`
			`3. Datadog API key - Obtain from [Datadog Organization Settings](https://app.datadoghq.com/organization-settings/api-keys)`
			`4. Docker Compose setup - This guide uses Docker Compose for deployment`

			`## Architecture Overview`

			1. ToolJet writes audit logs to `/home/appuser/rsyslog/` inside the container
			`2. Docker volume shares the rsyslog directory between ToolJet and Datadog Agent containers`
			`3. Datadog Agent monitors the log files and streams them to Datadog's cloud platform`
			`4. Datadog parses, indexes, and displays the logs in the Logs Explorer`

			```
			`┌─────────────┐ ┌──────────────┐ ┌─────────────┐`
			`│ ToolJet │─────>│ Docker Volume│<─────│ Datadog │`
			`│ Container │ │ (rsyslog/) │ │ Agent │`
			`└─────────────┘ └──────────────┘ └──────┬──────┘`
			`│`
			`▼`
			`┌─────────────┐`
			`│ Datadog │`
			`│ Cloud │`
			`└─────────────┘`
			```

			`## Configuration Steps`

			`### Step 1: Configure Environment Variables`

			Add the following environment variables to your `.env` file:

			```bash
			`# Enable rsyslog (if not already enabled)`
			`LOG_FILE_PATH='rsyslog'`

			`# Datadog Configuration`
			`DD_API_KEY=your_datadog_api_key_here`
			`DD_SITE=datadoghq.com`
			```

			`:::info`
			Replace `your_datadog_api_key_here` with your actual Datadog API key from [https://app.datadoghq.com/organization-settings/api-keys](https://app.datadoghq.com/organization-settings/api-keys)
			`:::`

			`:::tip Datadog Site`
			The `DD_SITE` value depends on your Datadog region:
			- US1: `datadoghq.com` (default)
			- US3: `us3.datadoghq.com`
			- US5: `us5.datadoghq.com`
			- EU: `datadoghq.eu`
			- AP1: `ap1.datadoghq.com`
			`:::`

			`### Step 2: Create Datadog Agent Configuration`

			Create a file named `datadog-agent-config.yml` in your ToolJet deployment directory:

			```yaml
			`logs_enabled: true`
			`logs_config:`
			`container_collect_all: false`

			`# ToolJet audit log configuration`
			`log_processing_rules:`
			`- type: multi_line`
			`name: json_logs`
			`pattern: ^\{`
			```

			`This configuration:`
			`- Enables log collection in the Datadog Agent`
			`- Disables automatic collection from all containers (we'll target specific logs)`
			`- Sets up multiline processing for JSON-formatted logs`

			`### Step 3: Create ToolJet Log Collection Configuration`

			Create a file named `datadog-tooljet-logs.yaml` in your ToolJet deployment directory:

			```yaml
			`logs:`
			`- type: file`
			`path: /var/log/tooljet/rsyslog/tooljet_log/*/audit.log`
			`service: tooljet`
			`source: tooljet-audit`
			`sourcecategory: audit`
			`tags:`
			`- env:production`
			`- application:tooljet`
			`- log_type:audit`
			`# Parse JSON logs`
			`log_processing_rules:`
			`- type: exclude_at_match`
			`name: exclude_empty_logs`
			`pattern: "^\\s*$"`
			```

			`This configuration:`
			`- path: Monitors all audit.log files using a wildcard pattern to match daily rotated logs`
			- service: Tags logs with `service:tooljet` for filtering in Datadog
			- source: Identifies logs as `tooljet-audit` for parsing pipelines
			`- tags: Adds custom tags for organization and filtering`
			`- log_processing_rules: Excludes empty log lines`

			`Customize Tags`

			Modify the `tags` section to match your environment:
			```yaml
			`tags:`
			`- env:staging # or development, production`
			`- application:tooljet`
			`- team:platform`
			`- region:us-east-1`
			```

			`### Step 4: Update Docker Compose Configuration`

			Update your `docker-compose.yml` file to include the Datadog Agent and shared volume:

			`#### Add Shared Volume to ToolJet Service`

			```yaml
			`services:`
			`tooljet:`
			`# ... existing configuration ...`
			`volumes:`
			`- tooljet-logs:/home/appuser/rsyslog`
			```

