Audit Log PRO

The Audit Log provides a tamper-proof record of every administrative action taken on your ClawHQ instance. With hash chain verification, SIEM integration, flexible export, and full-text search, the Audit Log meets the needs of compliance-driven organizations and security-conscious teams alike.

What Gets Logged

Every significant action on your instance is recorded as an audit log entry. Each entry captures the action type, the user who performed it, a timestamp, relevant metadata, and a cryptographic hash linking it to the previous entry.

Entries are organized into eight categories:

  • auth — Login attempts (successful and failed), session creation, password changes
  • vps — VPS start, stop, restart, configuration changes
  • agent — Agent deployment, undeployment, configuration updates
  • model — Model provider changes, model switching, API key configuration
  • api_key — API key creation, revocation, rate limit changes
  • account — Profile updates, email changes, plan upgrades
  • knowledge_base — Document uploads, deletions, reindexing, connector changes
  • webhook — Webhook creation, deletion, configuration changes, circuit breaker events

Hash Chain Verification

The Audit Log uses a cryptographic hash chain to make tampering detectable. Each log entry contains a SHA-256 hash computed from the entry's content combined with the hash of the previous entry. This creates an unbroken chain in which modifying or deleting any entry breaks the chain and is detectable as soon as the chain is verified.

The verification process works as follows:

  1. The first entry in the log is hashed with a known seed value
  2. Each subsequent entry computes its hash as: SHA-256(entry_data + previous_hash)
  3. To verify the chain, re-compute each hash sequentially and confirm it matches the stored hash
  4. If any hash does not match, the chain is broken at that point, indicating tampering

You can trigger a chain verification at any time from the Audit Log page. The verifier walks the entire chain and reports whether all hashes are valid or where a break was detected.

Why hash chains matter: Traditional logs can be edited or deleted without detection. A hash chain makes any modification mathematically provable. This is essential for compliance frameworks that require log integrity guarantees (SOC 2, HIPAA, GDPR audit trails).

SIEM Streaming

Stream your audit log entries in real time to external Security Information and Event Management (SIEM) platforms. ClawHQ supports four streaming destinations:

  • Datadog — Entries are shipped as structured logs to your Datadog Log Management instance. Configure with your Datadog API key and site URL. Entries include all metadata fields and are tagged with the source:clawhq tag for easy filtering.
  • Splunk — Entries are forwarded to your Splunk HTTP Event Collector (HEC) endpoint. Configure with your HEC token and endpoint URL. Events are sent in Splunk's native JSON format.
  • HTTP Endpoint — Send entries to any custom HTTP endpoint. Each entry is POSTed as a JSON payload. Use this for custom SIEM solutions, data lakes, or internal logging infrastructure.
  • AWS S3 — Batch audit log entries and ship them to an S3 bucket as JSON files. Configure with your bucket name, region, and access credentials. Files are organized by date for easy retrieval.

Multiple SIEM destinations can be active simultaneously. Each destination receives every audit log entry independently, so you can stream to both Datadog for real-time alerting and S3 for long-term archival.

Search and Filtering

The Audit Log includes full-text search with debounced input. Type a search query and results update as you type (with a short debounce delay to avoid excessive queries). Search matches against action descriptions, user emails, IP addresses, and metadata fields.

Filter by category using the category dropdown. Select one or more of the eight categories (auth, vps, agent, model, api_key, account, knowledge_base, webhook) to narrow the view to specific types of actions.

Results are paginated for performance. Navigate through pages to review historical entries, or combine search with category filters to find specific events quickly.

Export

Export your audit log data in two formats:

  • CSV — Spreadsheet-friendly format with one row per entry. Columns include timestamp, category, action, user, IP address, and metadata. Suitable for importing into Excel, Google Sheets, or business intelligence tools.
  • JSON — Machine-readable format preserving the full entry structure including nested metadata objects. Suitable for programmatic analysis, archival, or importing into other systems.

Both export formats support two modes:

  • Full export — Download the entire audit log history
  • Filtered export — Download only the entries matching your current search and category filters

Tip: For compliance audits, use the filtered export to generate focused reports. For example, export only "auth" category entries for the past quarter to produce a login activity report.

Retention Settings

Configure how long audit log entries are retained. The retention period is specified in days. Entries older than the retention period are automatically purged during the nightly cleanup cycle.

Before entries are purged, they can be exported or streamed to an external SIEM for long-term storage. This allows you to keep the in-dashboard audit log focused on recent activity while maintaining a complete archive externally.

If your compliance requirements mandate indefinite retention, set the retention period to the maximum allowed value and configure S3 streaming for permanent archival.

Audit Log Entry Structure

Each audit log entry contains the following fields:

{
  "id": "aud_abc123",
  "timestamp": "2026-03-16T14:30:00Z",
  "category": "agent",
  "action": "agent.deployed",
  "user_email": "admin@company.com",
  "ip_address": "203.0.113.42",
  "metadata": {
    "agent_name": "support-bot",
    "deployment_method": "dashboard"
  },
  "hash": "a1b2c3d4...",
  "previous_hash": "e5f6g7h8..."
}

The hash and previous_hash fields form the chain. The metadata object varies by action type and contains action-specific details.
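The four verification steps under Hash Chain Verification, applied to exported entries with the structure shown above. This is an added example, not ClawHQ's own code. The seed value and the serialization of entry_data (canonical JSON of every field except hash and previous_hash) are assumptions, because the page does not specify them, and the sample entries are constructed. It goes one step beyond the listed procedure by accepting an externally recorded final hash, since entries removed from the end of a log leave a shorter chain that still verifies.

```python
import hashlib
import json

SEED = "0" * 64  # assumption: stand-in for the instance's known seed value

def entry_hash(entry, previous_hash):
    # Step 2: SHA-256(entry_data + previous_hash). Assumption: entry_data is the
    # canonical JSON of every field except "hash" and "previous_hash".
    data = {k: v for k, v in entry.items() if k not in ("hash", "previous_hash")}
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((canonical + previous_hash).encode()).hexdigest()

def verify_chain(entries, seed=SEED, expected_head=None):
    """Return None if the chain is intact, else (index, reason) of the first break."""
    prev = seed
    for i, entry in enumerate(entries):
        if entry.get("previous_hash") != prev:
            return i, "previous_hash does not link to the preceding entry"
        if entry.get("hash") != entry_hash(entry, prev):
            return i, "stored hash does not match the recomputed hash"
        prev = entry["hash"]
    # Walking the chain cannot see entries missing from the end, so compare the
    # final hash with a copy recorded outside the instance when one is available.
    if expected_head is not None and prev != expected_head:
        return len(entries), "final hash differs from the externally recorded head"
    return None

def build_chain(records, seed=SEED):
    # Builds constructed sample data with the same hashing rule the verifier uses.
    chain, prev = [], seed
    for rec in records:
        entry = dict(rec, previous_hash=prev)
        entry["hash"] = prev = entry_hash(entry, prev)
        chain.append(entry)
    return chain

# Constructed entries; field names follow the entry structure documented above.
SAMPLE = build_chain([
    {"id": f"aud_{n:03d}", "timestamp": f"2026-03-16T14:3{n}:00Z",
     "category": "agent", "action": "agent.deployed",
     "user_email": "admin@company.com", "ip_address": "203.0.113.42",
     "metadata": {"agent_name": name, "deployment_method": "dashboard"}}
    for n, name in enumerate(["support-bot", "sales-bot", "ops-bot"], start=1)
])

if __name__ == "__main__":
    print(verify_chain(SAMPLE))                    # intact chain
    print(verify_chain(SAMPLE[:1] + SAMPLE[2:]))   # middle entry missing
```

A SIEM destination that receives every entry holds an independent copy of the latest hash, which is the value to pass as expected_head.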
