Audit log
The audit log is the system of record for everything that happens in a workspace. It is append-only, tamper-evident, and queryable. This guide covers what is recorded, how the log proves it has not been altered, and how to export it.
What is recorded
Every significant action becomes an audit event: agent tool calls, policy verdicts, approvals and rejections, run state transitions, member logins, role changes, and configuration edits. There is no sampling; the log is complete. If an action changed state, there is an event for it.
Anatomy of an event
An audit event is an immutable, structured record:
```json
{
  "id": "evt_8f3a21",
  "seq": 104821,
  "event": "tool.call",
  "actor": "agent_sre",
  "run_id": "run_a1b2c3d4",
  "payload": {
    "tool": "aws.ecs.updateService",
    "env": "production",
    "verdict": "allow"
  },
  "timestamp": "2026-05-21T09:04:12Z",
  "prev_hash": "b1946ac9...",
  "hash": "3a7bd3e2..."
}
```

| Field | Description |
|---|---|
| seq | Monotonic sequence number, gaps would indicate tampering. |
| event | Event type, e.g. tool.call, run.approved, member.login. |
| actor | The agent, member, or service account responsible. |
| prev_hash | Hash of the previous event, links the chain. |
| hash | Hash of this event including prev_hash. |

The hash chain
Each event includes a cryptographic hash of its own contents and the hash of the event before it. The events form a chain: altering or removing any event breaks every hash after it. Cendriix cannot silently rewrite history, and neither can anyone with database access. Verification recomputes the chain and reports the exact event where it diverges.
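An independent check over an NDJSON export, added here as an example and not Cendriix's own code. The page does not specify the hash algorithm or serialization, so SHA-256 over sorted-key JSON of every field except `hash` is an assumption, and the sample events are constructed.

```python
import hashlib
import json

def event_hash(event):
    """ASSUMED scheme: SHA-256 over canonical JSON of every field except 'hash'."""
    body = {k: v for k, v in event.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify_chain(ndjson_text):
    """Return (ok, n, reason): n is the event count if ok, else the seq of the first bad event."""
    prev, count = None, 0
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if prev is not None:
            # A missing or reordered event shows up as a gap in seq.
            if ev["seq"] != prev["seq"] + 1:
                return (False, ev["seq"], "sequence gap")
            # An event rewritten and re-hashed breaks its successor's link.
            if ev["prev_hash"] != prev["hash"]:
                return (False, ev["seq"], "prev_hash mismatch")
        # An event edited in place no longer matches its own stored hash.
        if ev["hash"] != event_hash(ev):
            return (False, ev["seq"], "hash mismatch")
        prev, count = ev, count + 1
    return (True, count, "chain intact")

def build_sample(n=4, start_seq=104821):
    """Constructed sample events, chained with the assumed scheme."""
    events, prev_hash = [], "0" * 64
    for i in range(n):
        ev = {"id": f"evt_sample{i}", "seq": start_seq + i, "event": "tool.call",
              "actor": "agent_sre", "payload": {"env": "production", "verdict": "allow"},
              "timestamp": f"2026-05-21T09:04:1{i}Z", "prev_hash": prev_hash}
        ev["hash"] = prev_hash = event_hash(ev)
        events.append(ev)
    return events

def to_ndjson(events):
    return "\n".join(json.dumps(e) for e in events)

if __name__ == "__main__":
    events = build_sample()
    print(verify_chain(to_ndjson(events)))
    events[1]["payload"]["verdict"] = "deny"  # edit one event in place
    print(verify_chain(to_ndjson(events)))
```

The first event of a partial export has no predecessor in the file, so only links inside the file are checked; comparing the last `hash` against a value recorded elsewhere is what catches truncation at the tail.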
```bash
# Verify the integrity of the hash chain
cendriix audit verify --since 2026-05-01
# => chain intact: 14,206 events, no breaks
```

Querying the log
Query the log from the dashboard, the CLI, or the API. Filter by time range, actor, event type, or run.
```bash
# Every production deploy approved by a person last month
cendriix audit query \
  --since 2026-04-01 --until 2026-04-30 \
  --event run.approved

# Everything a single service account did
cendriix audit query --actor ci-pipeline
```

Export & streaming
Audit events export to CSV, JSON, or NDJSON for offline analysis. For continuous compliance, stream events in real time to an external sink: an S3 bucket, a Splunk HTTP collector, or any SIEM that accepts NDJSON over HTTPS. The external copy is independent of Cendriix and survives even if a workspace is deleted.
```bash
# One-off export
cendriix audit export --format ndjson --output ./audit.ndjson

# Configure a continuous stream to S3
cendriix audit stream add \
  --sink s3 --bucket acme-compliance-logs --region us-east-1
```

Retention
Retention is configurable per workspace. The default is 90 days. Workspaces on the Enterprise plan with compliance mode enabled can extend retention up to seven years. Audit events are never editable and never deleted before their retention window elapses, regardless of role; not even an owner can remove an event early.