			`#### Add Datadog Agent Service`

			```yaml
			`datadog-agent:`
			`container_name: datadog-agent`
			`image: gcr.io/datadoghq/agent:7`
			`restart: always`
			`environment:`
			`- DD_API_KEY=${DD_API_KEY}`
			`- DD_SITE=${DD_SITE:-datadoghq.com}`
			`- DD_LOGS_ENABLED=true`
			`- DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL=false`
			`- DD_PROCESS_AGENT_ENABLED=true`
			`- DD_DOCKER_LABELS_AS_TAGS={"*":"%%label%%"}`
			`- DD_TAGS=env:production application:tooljet`
			`volumes:`
			`- /var/run/docker.sock:/var/run/docker.sock:ro`
			`- /proc/:/host/proc/:ro`
			`- /sys/fs/cgroup/:/host/sys/fs/cgroup:ro`
			`- tooljet-logs:/var/log/tooljet/rsyslog:ro`
			`- ./datadog-agent-config.yml:/etc/datadog-agent/datadog.yaml:ro`
			`- ./datadog-tooljet-logs.yaml:/etc/datadog-agent/conf.d/tooljet.d/conf.yaml:ro`
			```

			`#### Define the Shared Volume`

			```yaml
			`volumes:`
			`tooljet-logs:`
			`# ... other volumes ...`
			```


			`Complete docker-compose.yml Example`

			```bash
			`name: ToolJet`

			`services:`
			`tooljet:`
			`container_name: Tooljet-app`
			`image: tooljet/tooljet:latest`
			`restart: always`
			`env_file: .env`
			`ports:`
			`- 80:80`
			`environment:`
			`SERVE_CLIENT: "true"`
			`PORT: "80"`
			`command: npm run start:prod`
			`volumes:`
			`- tooljet-logs:/home/appuser/rsyslog`

			`datadog-agent:`
			`container_name: datadog-agent`
			`image: gcr.io/datadoghq/agent:7`
			`restart: always`
			`environment:`
			`- DD_API_KEY=${DD_API_KEY}`
			`- DD_SITE=${DD_SITE:-datadoghq.com}`
			`- DD_LOGS_ENABLED=true`
			`- DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL=false`
			`- DD_PROCESS_AGENT_ENABLED=true`
			`- DD_DOCKER_LABELS_AS_TAGS={"*":"%%label%%"}`
			`- DD_TAGS=env:production application:tooljet`
			`volumes:`
			`- /var/run/docker.sock:/var/run/docker.sock:ro`
			`- /proc/:/host/proc/:ro`
			`- /sys/fs/cgroup/:/host/sys/fs/cgroup:ro`
			`- tooljet-logs:/var/log/tooljet/rsyslog:ro`
			`- ./datadog-agent-config.yml:/etc/datadog-agent/datadog.yaml:ro`
			`- ./datadog-tooljet-logs.yaml:/etc/datadog-agent/conf.d/tooljet.d/conf.yaml:ro`

			`postgres:`
			`container_name: postgres`
			`image: postgres:13`
			`restart: always`
			`environment:`
			`POSTGRES_USER: postgres`
			`POSTGRES_PASSWORD: postgres`
			`ports:`
			`- 5432:5432`

			`volumes:`
			`tooljet-logs:`
			```

			`### Step 5: Deploy the Configuration`

			`1. Stop existing containers:`
			```bash
			`docker-compose down`
			```
			`2. Start the updated stack:`
			```bash
			`docker-compose up -d`
			```
			`3. Verify containers are running:`
			```bash
			`docker ps`
			```
			You should see both `Tooljet-app` and `datadog-agent` containers running.

