Heroku Audit Trail Log Ingestion via API Polling
This guide explains how to configure RunReveal to poll Heroku Enterprise audit trail events (e.g., app creation, destruction, add-on management, collaborator changes, team membership updates) using the Heroku Platform API.
Prerequisites
- Heroku Enterprise account access
You need a Heroku Enterprise organization with audit trail capabilities. - Heroku API token with organization access
Token must have read permissions for your enterprise organization’s audit trail. - RunReveal account with permissions to add sources and view logs (admin/editor)
Ability to add sources and view logs.
Step 1: Create Heroku Source in RunReveal
- Navigate to Sources in RunReveal
- Look for *Heroku source tile
- Provide a descriptive Source Name (e.g., “Heroku” or “Heroku Audit Prod”)
- Add your Heroku Enterprise Name and generated API Token to the tile from the steps below.
Step 2: Obtain Your Enterprise Account Name
The Enterprise Account Name is your Heroku Enterprise organization identifier.
Finding Your Enterprise Account Name:
Method 1: Heroku Dashboard
- Log into the Heroku Dashboard
- Navigate to your Enterprise account (top-left dropdown)
- The Enterprise Account Name is displayed in the organization selector
- Format:
your-company-name
(lowercase, hyphenated)
Method 2: Heroku CLI
# Install Heroku CLI if not already installed
npm install -g heroku
# Login to your account
heroku login
# List organizations you have access to
heroku orgs
# Example output:
# your-company-name (enterprise)
Method 3: API Request
# Using your API token (see Step 3 below)
curl -n https://api.heroku.com/enterprises \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Accept: application/vnd.heroku+json; version=3"
Step 3: Generate Heroku API Token
You need a Heroku API token with audit trail access permissions.
Creating a Heroku API Token:
Method 1: Heroku Dashboard
- Log into Heroku Dashboard
- Click your profile picture (top-right)
- Select “Account Settings”
- Navigate to “Applications” tab
- Scroll to “Authorizations” section
- Click “Create Authorization”
- Fill in the form:
- Description:
RunReveal Audit Trail Integration
- Scope: Select “read” (minimum required)
- Description:
- Click “Create”
- Copy the token immediately - it won’t be shown again
Method 2: Heroku CLI
# Login to Heroku
heroku login
# Create a new authorization
heroku authorizations:create --description "RunReveal Audit Trail"
# Example output:
# Client: <client-id>
# ID: <auth-id>
# Description: RunReveal Audit Trail
# Scope: global
# Token: <your-api-token>
Required Permissions
Your API token must have access to:
- Organization audit events:
read
scope - Enterprise account access: Must be a member of the enterprise organization
Audit Event Types to Monitor:
RunReveal will automatically poll for all available audit trail events including:
app-create
/app-destroy
(application lifecycle)addon-attach
/addon-detach
(add-on management)collaborator-add
/collaborator-remove
(access changes)team-invite
/team-remove
(team membership)domain-create
/domain-delete
(domain management)config-add
/config-remove
(configuration changes)
Step 4: Validate Data Collection
- Return to RunReveal and open your source tile for Heroku page
- Confirm that events are being collected (initial polling may take 5 minutes)
- Search in Explorer or use Native AI Chat to inspect recent Heroku audit events
- Look for the
heroku_logs
table with your source ID filter
Note: RunReveal polls for new Heroku audit events every 5 minutes. Historical audit events are available based on your Heroku Enterprise plan retention period.
Security Best Practices
API Token Management
- Least privilege: Use read-only scope when possible
- Rotation: Rotate tokens regularly (quarterly recommended)
- Storage: Store tokens securely (password manager, secrets management)
- Monitoring: Monitor token usage through Heroku audit logs
Access Control
- Use a service account rather than personal account for production integrations
- Ensure the account has minimal required permissions:
- Enterprise organization member
- Audit trail read access
- Document who has access to these credentials
Troubleshooting
-
“Invalid Enterprise Account Name”
- Verify the exact spelling and format (lowercase, hyphenated)
- Ensure you have access to the enterprise organization
- Check that it’s an Enterprise account, not Team or Individual
-
“Authentication Failed”
- Verify API token is correct and hasn’t expired
- Ensure the token has proper scope (read access minimum)
- Confirm the user account is a member of the enterprise organization
-
“No Audit Events Found”
- Enterprise audit trails may take a few minutes to populate
- Verify your enterprise account has recent activity
- Check Heroku’s status page for any API issues
-
Rate Limiting Issues
- RunReveal automatically handles rate limits with exponential backoff
- If you see repeated rate limit errors, check your Heroku API usage
Testing Your Configuration
Validate your credentials before saving in RunReveal:
# Test API token and enterprise access
curl -n https://api.heroku.com/enterprises/YOUR_ENTERPRISE_NAME/audit-trail/events \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Accept: application/vnd.heroku+json; version=3"
# Should return recent audit events JSON