
Audit log

Last updated 2026-05-21 · 8 min read

The audit log is the system of record for everything that happens in a workspace. It is append-only, tamper-evident, and queryable. This guide covers what is recorded, how the log proves it has not been altered, and how to export it.

What is recorded

Every significant action becomes an audit event: agent tool calls, policy verdicts, approvals and rejections, run state transitions, member logins, role changes, and configuration edits. There is no sampling; the log is complete. If an action changed state, there is an event for it.

Anatomy of an event

An audit event is an immutable, structured record:

json
{
  "id":        "evt_8f3a21",
  "seq":       104821,
  "event":     "tool.call",
  "actor":     "agent_sre",
  "run_id":    "run_a1b2c3d4",
  "payload": {
    "tool":   "aws.ecs.updateService",
    "env":    "production",
    "verdict": "allow"
  },
  "timestamp":  "2026-05-21T09:04:12Z",
  "prev_hash":  "b1946ac9...",
  "hash":       "3a7bd3e2..."
}

| Field | Description |
| --- | --- |
| seq | Monotonic sequence number; gaps would indicate tampering. |
| event | Event type, e.g. tool.call, run.approved, member.login. |
| actor | The agent, member, or service account responsible. |
| prev_hash | Hash of the previous event; links the chain. |
| hash | Hash of this event, including prev_hash. |

The hash chain

Each event includes a cryptographic hash of its own contents and the hash of the event before it. The events form a chain: altering or removing any event breaks every hash after it. Cendriix cannot silently rewrite history, and neither can anyone with database access: verification recomputes the chain and reports the exact event where it diverges.

bash
# Verify the integrity of the hash chain
cendriix audit verify --since 2026-05-01

# => chain intact: 14,206 events, no breaks

Tamper-evident, not tamper-proof: the hash chain proves whether the log was altered. It does not prevent alteration; it guarantees you can detect it. Pair it with export streaming to an external sink for an independent copy.
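The chain walk described above can also be run offline against an NDJSON export. The following is an added example, not Cendriix code: the page does not state the hash algorithm or how an event is serialized before hashing, so SHA-256 over sorted-key compact JSON of every field except hash is an assumption, as are the function names and the constructed sample events.

```python
import hashlib
import json

def event_hash(event):
    """ASSUMED scheme: SHA-256 of sorted-key compact JSON, 'hash' field excluded."""
    body = {k: v for k, v in event.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify_chain(ndjson_text, trusted_head=None):
    """Walk an NDJSON export; return (ok, events_verified, first_problem)."""
    prev_hash = prev_seq = None  # an export may start mid-chain
    count = 0
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if prev_seq is not None and ev["seq"] != prev_seq + 1:
            return False, count, (ev["seq"], "sequence gap")
        if prev_hash is not None and ev["prev_hash"] != prev_hash:
            return False, count, (ev["seq"], "prev_hash mismatch")
        if event_hash(ev) != ev["hash"]:
            return False, count, (ev["seq"], "hash mismatch")
        prev_hash, prev_seq, count = ev["hash"], ev["seq"], count + 1
    # Removing the newest events leaves a valid shorter chain; only a head
    # hash kept somewhere else (e.g. the external sink) exposes that.
    if trusted_head is not None and prev_hash != trusted_head:
        return False, count, (prev_seq, "head differs from trusted copy")
    return True, count, None

def make_sample(n=4):
    """Constructed events chained under the assumed scheme (not real log data)."""
    events, prev = [], "0" * 64
    for i in range(n):
        ev = {"id": f"evt_{i:06d}", "seq": 100 + i, "event": "tool.call",
              "actor": "agent_sre", "payload": {"verdict": "allow"},
              "timestamp": f"2026-05-21T09:04:{i:02d}Z", "prev_hash": prev}
        ev["hash"] = prev = event_hash(ev)
        events.append(ev)
    return events

def to_ndjson(events):
    return "\n".join(json.dumps(e) for e in events)

if __name__ == "__main__":
    events = make_sample()
    print(verify_chain(to_ndjson(events)))     # untouched export verifies
    events[1]["payload"]["verdict"] = "deny"    # edit one event in place
    print(verify_chain(to_ndjson(events)))     # hash mismatch at seq 101
```

Passing trusted_head, the last hash recorded in an independently held copy such as the streamed export, catches removal of the newest events, which a chain walk alone cannot see.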

Querying the log

Query the log from the dashboard, the CLI, or the API. Filter by time range, actor, event type, or run.

bash
# Every production deploy approved by a person last month
cendriix audit query \
  --since 2026-04-01 --until 2026-04-30 \
  --event run.approved

# Everything a single service account did
cendriix audit query --actor ci-pipeline

Export & streaming

Audit events export to CSV, JSON, or NDJSON for offline analysis. For continuous compliance, stream events in real time to an external sink: an S3 bucket, a Splunk HTTP collector, or any SIEM that accepts NDJSON over HTTPS. The external copy is independent of Cendriix and survives even if a workspace is deleted.

bash
# One-off export
cendriix audit export --format ndjson --output ./audit.ndjson

# Configure a continuous stream to S3
cendriix audit stream add \
  --sink s3 --bucket acme-compliance-logs --region us-east-1

Retention

Retention is configurable per workspace. The default is 90 days. Workspaces on the Enterprise plan with compliance mode enabled can extend retention up to seven years. Audit events are never editable and never deleted before their retention window elapses, regardless of role: not even an owner can remove an event early.
