Audit Log
Immutable, append-only records of every significant action — tool calls, approvals, policy evaluations, and auth events. Structured JSON, indexed in OpenSearch.
Event structure
{
"id": "evt_a1b2c3d4",
"timestamp": "2026-05-24T14:30:00.000Z",
"runId": "run_x1y2z3",
"actor": { "type": "agent", "id": "agent_dev" },
"action": "tool_call",
"resource": { "type": "mcp_tool", "name": "github.pulls.create" },
"result": "success",
"cost": { "tokens": 1250, "usd": 0.0037 }
}Event types
| Type | Description |
|---|---|
run.created | New run triggered |
run.completed / run.failed | Run finished |
tool_call | Agent invoked an MCP tool |
approval.requested / .granted / .rejected | Approval gate activity |
policy.evaluated / policy.blocked | Guardrail evaluation |
auth.login | User authenticated |
Querying
# CLI
cendriix audit --run run_a1b2c3d4 --from 7d --format json
# API
curl "https://api.cendriix.ai/v1/audit/logs?from=2026-05-01T00:00:00Z" \
-H "Authorization: Bearer <jwt>"Retention
| Plan | Default | Max |
|---|---|---|
| Starter | 30 days | 90 days |
| Growth | 90 days | 1 year |
| Enterprise | 1 year | 7 years |
Export to S3, Splunk, or any SIEM via the API.
See also: CLI: cendriix audit, API: GET /audit/logs, RBAC & SSO
Last updated on