What is an Audit Log?

An audit log is the structured log record that Intercept emits for every MCP tool call it processes. Each record carries the tool call details, the policy rule that matched, the evaluation result, a timestamp, and contextual metadata.

WHY IT MATTERS

While the audit trail is the conceptual record of agent activity, the audit log is the concrete implementation — the actual structured data that Intercept writes for each tool call. The distinction matters because the log format, content, and destination directly affect what you can do with the data.

Intercept's audit logs are structured JSON by default, making them machine-parseable and compatible with every major log aggregation platform. Each log entry is self-contained — you can understand a single entry without needing context from other entries. This is important for log systems that may process entries out of order or across different time windows.

The audit log differs from application logs in purpose and audience. Application logs help developers debug software. Audit logs help organisations prove governance, investigate incidents, and understand agent behaviour. They are designed to answer "who did what, when, and was it allowed?" — questions that come from security, compliance, and operations rather than engineering.

HOW POLICYLAYER USES THIS

Intercept writes audit logs as structured JSON to stdout by default, following the twelve-factor app convention. Each entry includes: ISO 8601 timestamp, request ID, MCP server name, tool name, sanitised arguments, matched rule ID, evaluation result, conditions checked, and latency. The output can be redirected to files, sent to syslog, or piped to a log aggregation agent. Intercept supports configurable log levels: minimal (action and tool only), standard (full evaluation details), and verbose (raw arguments plus the full rule-matching trace). Because the verbose level records arguments before sanitisation, treat that output as potentially containing secrets or personal data and apply the same access controls and retention rules you would apply to the data the tool calls touch.

FREQUENTLY ASKED QUESTIONS

What format are audit logs in?
Structured JSON by default, with one JSON object per line (JSONL format). This is compatible with every major log aggregation platform and can be parsed with standard tools like jq for local analysis.
How do audit logs differ from decision logs?
Audit logs capture every tool call with full context (arguments, server, timestamps). Decision logs are a specific subset focused on the policy evaluation — which rule matched, what conditions were checked, and why the action was chosen. Decision log entries are embedded within audit log entries.
Can I send audit logs to multiple destinations?
Yes. Intercept outputs logs to stdout, which can be consumed by any log forwarding agent (Fluentd, Filebeat, Vector) and routed to multiple destinations. You can also configure file output for local retention alongside remote forwarding.
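The entry fields listed under HOW POLICYLAYER USES THIS and the jq-style local analysis mentioned in the FAQ, as an added example in Python; this is not code from Intercept or PolicyLayer. The JSON key names (timestamp, request_id, server, tool, arguments, rule_id, result, conditions, latency_ms) are assumptions, since the page lists the fields but not their exact keys, and the sample entries are constructed. The parser treats each JSONL line on its own, so a truncated line is skipped instead of breaking the rest, and decision_log() extracts the decision-log subset the FAQ describes.

```python
"""Parse Intercept-style JSONL audit logs and extract the embedded decision log.

Added example, not code from the Intercept project. The field names used
here (timestamp, request_id, server, tool, arguments, rule_id, result,
conditions, latency_ms) are assumptions: the page lists these fields
conceptually but does not give their JSON keys.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample input: three well-formed entries and one truncated line,
# as a log shipper might deliver if the process was cut off mid-write.
SAMPLE_LOG = "\n".join([
    json.dumps({"timestamp": "2025-01-15T10:00:00.120Z", "request_id": "req-001",
                "server": "filesystem", "tool": "read_file",
                "arguments": {"path": "/srv/app/config.yaml"},
                "rule_id": "allow-read-app", "result": "allow",
                "conditions": ["path_prefix"], "latency_ms": 1.8}),
    json.dumps({"timestamp": "2025-01-15T10:00:01.004Z", "request_id": "req-002",
                "server": "filesystem", "tool": "write_file",
                "arguments": {"path": "/etc/passwd", "content": "[REDACTED]"},
                "rule_id": "deny-system-write", "result": "deny",
                "conditions": ["path_prefix", "tool_name"], "latency_ms": 2.3}),
    json.dumps({"timestamp": "2025-01-15T10:00:02.550Z", "request_id": "req-003",
                "server": "github", "tool": "create_issue",
                "arguments": {"repo": "acme/app", "title": "Flaky test"},
                "rule_id": "allow-github-issues", "result": "allow",
                "conditions": ["tool_name"], "latency_ms": 0.9}),
    '{"timestamp": "2025-01-15T10:00:03.000Z", "request_id": "req-004"',  # truncated
])

REQUIRED_FIELDS = ("timestamp", "request_id", "server", "tool", "rule_id", "result")
DECISION_FIELDS = ("request_id", "rule_id", "result", "conditions")


def validate_entry(entry):
    """Self-contained check: required keys present and timestamp parses as ISO 8601."""
    if any(k not in entry for k in REQUIRED_FIELDS):
        return False
    try:
        datetime.fromisoformat(str(entry["timestamp"]).replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def parse_audit_log(text):
    """Return (entries, bad_lines). Each JSONL line is parsed independently,
    so a corrupt or truncated line never affects the entries around it."""
    entries, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if validate_entry(obj):
            entries.append(obj)
        else:
            bad += 1
    return entries, bad


def decision_log(entry):
    """The decision-log subset embedded in a full audit entry: which rule
    matched, which conditions were checked, and what the outcome was."""
    return {k: entry.get(k) for k in DECISION_FIELDS}


def who_did_what(entries):
    """One (when, which server, which tool, was it allowed) tuple per entry."""
    return [(e["timestamp"], e["server"], e["tool"], e["result"]) for e in entries]


def summarise(entries):
    """Counts per (server, tool, result), plus the rule behind every denial."""
    counts = Counter((e["server"], e["tool"], e["result"]) for e in entries)
    denials = [(e["request_id"], e["rule_id"]) for e in entries if e["result"] == "deny"]
    return counts, denials


def slow_calls(entries, threshold_ms):
    """Request IDs whose policy evaluation latency exceeded threshold_ms."""
    return [e["request_id"] for e in entries if e.get("latency_ms", 0) > threshold_ms]


if __name__ == "__main__":
    entries, bad = parse_audit_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} entries, skipped {bad} malformed line(s)")
    for row in who_did_what(entries):
        print("  ", *row)
    counts, denials = summarise(entries)
    print("denied:", denials)
    print("decision log for req-002:", decision_log(entries[1]))
    print("slow (>2 ms):", slow_calls(entries, 2.0))
```

Run it directly to see the summary; the same questions map onto jq one-liners over the raw file, for example selecting entries whose result is deny and printing the rule ID, once the real key names are known.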

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept