Audit Logs
Comprehensive activity logging for security, compliance, and debugging.
What's Logged
Every significant action is recorded:
| Category | Examples |
|---|---|
| Authentication | Login, logout, MFA events, failed attempts |
| Authorization | Permission changes, role updates |
| Agents | Create, update, delete, execute |
| Conversations | Start, message, end, delete |
| Users | Invite, update, remove |
| Teams | Create, update, membership changes |
| Integrations | Connect, disconnect, tool execution |
| API Keys | Create, rotate, revoke |
| Settings | Configuration changes |
Audit Cockpit
The Audit Cockpit is a dedicated investigation interface that merges all agent activity -- LLM calls, tool executions, handoffs, tasks, approvals, and configuration changes -- into a single, real-time event stream. It is designed for security teams, compliance officers, and platform administrators who need to understand exactly what happened, when, and why.
The cockpit provides four viewing lenses. Timeline shows a chronological event stream grouped by agent execution blocks. Graph visualizes agent-to-agent interactions (handoffs and message exchanges) as a network diagram. Changes surfaces configuration modifications with before/after diffs. Human Activity isolates human-initiated actions like logins, approvals, and settings changes.
Built-in anomaly detection flags unusual patterns automatically -- frequency spikes (an agent making far more tool calls than normal) and novel tool usage (an agent calling a tool it has never used before). For compliance evidence, the cockpit can export a full audit report as a tamper-proof PDF with a SHA-256 content hash, suitable for regulatory submissions and internal audit reviews.
Inline Audit Trail
Every entity card in the dashboard (workspaces, teams, agents, workflows, schedules, tasks, conversations, webhooks, integrations, authorization resources, and more) includes a clock icon that opens the full audit trail for that resource in a right-side drawer.
This provides instant access to:
- Who created, modified, or deleted the resource (user, API key, SCIM, system, or agent)
- What changed -- with before/after diffs for configuration changes
- When each action occurred, with relative timestamps
The inline audit trail is gated by the audit:read permission (available to all roles including viewer).
Log Entry Structure
Each audit log entry captures:
| Field | Description |
|---|---|
| ID | Unique log identifier |
| Tenant ID | Which organization |
| User ID / User Name | Who performed the action |
| IP Address | Source IP |
| User Agent | Client information |
| Action | What was done (e.g., agent.create) |
| Severity | info, warning, or critical |
| Resource Type / ID | What was affected |
| Description | Human-readable summary |
| Metadata | Additional context |
| Timestamp | When it happened |
Action Types
Authentication Actions
| Action | Description |
|---|---|
| auth.login | User logged in |
| auth.logout | User logged out |
| auth.login_failed | Failed login attempt |
| auth.mfa_enabled | MFA was enabled |
| auth.mfa_verified | MFA code verified |
| auth.password_changed | Password was changed |
| auth.password_reset | Password reset requested |
| auth.session_revoked | Session was terminated |
Agent Actions
| Action | Description |
|---|---|
| agent.create | Agent created |
| agent.update | Agent configuration changed |
| agent.delete | Agent deleted |
| agent.chat | Chat message sent to agent |
| agent.tool_executed | Agent executed a tool |
User, Team, Integration, and API Key Actions
User actions (invite, join, update, role change, delete), team actions (create, update, delete, member changes), integration actions (connect, disconnect, tool execution, token refresh), and API key actions (create, rotate, revoke) are all captured with full attribution.
Severity Levels
| Level | Description | Examples |
|---|---|---|
| Info | Normal operations | Login, create agent |
| Warning | Potentially concerning | Failed login, permission denied |
| Critical | Security-relevant | User deleted, bulk operation |
SOX Compliance Features
Tamper-Proof Hash Chain
Every audit log entry includes a cryptographic hash that chains to the previous entry, creating an immutable, verifiable audit trail. You can verify hash chain integrity at any time to confirm no entries have been tampered with.
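How a hash chain makes edits and deletions detectable, as an added example (not MeetLoyd's implementation). The field names `hash` and `prev_hash`, the all-zero genesis value, and hashing canonical JSON with SHA-256 are assumptions; the page does not specify the entry format or algorithm.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry's prev_hash

def entry_hash(entry, prev_hash):
    """SHA-256 over the previous hash plus the entry's canonical JSON."""
    body = {k: v for k, v in entry.items() if k not in ("hash", "prev_hash")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append(chain, entry):
    """Link a new entry to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({**entry, "prev_hash": prev, "hash": entry_hash(entry, prev)})

def first_broken(chain):
    """Return the index of the first entry that fails, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev_hash"] != prev or e["hash"] != entry_hash(e, prev):
            return i
        prev = e["hash"]
    return None

def sample_chain():
    """Constructed sample entries; not real MeetLoyd log data."""
    chain = []
    for i, (user, action) in enumerate([
        ("u-1", "auth.login"), ("u-1", "agent.create"),
        ("u-2", "agent.update"), ("u-1", "agent.delete"),
    ]):
        append(chain, {"id": i, "user_id": user, "action": action})
    return chain

def rewrite_entry(chain, index, **changes):
    """Simulate an edit that also recomputes the edited entry's own hash."""
    e = {**chain[index], **changes}
    e["hash"] = entry_hash(e, e["prev_hash"])
    return chain[:index] + [e] + chain[index + 1:]
```

An entry edited with its own hash recomputed still breaks the link held by its successor, so `first_broken` reports the following index. Dropping entries from the tail passes this check, which is why the latest hash also needs to be recorded somewhere the log writer cannot change.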
Immutable Logs
Logs can be configured to become immutable after a specified time period (e.g., 24 hours). Once immutable, entries cannot be modified or deleted.
Segregation of Duties (SoD) Alerts
Detect when the same user performs conflicting actions that should require separate individuals (e.g., requesting and approving the same operation). MeetLoyd provides common SoD conflict presets:
- Same user requests and approves an action
- Same user creates and deletes an agent
- Same user invites and removes a team member
- Same user creates and revokes an API key
- Same user modifies settings and exports audit logs
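A sketch of how two of these presets can be evaluated over log entries, as an added example (not MeetLoyd's code). It assumes a conflict means the same user performed both actions on the same resource; the `api_key.*` action names and the `user_id`/`resource_id` keys are assumed, and the sample entries are constructed.

```python
from collections import defaultdict

# Two of the presets listed above. agent.* names come from the action table;
# the api_key.* names are assumed, since the page does not list them.
SOD_PRESETS = {
    "creates and deletes an agent": ("agent.create", "agent.delete"),
    "creates and revokes an API key": ("api_key.create", "api_key.revoke"),
}

# Constructed sample entries (not real log data), in timestamp order.
SAMPLE = [
    {"user_id": "u-1", "action": "agent.create", "resource_id": "ag-7"},
    {"user_id": "u-2", "action": "agent.create", "resource_id": "ag-8"},
    {"user_id": "u-1", "action": "agent.delete", "resource_id": "ag-7"},
    {"user_id": "u-3", "action": "agent.delete", "resource_id": "ag-8"},
    {"user_id": "u-2", "action": "api_key.create", "resource_id": "key-1"},
    {"user_id": "u-2", "action": "api_key.revoke", "resource_id": "key-1"},
    {"user_id": "u-2", "action": "api_key.revoke", "resource_id": "key-1"},
]

def find_sod_conflicts(entries, presets=SOD_PRESETS):
    """Return (preset, user_id, resource_id) once per conflicting pair."""
    seen = defaultdict(set)          # (user, resource) -> actions performed
    conflicts = []
    for e in entries:
        key = (e["user_id"], e["resource_id"])
        seen[key].add(e["action"])
        for name, pair in presets.items():
            hit = (name, *key)
            if set(pair) <= seen[key] and hit not in conflicts:
                conflicts.append(hit)
    return conflicts
```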
User Timezone Tracking
Each audit log entry captures the actor's timezone for accurate time-based compliance analysis.
Security Alerts
Configure alerts for suspicious activity. Alerts trigger when a specific action pattern occurs more than a threshold number of times within a time window.
Schedule-Based Alerts
For SOX compliance, alerts can be configured to trigger only during or outside specific hours. This is essential for monitoring after-hours access.
| Field | Description |
|---|---|
| Mode | Always (24/7), Include (only during hours), or Exclude (only outside hours) |
| Start/End | Time range in HH:MM format |
| Days of Week | Which days the window applies to (0=Sun through 6=Sat) |
| Use User Timezone | Evaluate in acting user's local timezone (recommended for SOX) |
| Timezone | IANA timezone fallback |
Set "Use User Timezone" to true. This ensures that "after-hours" is evaluated in each user's local timezone -- a NY user logging in at 8pm NY time triggers the alert, just as a Tokyo user logging in at 8pm Tokyo time would. For global organizations, this is more accurate than using a fixed timezone.
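The schedule fields above evaluated against the NY and Tokyo logins, as an added example (not MeetLoyd's code). The dictionary keys are assumed names for the table's fields; the example also assumes the day of week is taken from the event's local date and that, in Exclude mode, days not listed count as outside hours.

```python
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

def in_window(local, start, end, days):
    """True if a local datetime falls inside the schedule window."""
    dow = (local.weekday() + 1) % 7   # Python: 0=Mon; schedule: 0=Sun
    if dow not in days:
        return False
    t = local.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end       # window wraps past midnight

def schedule_matches(entry, schedule):
    """Decide whether an alert rule is active for this log entry."""
    if schedule["mode"] == "always":
        return True
    user_tz = entry.get("timezone") if schedule["use_user_timezone"] else None
    tz = ZoneInfo(user_tz or schedule["timezone"])   # IANA fallback
    local = entry["timestamp"].astimezone(tz)
    inside = in_window(local, time.fromisoformat(schedule["start"]),
                       time.fromisoformat(schedule["end"]), set(schedule["days"]))
    return inside if schedule["mode"] == "include" else not inside

# Constructed rule: fire outside 09:00-18:00, Monday to Friday.
AFTER_HOURS = {"mode": "exclude", "start": "09:00", "end": "18:00",
               "days": [1, 2, 3, 4, 5], "use_user_timezone": True,
               "timezone": "UTC"}
FIXED_UTC = {**AFTER_HOURS, "use_user_timezone": False}

# Constructed entries: both are 8pm local time on Wednesday 2024-03-06.
NY_LOGIN = {"action": "auth.login", "timezone": "America/New_York",
            "timestamp": datetime(2024, 3, 7, 1, 0, tzinfo=timezone.utc)}
TOKYO_LOGIN = {"action": "auth.login", "timezone": "Asia/Tokyo",
               "timestamp": datetime(2024, 3, 6, 11, 0, tzinfo=timezone.utc)}
```

With `FIXED_UTC`, the Tokyo login lands at 11:00 UTC and is treated as business hours, so the after-hours rule does not fire for it.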
SIEM Integration
Export logs to your security information and event management system. See SIEM Integration for details.
Supported Formats
| Format | Use Case |
|---|---|
| JSON | Default, universal |
| CEF (Common Event Format) | ArcSight, Splunk |
| LEEF (Log Event Extended Format) | IBM QRadar |
Supported Platforms
| Platform | Method |
|---|---|
| Splunk | Webhook/S3 |
| Datadog | Webhook |
| Elastic | Webhook |
| Azure Sentinel | Webhook |
| IBM QRadar | Webhook |
Separate Audit Database
For organizations with high audit log volume, MeetLoyd supports routing all audit operations to a dedicated PostgreSQL database. This prevents audit write load from impacting your primary application database. If the audit database connection fails at startup, MeetLoyd gracefully falls back to the primary database.
Retention
| Plan | Visible Retention | Stored Retention |
|---|---|---|
| Starter | 30 days | 90 days |
| Growth | 90 days | 180 days |
| Enterprise | Unlimited | Unlimited + SIEM |
- Regular reviews -- Schedule weekly reviews of warning and critical events
- Set up alerts -- Don't just log; alert on suspicious patterns like bulk data access or after-hours admin activity
- Integrate with SIEM -- For enterprise, send logs to your security team's existing tools
- Archive for compliance -- Keep critical logs for the duration required by your regulatory framework (7 years for SOX/HIPAA)