Audit Logs¶
The Audit page provides a searchable, filterable view of all agent actions logged in your tenant. Audit logs form the compliance backbone of AegisAI — tamper-evident, exportable, and correlated with anomalies and policy decisions.
Audit Table¶
| Column | Description |
|---|---|
| Timestamp | When the action occurred (UTC) |
| Agent | Agent that performed the action |
| Action | Operation type (e.g., read_data, delete_record) |
| Resource | Target resource identifier |
| Risk Score | 0.0–1.0 if assessed |
| Approved | Whether the action was approved (HITL or policy) |
| Signature | HMAC signature (when signing enabled) |
Filtering¶
Filter audit logs by:
- Agent — select from registered agents
- Action — free-text action name
- Date range — start and end timestamps
- Risk threshold — minimum risk score
Filters are applied server-side via query parameters on GET /api/v1/audit.
Logging Actions¶
Agents log actions via the API or SDK:
curl -X POST http://localhost:8000/api/v1/audit/log \
-H "X-API-Key: <your-api-key>" \
-H "Content-Type: application/json" \
-d '{
"agent_id": "<uuid>",
"action": "query_database",
"resource": "customer_records",
"input": {"query": "SELECT name FROM customers LIMIT 10"},
"output": {"rows": 10},
"reasoning": ["User requested customer list", "Applied row limit"],
"risk_score": 0.2,
"is_approved": true
}'
SDK Observer Pattern¶
async with client.observe("read_data", "customer_pii") as obs:
obs.set_input({"fields": ["email", "name"]})
result = await fetch_customer_data()
obs.set_output({"records": len(result)})
# Automatically checks policy and logs audit entry
Audit Signing¶
When AUDIT_SIGNING_ENABLED=true, each log entry receives an HMAC-SHA256 signature for integrity verification. Signatures are displayed in the audit table and included in exports.
Export¶
Export audit logs for compliance archives or external SIEM integration.
Synchronous Export¶
# CSV
curl "http://localhost:8000/api/v1/audit/export/csv?limit=1000" \
-H "X-API-Key: <your-api-key>" \
-o audit_export.csv
# JSON
curl "http://localhost:8000/api/v1/audit/export/json?limit=1000" \
-H "X-API-Key: <your-api-key>" \
-o audit_export.json
Async Export (Large Datasets)¶
For exports exceeding synchronous limits:
# Start export job
curl -X POST "http://localhost:8000/api/v1/audit/export/async?limit=50000" \
-H "X-API-Key: <your-api-key>"
# Check status
curl "http://localhost:8000/api/v1/audit/export/status/<job_id>" \
-H "X-API-Key: <your-api-key>"
# Download result
curl "http://localhost:8000/api/v1/audit/export/download/<job_id>" \
-H "X-API-Key: <your-api-key>" \
-o audit_export.jsonl
| Status | Meaning |
|---|---|
pending |
Job queued |
processing |
Export in progress |
completed |
Ready for download |
failed |
Export failed (check error message) |
Permissions¶
| Role | Read | Export |
|---|---|---|
| Viewer | ✅ | ❌ |
| Developer | ✅ | ❌ |
| Security Analyst | ✅ | ✅ |
| Admin | ✅ | ✅ |
| Super Admin | ✅ | ✅ |
Retention¶
Audit logs are stored in PostgreSQL with no automatic purge by default. Configure retention policies at the infrastructure level (see Backup).
Related Documentation¶
- Anomalies — anomalies linked to audit events
- Policies — policy violations appear in audit context
- API Reference — full audit endpoints