Audit Logging

February 15, 2026 · View on GitHub

Compliance-ready audit trails for Loki Mode operations.

Overview

Audit logging captures all significant events for compliance requirements (SOC2, HIPAA), security monitoring, debugging, and usage analytics. Audit logging is enabled by default as of v5.37.0.

Configuration

Enable/Disable Audit Logging

Audit logging is on by default. To disable:

export LOKI_AUDIT_DISABLED=true

The legacy variable LOKI_ENTERPRISE_AUDIT=true still works and will force audit logging on regardless of LOKI_AUDIT_DISABLED.

Configuration File

# .loki/config.yaml
enterprise:
  audit:
    enabled: true              # Audit logging enabled (default)
    level: info                # Minimum level: debug, info, warning, error
    retention_days: 90         # Days to keep logs
    max_file_size: 100         # MB per file before rotation
    compress: true             # Compress rotated files
    integrity_check: true      # Enable SHA-256 chain hashing (v5.38.0)
    syslog_enabled: false      # Forward to external syslog
    exclude_events:            # Events to exclude
      - api.request
    include_metadata:          # Additional metadata fields
      - environment
      - deployment_id

Environment Variables

Variable	Default	Description
`LOKI_AUDIT_DISABLED`	`false`	Set to `true` to disable audit logging
`LOKI_ENTERPRISE_AUDIT`	`false`	Force audit on (legacy, audit is now on by default)
`LOKI_AUDIT_LEVEL`	`info`	Minimum log level: debug, info, warning, error
`LOKI_AUDIT_RETENTION`	`90`	Retention period in days
`LOKI_AUDIT_SYSLOG_HOST`	-	Syslog server hostname for forwarding
`LOKI_AUDIT_SYSLOG_PORT`	`514`	Syslog server port
`LOKI_AUDIT_SYSLOG_PROTO`	`udp`	Syslog protocol: `udp` or `tcp`
`LOKI_AUDIT_NO_INTEGRITY`	`false`	Disable SHA-256 chain hashing

Logged Events

Session Events

Event	Description
`session.start`	Session started with PRD
`session.stop`	Session stopped (manual or automatic)
`session.pause`	Session paused
`session.resume`	Session resumed
`session.complete`	Session completed successfully
`session.fail`	Session failed with error

API Events

Event	Description
`api.request`	API request received
`api.response`	API response sent
`api.error`	API error occurred

Authentication Events

Event	Description
`auth.token.create`	Token created
`auth.token.use`	Token used for authentication
`auth.token.revoke`	Token revoked
`auth.fail`	Authentication failed
`auth.oidc.success`	OIDC authentication succeeded
`auth.oidc.fail`	OIDC authentication failed

Task Events

Event	Description
`task.create`	Task created in queue
`task.start`	Task started by agent
`task.complete`	Task completed successfully
`task.fail`	Task failed with error

Agent Events

Event	Description
`agent.spawn`	Agent spawned
`agent.action`	Agent performed action
`agent.complete`	Agent completed work
`agent.fail`	Agent encountered error

Log Format

JSONL Format

Audit logs use JSON Lines format (one JSON object per line):

{
  "timestamp": "2026-02-15T14:30:00.000Z",
  "event": "session.start",
  "level": "info",
  "actor": "user",
  "details": {
    "prd": "./prd.md",
    "provider": "claude",
    "parallel": false
  },
  "metadata": {
    "hostname": "dev-machine",
    "pid": 12345,
    "version": "5.42.2"
  }
}

Fields

Field	Type	Description
`timestamp`	ISO 8601	Event timestamp in UTC
`event`	string	Event type (e.g., `session.start`)
`level`	string	Log level: debug, info, warning, error
`actor`	string	Who performed the action (user, token:name, agent:type)
`resource`	string	Resource affected (optional)
`details`	object	Event-specific details
`metadata`	object	System metadata (hostname, PID, version)
`chain_hash`	string	SHA-256 chain hash for integrity (v5.38.0)

Log Location

# Audit log directory
~/.loki/dashboard/audit/

# Daily rotation
audit-2026-02-15.jsonl
audit-2026-02-14.jsonl
audit-2026-02-13.jsonl

# Compressed archives (after rotation)
audit-2026-02-12.jsonl.gz
audit-2026-02-11.jsonl.gz

CLI Commands

View Summary

loki enterprise audit summary

Output:

Audit Log Summary (Last 24 Hours)

Events by Type:
  session.start:    5
  session.complete: 4
  session.fail:     1
  api.request:     42
  auth.token.use:  15

