The Audit log is the canonical record of everything Rubric records: every evaluate() call your fleet has made plus every operator action that touched governed state (policy scope edits, manual incident opens, agent freezes). One unified ledger, one hash chain, one place to answer “what happened in this org?” with cryptographic certainty.

Tool calls vs config events

Every row is either a tool call (an evaluate() from the SDK) or a config event (an operator action like editing scope, opening an incident, or freezing an agent). They’re rendered differently:
| Family | Origin | Decision pill | Click row |
| --- | --- | --- | --- |
| Tool call | SDK evaluate() | allow or the deny code | Opens the trace drawer. |
| Config event | Operator action in the dashboard | config (orange) | No drawer — config events have no trace. |
All rows are written to the same tamper-evident chain, so any tampering with a config row is as detectable as tampering with a decision row. The chain-integrity card on this page covers both kinds.
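
As an added illustration (not Rubric's own code or storage format), here is a minimal hash chain over mixed tool-call and config rows, showing that an edit to either family is located by its seq. The row fields, the SHA-256 construction and the genesis value are assumptions made for the example; the sample rows are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain


def row_hash(prev_hash, row):
    """Hash a row together with the previous link's hash (assumed scheme)."""
    # Canonical JSON so the same row always serializes to the same bytes.
    body = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(chain, row):
    """Append a tool-call or config row; both families share one chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = dict(row, seq=len(chain) + 1)
    chain.append({"row": entry, "prev": prev, "hash": row_hash(prev, entry)})


def verify(chain):
    """Return None if the chain is intact, else the seq position that fails."""
    prev = GENESIS
    for pos, link in enumerate(chain, start=1):
        row = link["row"]
        if row.get("seq") != pos:               # row deleted or reordered
            return pos
        if link["prev"] != prev:                # earlier link was rewritten
            return pos
        if row_hash(prev, row) != link["hash"]:  # row content was edited
            return pos
        prev = link["hash"]
    return None


def build_sample():
    """Constructed sample: two tool calls around one config event."""
    chain = []
    append(chain, {"family": "tool_call", "agentId": "agent-a",
                   "toolName": "send_email", "decision": "allow"})
    append(chain, {"family": "config", "agentId": "agent-a",
                   "action": "Added agent to policy scope", "decision": "config"})
    append(chain, {"family": "tool_call", "agentId": "agent-a",
                   "toolName": "delete_file", "decision": "deny"})
    return chain
```

A check like this only proves the rows are consistent with the final hash, so the head hash it is compared against has to be held somewhere the writer of the row store cannot also rewrite.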

The list

Columns:
  • #seq — the row’s position in the tamper-evident chain.
  • Time — when the event happened (your local timezone).
  • Agent — the agent’s stable id. For config rows, this is the agent the operator acted on.
  • Tool / Action — the tool name for tool-call rows, or a human-readable action label for config rows (e.g. “Added agent to policy scope”).
  • Decision — allow (green), the deny code (red), or config (orange) for non-decision rows.
  • Latency — for tool calls only; config rows show .
  • Session — first 8 chars of the session id for tool calls; for config rows.
  • 📄 — orange file icon if a trace is attached (tool calls only).

Filters

  • Decision tabs — All, Allow, Deny. Click to filter.
  • Search — case-insensitive substring match across toolName, sessionId, and agentId. Press Enter or blur to apply. Click clear to reset.

Pagination

Cursor-based on (timestamp desc, id desc) so concurrent ingest doesn’t skip rows. Click Load more for the next page. The current page size is 50.

Click a row → trace drawer

Click any row to open the trace drawer on the right. You’ll see:
  • The full transcript — user messages, assistant replies, tool calls and results, in order.
  • The current call highlighted — the message that this audit row was emitted for is marked.
  • DLP highlights inline — secret/PII matches are flagged in the message body.
If the row has no trace (the icon column is empty), the drawer shows a friendly empty state explaining how to attach traces by passing a TraceContext to evaluate().

Performance

Filtering by time, tool name, decision, or any combination is fast even at millions of rows. If you have a filter combination that feels slow (e.g., by sessionId or by policyId), file an issue and we’ll tune the index.

Export

The export button (top-right) is a placeholder in the current build. CSV export is coming soon — for now, use the in-page filters and copy.