# Audit Logs Collects and ingests audit logs from the MuleSoft Anypoint Platform, providing visibility into user, organization, and application actions across Anypoint products such as Core Services, Runtime Manager, API Manager, and Exchange. **Sync Type: Incremental** ## Requirements Before connecting Monad to MuleSoft Anypoint Platform, you need: 1. **Anypoint Control Plane** - The control plane your organization is hosted on (US, EU, or US Government Cloud) - This determines the base URL and the rate limit applied to the audit query endpoint 2. **Organization ID** - The Anypoint organization (business group) ID whose audit logs you want to collect 3. **Connected App (OAuth2 Client Credentials)** - A connected app configured for the **Client Credentials** grant type - Client ID and Client Secret - The app must be granted a scope/role that allows reading audit logs (e.g. **Audit Log Viewer** or **Organization Administrator**) ### Control Plane Mapping | Control Plane | Region Value | Base URL | | ------------- | ------------ | -------- | | United States | `us` | `https://anypoint.mulesoft.com` | | Europe | `eu` | `https://eu1.anypoint.mulesoft.com` | | US Government Cloud | `gov` | `https://gov.anypoint.mulesoft.com` | ### Finding Your Organization ID 1. Log in to Anypoint Platform as an administrator 2. Navigate to **Access Management** > **Organization** 3. Select your organization (business group) 4. Copy the **Organization ID** (a UUID) from the organization details ### Creating a Connected App 1. Log in to Anypoint Platform as an administrator 2. Navigate to **Access Management** > **Connected Apps** 3. Click **Create app** 4. Enter a name (e.g. "Monad Audit Logs") 5. Select **App acts on its own behalf (client credentials)** 6. Click **Add scopes** and grant a scope that permits reading audit logs (for example **Audit Log Viewer**, or **Organization Administrator** scoped to the relevant organization) 7. Click **Save** 8. Copy and securely store the **Client ID** and **Client Secret** Monad exchanges these credentials for a bearer token via the `client_credentials` grant against `/accounts/api/v2/oauth2/token`, then queries `/audit/v2/organizations/{organizationId}/query`. ## Configuration The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below. #### Settings | Setting | Type | Required | Description | | ------- | ---- | -------- | ----------- | | Control Plane | string | Yes | The Anypoint Platform control plane to connect to. Determines the base URL and the audit query rate limit. Options: `us` (United States), `eu` (Europe), `gov` (US Government Cloud). Defaults to `us`. | | Organization ID | string | Yes | The Anypoint organization (business group) ID whose audit logs are queried. Found in **Access Management** > **Organization**. | | Backfill Start Time | string | No | The date to start fetching audit logs from, in RFC3339 format (e.g. `2024-01-01T00:00:00Z`). If not specified, the connector fetches logs from the time it is created on a pipeline. | | Use Synthetic Data | boolean | No | Generates demo audit logs for testing without connecting to MuleSoft. Useful for validating configuration without credentials. | #### Secrets | Secret | Type | Required | Description | | ------ | ---- | -------- | ----------- | | Client ID | string | Yes | OAuth2 Client ID from your Anypoint connected app (client credentials grant). | | Client Secret | string | Yes | OAuth2 Client Secret from your Anypoint connected app (client credentials grant). | ## Rate Limits The Anypoint Audit Log Query endpoint is rate limited per IP, and the limit depends on the control plane. If a client exceeds the limit, the endpoint returns a `503 Service Unavailable` status until the minute expires. | Control Plane | Allowed Requests per Minute per IP | | ------------- | ---------------------------------- | | US | 700 | | EU | 40 | | US Government Cloud | 40 | The connector automatically paces its requests below the limit for the selected control plane and implements retry logic with backoff to handle throttling responses gracefully. See the [Audit Log Query rate-limit policy](https://docs.mulesoft.com/access-management/audit-logging#rate-limit-policy-for-audit-log-query-endpoint) for details. ## Troubleshooting ### Common Issues #### 1. Authentication Failures (401 Unauthorized / invalid_client) **Symptoms**: Error message "invalid_client" or 401 Unauthorized when attempting to connect. **Causes**: - Client ID or Client Secret is incorrect - The connected app was deleted or its secret was rotated - Credentials contain extra whitespace **Solutions**: - Double-check that the Client ID and Client Secret are correct and copied without leading/trailing spaces - Verify the connected app still exists in **Access Management** > **Connected Apps** - Rotate the Client Secret if it may have been compromised, and update Monad with the new value #### 2. Permission Denied (403 Forbidden) **Symptoms**: The connection authenticates but audit queries are rejected as forbidden. **Causes**: - The connected app does not have a scope/role permitting audit log access - The app is not authorized for the specified organization **Solutions**: - In **Access Management** > **Connected Apps**, edit the app and add a scope such as **Audit Log Viewer** (or **Organization Administrator**) for the relevant organization - Confirm the **Organization ID** matches an organization the app is scoped to #### 3. Wrong Control Plane **Symptoms**: Authentication or query failures even though the credentials are valid. **Causes**: - The selected control plane does not match where your Anypoint organization is hosted **Solutions**: - Confirm whether your organization is on the US, EU, or US Government Cloud control plane and select the matching **Control Plane** value - Cross-reference the base URL you use to log in to Anypoint with the Control Plane Mapping table above #### 4. No Audit Logs Appearing **Symptoms**: The connector runs successfully but no audit logs are collected. **Causes**: - No audit events occurred during the specified time window - `Backfill Start Time` is set to a recent time (logs are only generated as events occur) **Solutions**: - On the first sync without a `Backfill Start Time`, the connector fetches logs from now onward - To collect historical logs, set `Backfill Start Time` to an earlier date - Verify that audit events are actually occurring in your Anypoint organization #### 5. Invalid Backfill Start Time **Symptoms**: Validation error about the backfill time format. **Causes**: - Date not in RFC3339 format, invalid values, or a timestamp in the future **Solutions**: - Use RFC3339 format with timezone: `2024-01-01T00:00:00Z` (UTC) or `2024-01-01T00:00:00-05:00` (with offset) - Verify the date is valid and not in the future ## Related Articles - [Anypoint Audit Logging](https://docs.mulesoft.com/access-management/audit-logging) - [Audit Log Query API rate-limit policy](https://docs.mulesoft.com/access-management/audit-logging#rate-limit-policy-for-audit-log-query-endpoint) - [Connected Apps](https://docs.mulesoft.com/access-management/connected-apps-overview) - [Connected Apps — Client Credentials grant](https://docs.mulesoft.com/access-management/connected-apps-developers) ## Sample Record ```json { "action": "Create", "timestamp": 1782115598924, "userId": "70a1dc88-ed1d-4974-abe4-0ae7ea2a5f7b", "userName": "anudevs-monad", "clientId": null, "clientName": null, "clientIP": null, "payload": { "properties": { "id": "1512141a-3d0d-4c0e-b66a-7e4092e75b3b", "name": "Monad Inc", "domain": "monad-inc", "isRoot": true, "orgType": "anypoint", "ownerId": "70a1dc88-ed1d-4974-abe4-0ae7ea2a5f7b", "clientId": "fc1a0eb428d445d9bede9db200854ed7", "isMaster": true, "createdAt": "2026-06-22T08:06:37.926Z", "deletedAt": null, "updatedAt": "2026-06-22T08:06:37.926Z", "isFederated": false, "mfaRequired": "mandatory", "subscription": { "type": "Trial", "category": "Developer", "expiration": "2026-07-22T08:06:38.218Z", "justification": null }, "idprovider_id": "mulesoft", "ipAllowlistEnabled": false, "subOrganizationIds": [], "parentOrganizationIds": [], "tenantOrganizationIds": [] } }, "failed": false, "failedCause": null, "anypointTransactionId": "784d6b13-8f32-48bf-ba4a-56104fe8bca4", "platform": "CoreServices", "objects": [ { "objectType": "Organization", "objectId": "1512141a-3d0d-4c0e-b66a-7e4092e75b3b", "objectName": "Monad Inc", "parentId": null, "parentType": null, "environmentId": null, "environmentName": null } ] } ```