What is an Audit Log?


An audit log is the structured log output from PolicyLayer containing tool call details, matched policies, evaluation results, timestamps, and contextual metadata for every MCP tool call processed.

WHY IT MATTERS

While the audit trail is the conceptual record of agent activity, the audit log is the concrete implementation — the actual structured data that PolicyLayer writes for each tool call. The distinction matters because the log format, content, and destination directly affect what you can do with the data.

PolicyLayer's audit logs are structured JSON by default, making them machine-parseable and compatible with every major log aggregation platform. Each log entry is self-contained — you can understand a single entry without needing context from other entries. This is important for log systems that may process entries out of order or across different time windows.

The audit log differs from application logs in purpose and audience. Application logs help developers debug software. Audit logs help organisations prove governance, investigate incidents, and understand agent behaviour. They are designed to answer "who did what, when, and was it allowed?" — questions that come from security, compliance, and operations rather than engineering.


HOW POLICYLAYER USES THIS

PolicyLayer writes audit logs as structured JSON to stdout by default, following the twelve-factor app convention. Each entry includes: ISO 8601 timestamp, request ID, MCP server name, tool name, sanitised arguments, matched rule ID, evaluation result, conditions checked, and latency. The output can be directed to files, syslog, or piped to log aggregation agents. PolicyLayer supports configurable log levels — minimal (action and tool only), standard (full evaluation details), and verbose (including raw arguments and full rule matching trace).

FREQUENTLY ASKED QUESTIONS

What format are audit logs in?

Structured JSON by default, with one JSON object per line (JSONL format). This is compatible with every major log aggregation platform and can be parsed with standard tools like jq for local analysis.

How do audit logs differ from decision logs?

Audit logs capture every tool call with full context (arguments, server, timestamps). Decision logs are a specific subset focused on the policy evaluation — which rule matched, what conditions were checked, and why the action was chosen. Decision log entries are embedded within audit log entries.

Can I send audit logs to multiple destinations?

Yes. PolicyLayer outputs logs to stdout, which can be consumed by any log forwarding agent (Fluentd, Filebeat, Vector) and routed to multiple destinations. You can also configure file output for local retention alongside remote forwarding.
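As an added illustration of the entry layout described under "How PolicyLayer uses this" and in the FAQ above (this is example code, not PolicyLayer's own reader or its documented schema), here is a small Python consumer for a JSONL audit log. The sample lines and the key names it expects (timestamp, request_id, server, tool, arguments, a nested decision object with rule_id, result and conditions, and latency_ms) are constructed assumptions for this example. It shows two properties the page calls out: each line is self-contained, so a malformed line is recorded as a gap and skipped rather than aborting the run, and the decision-log fields sit embedded inside each audit entry.

```python
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Any

# Constructed sample audit log (JSONL). Key names are an assumption made for
# this example; line 4 is deliberately malformed to exercise gap handling.
SAMPLE_AUDIT_JSONL = """\
{"timestamp": "2024-05-01T10:00:00Z", "request_id": "req-001", "server": "github", "tool": "create_issue", "arguments": {"repo": "acme/app", "title": "Bug"}, "decision": {"rule_id": "allow-issues", "result": "allow", "conditions": ["identity.role == developer"]}, "latency_ms": 3}
{"timestamp": "2024-05-01T10:00:05Z", "request_id": "req-002", "server": "filesystem", "tool": "delete_file", "arguments": {"path": "/etc/passwd"}, "decision": {"rule_id": "deny-system-paths", "result": "deny", "conditions": ["path.startswith('/etc')"]}, "latency_ms": 2}
{"timestamp": "2024-05-01T10:00:09Z", "request_id": "req-003", "server": "github", "tool": "merge_pr", "arguments": {"repo": "acme/app", "pr": 42}, "decision": {"rule_id": "approve-merges", "result": "require_approval", "conditions": ["identity.role == developer"]}, "latency_ms": 5}
not json at all
{"timestamp": "2024-05-01T10:00:12Z", "request_id": "req-004", "server": "github", "tool": "create_issue", "decision": {"rule_id": "allow-issues", "result": "allow"}, "latency_ms": 4}
"""

# Fields without which an entry cannot answer "what, when, was it allowed?"
REQUIRED_KEYS = ("timestamp", "request_id", "tool", "decision")


@dataclass
class AuditEntry:
    timestamp: str
    request_id: str
    server: str
    tool: str
    result: str            # allow / deny / require_approval
    rule_id: str           # the embedded decision-log part of the entry
    conditions: list[str]
    latency_ms: int
    arguments: dict[str, Any] = field(default_factory=dict)


def parse_entry(raw: dict[str, Any]) -> AuditEntry:
    """Validate one decoded JSON object and lift it into an AuditEntry."""
    missing = [k for k in REQUIRED_KEYS if k not in raw]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    decision = raw["decision"]
    return AuditEntry(
        timestamp=raw["timestamp"],
        request_id=raw["request_id"],
        server=raw.get("server", "unknown"),
        tool=raw["tool"],
        result=decision["result"],
        rule_id=decision.get("rule_id", ""),
        conditions=list(decision.get("conditions", [])),
        latency_ms=int(raw.get("latency_ms", 0)),
        arguments=dict(raw.get("arguments", {})),   # optional at minimal log level
    )


def parse_audit_log(text: str) -> tuple[list[AuditEntry], list[tuple[int, str]]]:
    """Parse JSONL line by line.

    Because every line is self-contained, a bad line is recorded as a reject
    (line number, reason) and skipped; the rejects list tells an investigator
    exactly where the record has gaps instead of silently losing the run.
    """
    entries: list[AuditEntry] = []
    rejects: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_entry(json.loads(line)))
        except (ValueError, KeyError, TypeError) as exc:  # JSONDecodeError is a ValueError
            rejects.append((lineno, str(exc)))
    return entries, rejects


def summarize(entries: list[AuditEntry]) -> dict[str, Any]:
    """Roll-up an analyst would want first: outcomes, per-tool volume, worst latency."""
    return {
        "by_result": dict(Counter(e.result for e in entries)),
        "by_tool": dict(Counter(f"{e.server}/{e.tool}" for e in entries)),
        "max_latency_ms": max((e.latency_ms for e in entries), default=0),
    }


def not_allowed(entries: list[AuditEntry]) -> list[AuditEntry]:
    """Every call that policy did not plainly allow (denied or held for approval)."""
    return [e for e in entries if e.result != "allow"]


if __name__ == "__main__":
    parsed, gaps = parse_audit_log(SAMPLE_AUDIT_JSONL)
    print("summary:", summarize(parsed))
    for gap_line, reason in gaps:
        print(f"gap at line {gap_line}: {reason}")
    for e in not_allowed(parsed):
        print(f"{e.timestamp} {e.request_id} {e.server}/{e.tool} -> {e.result} (rule {e.rule_id})")
```

The same questions can be asked of a real file with jq (for example, filtering on the decision result) once you know the actual key names PolicyLayer emits; the point of the reader above is that the decision fields travel inside each entry, so no join against a separate decision log is needed.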