			`### Step 6: Verify the Integration`

			`#### Check Datadog Agent Status`

			`Run the following command to verify the agent is collecting logs:`

			```bash
			`docker exec datadog-agent agent status`
			```

			`Look for the Logs Agent section in the output:`

			```
			`Logs Agent`
			`==========`
			`...`
			`Integrations`
			`============`

			`tooljet`
			`-------`
			`- Type: file`
			`Path: /var/log/tooljet/rsyslog/tooljet_log/*/audit.log`
			`Service: tooljet`
			`Source: tooljet-audit`
			`Status: OK`
			`1 files tailed out of 1 files matching`
			```

			`:::info`
			`If the status shows "OK" and files are being tailed, the integration is working correctly.`
			`:::`

			`#### Check Datadog Agent Logs`

			`View the Datadog Agent logs to troubleshoot any issues:`

			```bash
			`docker logs datadog-agent --tail 50`
			```

			`#### Generate Test Audit Logs`

			`Perform actions in ToolJet to generate audit logs:`
			`- Create or delete an application`
			`- Modify data sources`
			`- Update user permissions`
			`- Change organization settings`

			`### Step 7: View Logs in Datadog`

			`1. Navigate to the [Datadog Logs Explorer](https://app.datadoghq.com/logs)`

			`2. Use the following filters to find your ToolJet logs:`
			- `service:tooljet`
			- `source:tooljet-audit`
			- `env:production`

			`## Log Structure and Fields`

			`ToolJet audit logs contain the following structured fields:`

			`\| Field \| Description \| Example \|`
			`\|-------\|-------------\|---------\|`
			\| `level` \| Log severity level \| `info`, `warn`, `error` \|
			\| `message` \| Human-readable log message \| `PERFORM APP_CREATE OF MyApp` \|
			\| `timestamp` \| When the event occurred \| `2025-10-21 11:27:44` \|
			\| `auditLog.userId` \| User who performed the action \| `a59e1ec7-d015-47b9-8ef8-e5d3f4e5f8d4` \|
			\| `auditLog.resourceId` \| ID of the affected resource \| `95031c39-9d19-425d-b70c-3436c2805773` \|
			\| `auditLog.resourceType` \| Type of resource \| `APP`, `DATA_SOURCE`, `USER` \|
			\| `auditLog.actionType` \| Action performed \| `APP_CREATE`, `APP_DELETE`, `APP_UPDATE` \|
			\| `auditLog.resourceName` \| Name of the resource \| `MyApplication` \|
			\| `auditLog.ipAddress` \| Client IP address \| `::ffff:192.168.65.1` \|
			\| `auditLog.organizationId` \| Organization ID \| `e9de636b-e611-4b90-95f0-0fe20b540924` \|
			\| `auditLog.metadata.userAgent` \| Browser/client information \| `Mozilla/5.0...` \|
			\| `auditLog.metadata.tooljetVersion` \| ToolJet version \| `3.16.33-ee-lts` \|
			\| `auditLog.metadata.transactionId` \| Unique transaction identifier \| `732440597788045` \|
			\| `auditLog.metadata.route` \| API endpoint called \| `[POST] /api/apps` \|

			`Example Audit Log Entry`

			```json
			`{`
			`"level": "info",`
			`"message": "PERFORM APP_CREATE OF MyApp APP FOR ORGANIZATION e9de636b-e611-4b90-95f0-0fe20b540924",`
			`"timestamp": "2025-10-21 11:27:44",`
			`"auditLog": {`
			`"userId": "a59e1ec7-d015-47b9-8ef8-e5d3f4e5f8d4",`
			`"resourceId": "95031c39-9d19-425d-b70c-3436c2805773",`
			`"resourceType": "APP",`
			`"actionType": "APP_CREATE",`
			`"resourceName": "MyApp",`
			`"ipAddress": "::ffff:192.168.65.1",`
			`"metadata": {`
			`"instance_level": false,`
			`"workspace_level": true,`
			`"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0",`
			`"tooljetVersion": "3.16.33-ee-lts",`
			`"transactionId": "732440597788045",`
			`"totalDuration": 150,`
			`"route": "[POST] /api/apps"`
			`},`
			`"resourceData": {},`
			`"organizationId": "e9de636b-e611-4b90-95f0-0fe20b540924"`
			`},`
			`"label": "APP"`
			`}`
			```

			`## Related Resources`

			`- [Setup Rsyslog](/docs/how-to/setup-rsyslog) - Configure audit log generation`
			`- [Datadog Documentation](https://docs.datadoghq.com/) - Official Datadog guides`
			`- [Datadog Agent Configuration](https://docs.datadoghq.com/agent/guide/agent-configuration-files/) - Detailed Agent setup`
			`- [Log Collection](https://docs.datadoghq.com/logs/log_collection/) - Datadog log collection guide`