Audit Log
Immutable record of every action — who did what, when, and why. Exportable for audits, regulators, ethics committees, and court proceedings.
What’s logged
Everything that affects data or policy. The full list:
Authentication & sessions
- Login, logout, session creation, session revocation
- MFA challenges and outcomes
- SSO redirects and assertions
- API key creation, rotation, revocation
- Failed auth attempts (rate-limited)
Reads
- Document previews
- Search queries and their results
- Agent queries and responses
- API calls with their endpoints
Writes
- Document ingestion (with source provenance)
- Agent prompt changes (with before/after diff)
- Workflow changes (with before/after diff)
- Permission changes
- Dictionary and rule changes (for StellarGate)
Reviews & approvals
- Every HITL decision (approve / modify / reject) with reasoning
- Every comment with its author and timestamp
- Every workflow-gate approval
Admin actions
- User additions, role changes, deletions
- Group changes
- Integration configuration changes
- Billing actions
LLM interactions
- Every external LLM call — target provider, model, token counts, duration
- StellarGate anonymization mappings (resolution events, not the mappings themselves)
What’s not logged
For privacy reasons, some things are deliberately excluded:
- Raw content of documents (they’re already in the knowledge base — no duplication in audit log)
- PII values inside anonymization mappings (access to mappings is separately audited)
- Full prompt / completion bodies (configurable — off by default for privacy)
You can enable full-content logging per Base if your compliance framework requires it. Storage footprint increases significantly.
Log structure
Each audit event is a structured, machine-readable record — actor, action, target, outcome, timestamps, and the context needed to trace one request end-to-end. Records are easy to filter and export to any SIEM.
Immutability
Audit records are write-once. No edit, no delete — including by admins. Retention is configurable (default 7 years for paid plans), after which records are automatically purged. Before purge, you can export to long-term archive.
Storage
Audit records are stored separately from application data, in append-only storage with integrity checks. Write rate is guaranteed not to impact application latency — if the audit pipeline is backed up, it queues; application writes never block.
Search & filter
The admin UI lets you filter by:
- Actor (user, group, agent)
- Resource (Base, collection, document)
- Action type
- Time range
- Outcome (success / failure)
- Correlation ID (trace a single request through the system)
Export
Three options:
Manual (UI / API)
Filter, preview, download as CSV / JSON. For ad-hoc investigations.
Continuous (SIEM integration)
Stream events to Splunk, Elastic, Datadog, Sumo Logic, Azure Sentinel, AWS Security Hub. Events flow in near-real-time (typical delay < 5 seconds).
Scheduled export
Automated export on a schedule (daily / weekly / monthly) to an S3 bucket or SFTP server of your choice. Signed manifest included for integrity verification.
Compliance use cases
GDPR subject access request
Filter the audit log by actor = subject_id or by documents referencing the subject. Produces the “record of processing” required by Article 30.
SOC 2 / ISO 27001 audit
Auditor gets read-only access to the audit log filtered to the scope period. No access to underlying data — only the metadata.
Legal discovery
For litigation support, the correlation ID lets you reconstruct exactly how a specific decision was made — who accessed what, when, and in what order.
Internal investigation
Suspicious activity review. Filter by user, by unusual access patterns, by failed-authorization events.
Tamper evidence
Each append-only segment is cryptographically chained — altering a past record breaks the chain and is detectable on the next integrity check. Integrity checks run automatically daily and on-demand.
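As an added illustration of the record structure and the chaining described above (example code, not the product's own implementation): each record carries the fields listed under Log structure plus the hash of its predecessor, and a verifier walks the chain and reports the first record whose content or linkage no longer matches. The field names, the SHA-256 scheme and the sample events are assumptions constructed for this example.

```python
import hashlib
import json
from typing import Optional

# Constructed example of a hash-chained, append-only audit log. The field
# names follow the page's description; the chaining scheme is illustrative.

GENESIS = "0" * 64  # hypothetical anchor hash for the first record


def canonical(record: dict) -> bytes:
    # Stable serialization so the same record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, actor: str, action: str, target: str,
                  outcome: str, correlation_id: str, ts: str) -> dict:
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log), "ts": ts, "actor": actor, "action": action,
        "target": target, "outcome": outcome,
        "correlation_id": correlation_id, "prev_hash": prev_hash,
    }
    # Each record commits to its own content and to the previous record's hash,
    # so rewriting record N silently also invalidates record N+1's prev_hash.
    body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    log.append(body)
    return body


def verify_chain(log: list) -> Optional[int]:
    """Return the index of the first broken record, or None if the chain is intact."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != expected_prev or rec["seq"] != i:
            return i  # linkage or ordering broken
        body = {k: v for k, v in rec.items() if k != "hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != rec["hash"]:
            return i  # content changed after it was written
        expected_prev = rec["hash"]
    return None


def demo() -> tuple:
    log = []
    ts = "2024-01-01T00:00:00Z"  # constructed timestamp
    append_record(log, "alice@example.com", "session.create", "session/1", "success", "corr-1", ts)
    append_record(log, "alice@example.com", "permission.change", "base/hr", "success", "corr-2", ts)
    append_record(log, "bob@example.com", "hitl.approve", "workflow/42", "success", "corr-3", ts)
    intact = verify_chain(log)          # None: chain intact
    log[1]["outcome"] = "failure"       # simulate an after-the-fact edit of a past record
    return intact, verify_chain(log)    # 1: record 1 no longer matches its stored hash
```

Running `demo()` returns `(None, 1)`: the untouched chain verifies cleanly, and the edited record is reported by the next integrity check.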
