Audit Trails

Every meaningful action on AgenFleet is recorded in an audit trail. This gives you visibility into what your agents did, when they did it, how much it cost, and who configured them — essential for operational oversight, compliance reporting, and incident investigation.

---

What’s logged

Agent activity

Every agent action is recorded:

Event	What’s captured
Session created	Timestamp, session ID, initiating user or job
Message sent	Timestamp, session ID, token count (not message content by default)
Tool called	Tool name, timestamp, success/failure, duration
Cron job executed	Job ID, run timestamp, tokens used, delivery status
Cron job delivery failed	Job ID, timestamp, failure reason

Configuration changes

All changes to agent configuration are logged:

Event	What’s captured
Agent created	Timestamp, creator, initial config snapshot
Agent config updated	Timestamp, actor, field changed, old value, new value
SOUL file updated	Timestamp, actor, file hash before/after
Cron job created/modified/deleted	Timestamp, actor, full job definition
Tool access changed	Timestamp, actor, tool name, granted/revoked
Budget limit changed	Timestamp, actor, old limit, new limit

Authentication and access

Event	What’s captured
User login	Timestamp, user ID, IP address, success/failure
User invited	Timestamp, inviting actor, invited email, role assigned
Role changed	Timestamp, actor, target user, old role, new role
User removed	Timestamp, actor, removed user

Note

By default, message content (the actual text of conversations) is not stored in the audit log — only metadata (token count, session ID, timestamp). Full message content is stored separately in session history. This distinction matters for compliance: the audit log tells you that a conversation happened; the session history tells you what was said.

---

Accessing the audit log

The activity audit log is available in two places:

Agent-level activity

Open any agent → Activity tab. This shows all activity for that specific agent, filterable by:

• Event type (session, cron, tool call, config change)
• Date range
• Status (success / failure)

Tenant-level audit log

Go to Settings → Audit Log for the full cross-agent audit trail for your workspace. Filterable by:

• Actor (specific user or “system” for automated events)
• Agent
• Event type
• Date range

The tenant-level log is only accessible to Owners and Admins.

---

Log integrity

Audit log records cannot be modified or deleted through the portal UI or the API. Each log entry includes:

• A monotonically increasing sequence ID
• Timestamp with microsecond precision
• The actor (user ID or “system”) responsible for the event

Note

Immutable log storage (hash-chained or write-once) is on the active engineering roadmap. For regulated industries that require cryptographic tamper-evidence today, we recommend streaming audit logs to your own SIEM or append-only storage using the Metrics API.

---

Exporting logs

Audit logs can be exported as CSV or JSON from Settings → Audit Log → Export.

Export options:

• Full log (all events, all agents)
• Filtered export (specific agent, date range, or event type)
• Max 90 days per export request

For automated log export (e.g., feeding into a SIEM), use the Metrics API which exposes the activity log as a queryable endpoint.

---

Retention policy

Log type	Retention
Activity log (agent events)	1 year
Configuration change log	2 years
Authentication log	1 year
Cron job run history	1 year
Session history (message content)	Until archived by user, then 90 days

After retention periods expire, records are permanently deleted and cannot be recovered.

Tip

If your compliance framework requires longer retention (e.g., 7 years for financial services), use the API to stream audit logs to your own long-term storage on a daily basis. This is the recommended pattern for regulated industries.

---

Using audit data for compliance

Common compliance use cases

Access review — export the authentication log quarterly and verify that only authorized personnel have accessed the system. Cross-reference against your HR system for terminated employees.

Change management — export the configuration change log for a period and verify all changes were authorized. The actor field shows who made each change.

Incident investigation — when investigating unexpected agent behavior, filter the activity log by agent and time window. You can trace every tool call, session creation, and configuration change during the incident window.

Data subject requests (GDPR) — use the session history and activity log to identify all data processed for a specific user or subject, and provide this as part of a subject access request.

Compliance documentation

AgenFleet can provide:

• Architecture diagrams showing data flows and isolation boundaries
• Completed security questionnaires (for Enterprise plans)
• Data processing agreement (DPA) for GDPR compliance
• Penetration test summaries (upon NDA)

Contact security@agenfleet.ai for compliance documentation requests.