Audit log

What this page is for

The audit log is the system-of-record for “what happened?”. Every meaningful event — every tool call an agent made, every time a user signed in or changed a setting, every approval decision, every skill installation — is written to the log with enough detail to reconstruct the action later. Use it for:

• Compliance — proving that only authorised people touched certain data
• Debugging — understanding why something happened or didn’t happen
• Forensics — investigating a suspicious session or a cost spike
• Transparency — giving users visibility into what agents did on their behalf

Layout

The Audit Log page at /admin/audit is a searchable, filterable event stream. Each row shows:

• Timestamp — UTC by default, toggleable to local
• Actor — the user or agent that performed the action
• Action — a short verb (tool_call, user_signin, skill_installed, config_changed, project_created, etc.)
• Target — what the action affected (session id, project id, agent id, etc.)
• Summary — a short description with truncated arguments

Click any row to see the full event: the complete arguments, the result, the IP address (for user actions), and cross-references to related events.

Common tasks

Search the audit log

Use the search box at the top of the page. It runs across actor, action, target, and summary fields. Try queries like:

• skill_installed — every skill installation
• user_signin — every sign-in across every user
• project_deleted — every project deletion (usually rare, always worth checking)
• the name of a specific agent or user

Use quotes for phrase matching. Use the filter chips below the search box to narrow by time range, actor type, or action category.

Filter by time range

The time-range picker supports presets (last hour, last day, last week, last month, custom). Audit entries outside the range are hidden from the list but not deleted.

Filter by actor

Click the actor filter and pick a user or agent. The list narrows to events caused by that actor. Useful when you’re investigating “what did this user do?” or “what tool calls has this agent made today?”.

Export for compliance

Click Export in the page header. Pick the format:

• JSON — the full structured data, suitable for loading into another system
• CSV — flat tabular data, suitable for spreadsheets and basic analysis
• NDJSON — newline-delimited JSON, suitable for streaming into a log aggregator

Exports respect the current filters. If you’re looking at last month’s entries for a specific user, the export contains just those entries, not the whole log.

Subscribe to audit events

If you want audit events forwarded to an external system (SIEM, log aggregator, Slack channel, email), configure a webhook from Config → Audit export. Events stream out in real time as they’re written. This is a one-way fire-and-forget integration — Exolvra keeps its own copy regardless.

What gets logged

The audit log captures:

• User actions — sign-in, sign-out, password change, profile edit, role change, 2FA enable/disable
• Agent tool calls — every tool invocation, with truncated arguments and a truncated result (full details are in the tool traces, which are a separate view)
• Status changes — issue transitions, approval decisions, skill approvals
• Configuration changes — budget limit updates, provider key changes, cloud mode toggles, channel enable/disable
• Lifecycle events — user created, user deleted, project created, project deleted, agent created, agent deleted
• Security events — failed login attempts, forbidden requests, key revocations

It does not capture:

• Every internal API call the platform makes to itself (that’s noise, not audit material)
• User message content in chat sessions (those live in session history)
• Full tool results (audit keeps truncated versions; full payloads are in traces)
• Ephemeral data that doesn’t affect durable state

Retention

Audit log retention is configurable per tier:

• Free — 7 days rolling
• Pro — 30 days rolling
• Team — 90 days rolling
• Enterprise — configurable (up to unlimited) with optional cold storage

Old entries are dropped when the retention window moves forward. If you need compliance-grade retention beyond your tier, use the export flow to stream events to an external system you control.

Immutability

Audit entries are append-only. Nobody — not even Owner or Admin — can edit or delete individual entries. The only way to remove entries from the log is for the retention window to age them out.

This is intentional. An audit log you can edit is not an audit log. When the retention window drops old entries, they’re gone; they can’t be recovered. Export regularly if you need long-term records.

Common pitfalls

Treating the audit log as a debugging tool for agent output. The audit log records that an agent made a tool call, not what the result was in detail. For deep debugging of an agent’s reasoning and output, use the Traces view on a specific session.

Not exporting regularly in high-compliance environments. If your tier has 7-day retention but your compliance requirement is 7-year retention, the gap is on you — configure an export webhook or a scheduled export runbook and stream events out to a system that holds them long-term.

Confusing audit log entries with session transcripts. The audit log is flat event data. Session transcripts are conversational dialogue. They’re different views of the same underlying work; the audit log is for accountability, sessions are for user experience.

Where to go next

• Approvals — audit log captures approval decisions as events
• Users & teams — user lifecycle events are logged here
• Admin overview — the broader admin setup