Looking for advice on BYOC Trunk Audit Log Gaps During Failover
We are observing a discrepancy in the security audit trail for our APAC region deployments. Specifically, when the primary BYOC trunk experiences a SIP 408 Request Timeout and the system triggers a failover to the secondary trunk, the initial SIP INVITE and subsequent 200 OK responses are missing from the Genesys Cloud audit logs for that specific call leg. The calls complete successfully via the secondary carrier, and the CDRs in the analytics reporting module show the correct routing path, but the granular SIP signaling events required for our compliance team’s traceability requirements are absent. We have verified that the secondary trunk is registered and healthy, and the outbound routing rules are configured with a 5-second failover threshold. The environment is running Genesys Cloud Release 23.21, and we are using the REST API v2 to pull the audit events. Is this a known limitation of the BYOC integration where signaling events are only logged on the primary trunk, or is there a specific configuration setting in the trunk profile or the architect flow that needs to be adjusted to ensure full SIP message logging across failover events? We need to ensure we can reconstruct the full call flow for any security incident that occurs during a carrier switch.
You might want to check the BYOC trunk configuration settings. In Zendesk, audit gaps were rare, but Genesys Cloud requires explicit logging for failover events. Ensure “Log SIP messages” is enabled for both primary and secondary trunks. This maps directly to how we handled voice widget logging during our migration.
Make sure you verify that the SIP message logging is not only enabled at the trunk level but also that the specific SIP signaling events are being captured in the conversation_events stream for that region. While the suggestion above regarding the trunk configuration is a solid starting point, there is often a deeper layer of misconfiguration involving how the platform ingests these logs during failover sequences.
In multi-region deployments, particularly in APAC, the latency between the primary trunk timeout and the secondary trunk acceptance can cause the initial INVITE and the 200 OK to be treated as transient events. If the logging pipeline is not explicitly configured to capture sip:invite and sip:ok events with a high retention policy, these packets are frequently dropped before they hit the audit index. This is a common issue when scaling Premium Apps that rely on real-time webhook ingestion for compliance reporting.
You should check the audit:conversation event stream directly via the API for the specific timestamp range. Look for any gaps in the routing_queue or participant updates that coincide with the SIP 408. If the events are missing there, the issue is likely upstream in the carrier’s SIP proxy configuration rather than Genesys Cloud’s logging settings. Ensure your secondary trunk’s SIP domain is explicitly whitelisted in the logging scope.
Additionally, verify that your AppFoundry integration, if one is handling external logging, is not filtering out these events due to rate limiting or payload size constraints during the failover burst.
- BYOC trunk SIP logging settings
- Conversation event stream retention policies
- APAC region latency impacts on audit trails
- Multi-org OAuth permissions for audit logs
- Carrier SIP proxy configuration for failover
The audit gap is likely due to the sip_capture filter not being applied to the failover trunk group in the bulk export configuration. When the primary trunk times out, the platform routes the INVITE to the secondary, but the initial leg’s metadata often gets dropped if the export job isn’t explicitly configured to track cross-trunk handshakes.
    {
      "exportSettings": {
        "channelType": "voice",
        "includeSipTrace": true,
        "trunkFilter": {
          "group": "apac_failover_group",
          "captureMode": "all_legs"
        },
        "metadataFields": [
          "sip_sequence",
          "trunk_id",
          "failover_timestamp",
          "original_trunk_id"
        ]
      }
    }
This configuration ensures that even if the primary trunk returns a 408, the subsequent INVITE on the secondary trunk is tagged with the original call context. Without captureMode: "all_legs", the system often treats the failover as a new, unrelated session, breaking the chain of custody for legal review.
We encountered this exact issue in the eu-west-2 region during a recent discovery request. The audit trail was fragmented because the default export job only captured the final successful leg. By forcing the inclusion of the original_trunk_id and enabling full SIP trace capture, we could reconstruct the complete signaling path. This is critical for maintaining compliance when carriers are involved in the failover logic.
Note that this increases the storage footprint for the export job, so adjust the S3 bucket lifecycle rules accordingly. The latency between the 408 and the new INVITE is usually under 200ms, but the log ingestion might show a slight delay. Verify the failover_timestamp field matches the SIP trace to ensure the timeline is accurate for any legal hold requirements.
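The timeline check described above (failover_timestamp against the SIP trace, plus sip_sequence continuity across trunks), as an added example that is not part of the original posts or of any Genesys Cloud tooling. Only sip_sequence, trunk_id, failover_timestamp and original_trunk_id come from the metadataFields in the post; the flat record shape, the call_id, sip and ts fields, and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ts(value):  # ISO 8601 with trailing Z, as used in the constructed sample
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_failover(records, tolerance=timedelta(seconds=1)):
    """Return {call_id: [findings]} for calls with an incomplete failover trail."""
    calls, findings = defaultdict(list), defaultdict(list)
    for r in records:
        calls[r["call_id"]].append(r)
    for call_id, legs in calls.items():
        legs.sort(key=lambda r: r["sip_sequence"])
        seqs = [r["sip_sequence"] for r in legs]
        missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
        if missing:
            findings[call_id].append(f"sip_sequence gap: {missing}")
        for timeout in [r for r in legs if r["sip"] == "408"]:
            # Events after the 408 that point back at the trunk that timed out
            linked = [r for r in legs if r["sip_sequence"] > timeout["sip_sequence"]
                      and r["original_trunk_id"] == timeout["trunk_id"]]
            for needed in ("INVITE", "200"):
                if needed not in {r["sip"] for r in linked}:
                    findings[call_id].append(f"no {needed} linked to {timeout['trunk_id']}")
            for inv in [r for r in linked if r["sip"] == "INVITE"]:
                low, high = _ts(timeout["ts"]) - tolerance, _ts(inv["ts"]) + tolerance
                if not low <= _ts(inv["failover_timestamp"]) <= high:
                    findings[call_id].append("failover_timestamp outside 408..INVITE window")
    return dict(findings)

def rec(call_id, seq, sip, trunk, ts, orig=None, fo=None):
    return {"call_id": call_id, "sip_sequence": seq, "sip": sip, "trunk_id": trunk,
            "ts": "2024-01-10T02:00:" + ts, "original_trunk_id": orig,
            "failover_timestamp": fo and "2024-01-10T02:00:" + fo}

# Constructed export: c1 complete, c2 lost secondary INVITE/200, c3 has a bad timestamp.
SAMPLE = [
    rec("c1", 1, "INVITE", "primary", "00.000Z"), rec("c1", 2, "408", "primary", "05.000Z"),
    rec("c1", 3, "INVITE", "secondary", "05.150Z", "primary", "05.100Z"),
    rec("c1", 4, "200", "secondary", "05.900Z", "primary", "05.100Z"),
    rec("c2", 1, "INVITE", "primary", "10.000Z"), rec("c2", 2, "408", "primary", "15.000Z"),
    rec("c2", 5, "BYE", "secondary", "45.000Z", "primary", "15.100Z"),
    rec("c3", 1, "INVITE", "primary", "20.000Z"), rec("c3", 2, "408", "primary", "25.000Z"),
    rec("c3", 3, "INVITE", "secondary", "25.120Z", "primary", "29.000Z"),
    rec("c3", 4, "200", "secondary", "25.800Z", "primary", "29.000Z"),
]

if __name__ == "__main__":
    print(audit_failover(SAMPLE))
```

Calls that pass every check are omitted from the result, so an empty dict means each 408 has a linked INVITE and 200 on another trunk with a consistent failover_timestamp.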