App Integration
Troubleshooting
Logs

Logs

Oso Cloud exposes logs for the following events:

  • Authorization requests and queries (read logs)
  • Requests to update authorization data (write logs)

You can use these logs to audit the most common authorization events. Read on for more information.

Audit reads: Authorization requests and queries

Read logs document all authorization requests and queries that are made by your application. They're available for inspection in the Logs page (opens in a new tab) of the Oso Cloud UI.

View of the logs page in Oso Cloud dashboard, indicating Bob can edit the document Foo

Free and Pro customers can view the last 24 hours of read logs. Growth customers can search at least 30 days of read logs in order to audit historical authorization requests.

Read logs can not currently be exported from Oso Cloud. If you're interested in this capability, please reach out to us (opens in a new tab).

Audit writes: Verify Oso Cloud Has Received Data

This feature is only available for Growth plan customers.

You may need to verify that your Oso Cloud environment's centralized authorization data store has received the data you expect it to have.

This might be particularly useful if your application has many moving parts before it even reaches your authorization logic. In those cases it may not be immediately obvious when data has been written to Oso Cloud, which in turn could make it harder to understand your authorization results.

To accomplish this, you can create a webhook that Oso Cloud can call whenever it receives a write; we call this feature Oso Cloud Webhook Integration. Currently, this feature is not self-service, and must be configured by an Oso Engineer, so reach out to us if you are interested.

Limitations

  • Ingesting data via Oso Sync will not cause Oso Cloud to send data to the webhook.
  • For insert operations, Oso Cloud will not report whether the data was already present or was inserted as a result of applying the operation.
  • For delete operations, Oso Cloud will not report the exact set of facts that were deleted as a result of applying the operation.
  • Oso Cloud will not indefinitely retry delivery to the webhook, so there is no guarantee of delivery. Due to this limitation, this feature isn't suitable for a compliance/archival use case.

We're working on features to address these use cases. If you'd like to learn more, contact us below.

Next Steps

Next, we'll show you how to use the explain tool to understand the authorization results that Oso Cloud returns.

Talk to an Oso engineer

Do you have questions about Oso's logging capabilities? If so, schedule a 1x1 with an Oso engineer. We're happy to help.

Get started with Oso Cloud →

The Explain Tool