# Exporting Audit Logs

In addition to [viewing audit logs in the OX platform](https://docs.ox.security/admin-settings/audit-logs), you can export audit logs to an external Amazon S3 bucket. Audit logs are written to the S3 bucket using a structured folder hierarchy that is created automatically by OX.

Audit log export is typically used when you need to perform the following:

* **Centralized logging:** Consume audit logs using existing log processing pipelines.
* **Compliance and retention:** Store audit logs in customer-managed, long-term storage.
* **Automation:** Enable automated analysis outside the OX platform.

## How audit log export works

Audit logs are exported as JSON files to a customer-managed S3 bucket.

Each export includes all audit log events generated since the previous export.

If no user or system activity occurred during the export window, the exported file still contains a system-generated event indicating that the export ran successfully.

Audit log export uses an AWS role-based connector. During the setup, OX generates a unique external ID and uses an AWS IAM role, which is created in AWS with permission to write to the specified S3 bucket. The role ARN and external ID are used together to securely authenticate export operations.

## Prerequisites

* OX admin permissions
* AWS admin account with permissions to add an IAM role

## Step 1: Generating an AWS IAM role \[AWS]

1. In OX, go to **Connectors**, and search for **S3 Audit Log Exporter**.

<figure><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-706db175b663b7c784121ddfb3b292f2d082db9c%2FS3%20Audit%20Logs%20Exporter%20%20connector_icon.png?alt=media" alt="" width="110"><figcaption></figcaption></figure>

2. Select **CLOUD FORMATION ASSUME ROLE**.

<figure><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-4bc414e0c6a2304322d92289457c5ba7632e9d5e%2FS3%20Audit%20Logs%20Exporter%20%20connector_connecting%20to%20AWS.png?alt=media" alt="" width="541"><figcaption></figcaption></figure>

You are redirected to the **Quick create stack** page.

<figure><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-9dc6bba8dca8417b48eeb28a39eabde8b87811da%2FAWS_create_stack_per_Ox_cloudformation.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

3. In the **Quick create stack** page, set the following parameters:

<table><thead><tr><th width="194.83331298828125">Setting</th><th>Description</th></tr></thead><tbody><tr><td>Stack name</td><td>Provide a unique stack name.</td></tr><tr><td>S3 Bucket Name</td><td>The Amazon S3 bucket where audit logs are exported: <strong>Amazon S3 > Buckets > your S3 bucket name</strong>.</td></tr><tr><td>S3 bucket prefix</td><td>Optional, folder inside the bucket where audit logs are stored. This allows working with separate folders, and is useful if you want to grant permissions to a specific folder only.</td></tr></tbody></table>

4. Select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**.
5. Select **Create stack**. The new stack appears in **Outputs**.

<figure><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-e7e254159aee2a945ad71bcc50a6613657f729c1%2Farn_role_created.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

6. Save the value **RoleArn** in a safe location for later use in OX.

## Step 2: Connecting to S3 Audit Logs Exporter \[OX]

1. In OX, go to **Connectors > S3 Audit Log Exporter**.

<figure><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-0dd7eb5afa3a9c1b07f33ab4293d089f95410626%2FS3%20Audit%20Logs%20Exporter%20%20connector.png?alt=media" alt="" width="538"><figcaption></figcaption></figure>

<table><thead><tr><th width="194.83331298828125">Setting</th><th>Description</th></tr></thead><tbody><tr><td>AWS External ID</td><td>A unique ID automatically provided by OX.</td></tr><tr><td>AWS Role ARN</td><td>The <strong>RoleArn</strong> value you saved in <a href="#step-1-generating-an-aws-iam-role-aws">Step 1</a>.</td></tr></tbody></table>

2. Select **CONNECT**.

## Step 3: Configure Audit Log Export Settings \[OX]

1. Go to **Settings > Audit Logs**.

<figure><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-93340dab7e3c81092edd8a6f761d76f308ed05f2%2Faudit_logs_export_settings.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

<table><thead><tr><th width="168.16668701171875">Setting</th><th>Description</th></tr></thead><tbody><tr><td>S3 Bucket Name</td><td>The Amazon S3 bucket where audit logs are exported: <strong>Amazon S3 > Buckets > your S3 bucket name</strong>.</td></tr><tr><td>S3 region</td><td>The AWS region where the bucket is located. Check in the <strong>S3 bucket</strong>, in the <strong>Properties</strong> tab.<br><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-99e8f1fbcec3ea7b7a4385508741c79f5b0b19ce%2Fimage.png?alt=media" alt=""></td></tr><tr><td>S3 bucket prefix (optional)</td><td>Defines the folder in the bucket where audit logs are written. If a prefix is specified, OX stores the exported logs under that folder; if it is left empty, logs can be written anywhere in the bucket based on the permissions granted to the role. When a prefix is provided, OX creates the folder and automatically generates the internal subfolder structure used to store the audit log files.</td></tr><tr><td>Export Frequency</td><td><p>Determines how often audit logs are written to the S3 bucket and can be set from 1 to 24 hours.</p><p>The first export runs at the beginning of the next full hour after configuration is saved, and each export includes all audit log events generated since the previous export.</p><p>If no activity occurs during the interval, the exported file still contains a system entry confirming that the export completed successfully.<br>Default: 1 hour.</p></td></tr></tbody></table>

2. Select **VERIFY CONNECTIVITY** and then select **SAVE**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.ox.security/admin-settings/audit-logs/exporting-audit-logs.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.