Events by Level:
  info:    58
  warning:  3
  error:    1

Events by Actor:
  user:         10
  token:ci-bot: 35
  agent:dev:    13

Tail Recent Entries

# Last 20 entries
loki enterprise audit tail

# Follow new entries in real-time
loki enterprise audit tail --follow

# Filter by event type
loki enterprise audit tail --event session.start

# Filter by level
loki enterprise audit tail --level error

Search Logs

# Search by event
loki enterprise audit search --event auth.fail

# Search by date range
loki enterprise audit search --from 2026-02-01 --to 2026-02-15

# Search by actor
loki enterprise audit search --actor ci-bot

# Combined filters
loki enterprise audit search --event task.fail --from 2026-02-15 --level error

Export Logs

# Export to file
loki enterprise audit export --output audit-export.json

# Export with filters
loki enterprise audit export --from 2026-01-01 --level error --output errors.json

# Export as CSV
loki enterprise audit export --format csv --output audit.csv

API Endpoints

Get Audit Entries

# Recent entries
curl "http://localhost:57374/api/audit?limit=50"

# With filters
curl "http://localhost:57374/api/audit?event=session.start&limit=100"

# Date range
curl "http://localhost:57374/api/audit?start=2026-02-01&end=2026-02-15"

Query Parameters

Parameter	Type	Description
`start`	ISO date	Start timestamp
`end`	ISO date	End timestamp
`event`	string	Filter by event type
`level`	string	Filter by level (debug, info, warning, error)
`actor`	string	Filter by actor
`limit`	number	Max results (default: 100)
`offset`	number	Pagination offset

Get Summary

curl http://localhost:57374/api/audit/summary

Response:

{
  "period": "24h",
  "total_events": 62,
  "by_type": {
    "session.start": 5,
    "session.complete": 4,
    "api.request": 42
  },
  "by_level": {
    "info": 58,
    "warning": 3,
    "error": 1
  }
}

Log Integrity (v5.38.0)

Audit entries are chain-hashed with SHA-256 for tamper detection.

How It Works

Each audit entry includes a chain_hash field:

First entry hashes against a genesis hash (0 * 64)
Each subsequent entry hashes: SHA256(previous_hash + current_entry_json)
Any modification to a past entry invalidates all subsequent hashes

Verification

# Verify integrity via CLI
loki audit verify

# Python verification
from dashboard.audit import verify_log_integrity

result = verify_log_integrity("~/.loki/dashboard/audit/audit-2026-02-15.jsonl")
print(f"Valid: {result['valid']}")
print(f"Entries checked: {result['entries_checked']}")
if not result['valid']:
    print(f"First tampered line: {result['first_tampered_line']}")

Disabling Chain Hashing

export LOKI_AUDIT_NO_INTEGRITY=true

SIEM Integration (v5.38.0)

Syslog Forwarding

Forward audit events to external syslog servers for SIEM integration:

export LOKI_AUDIT_SYSLOG_HOST=syslog.example.com
export LOKI_AUDIT_SYSLOG_PORT=514
export LOKI_AUDIT_SYSLOG_PROTO=udp

Details:

Uses Python stdlib logging.handlers.SysLogHandler
Facility: LOG_LOCAL0
Security actions forwarded at WARNING level
Fire-and-forget: syslog failures do not block audit writes
Supports both UDP and TCP protocols

Splunk

# Configure Splunk Universal Forwarder
/opt/splunkforwarder/bin/splunk add monitor ~/.loki/dashboard/audit/ \
  -sourcetype loki:audit \
  -index security

# Or use HTTP Event Collector
curl -H "Authorization: Splunk YOUR-HEC-TOKEN" \
     -d "$(cat ~/.loki/dashboard/audit/audit-2026-02-15.jsonl)" \
     https://splunk.example.com:8088/services/collector/raw

Datadog

# datadog.yaml
logs:
  - type: file
    path: /home/user/.loki/dashboard/audit/*.jsonl
    source: loki-mode
    service: loki-mode
    tags:
      - env:production
      - team:devops

Elastic SIEM

# Filebeat configuration
cat > /etc/filebeat/inputs.d/loki-audit.yml <<EOF
- type: log
  enabled: true
  paths:
    - /home/user/.loki/dashboard/audit/*.jsonl
  json.keys_under_root: true
  fields:
    log_type: audit
    application: loki-mode
  tags: ["loki", "audit"]
EOF

# Restart Filebeat
systemctl restart filebeat

Agent Action Audit (v5.38.0)

In addition to dashboard audit logs, agent actions are tracked separately.

Location

.loki/logs/agent-audit.jsonl

Tracked Actions

Action	Description
`cli_invoke`	CLI command executed by agent
`git_commit`	Git commit performed by agent
`file_write`	File write operation
`file_delete`	File delete operation
`session_start`	Agent session started
`session_stop`	Agent session stopped

Entry Format

{
  "timestamp": "2026-02-15T14:30:00Z",
  "action": "git_commit",
  "agent": "development",
  "branch": "loki/session-20260215-143022-12345",
  "details": {
    "message": "Add authentication module",
    "files_changed": 3,
    "insertions": 150,
    "deletions": 20
  }
}

CLI Commands

# View recent agent actions
loki audit log

# Count total agent actions
loki audit count

# Filter by action type
loki audit log --action git_commit

# Show help
loki audit help

Compliance

SOC2

Audit logging supports SOC2 requirements:

CC6.1 - Logical access security (auth events)
CC7.2 - System monitoring (session and task events)
CC7.3 - Incident response (error events)

Configuration:

enterprise:
  audit:
    enabled: true
    retention_days: 365  # 1 year minimum for SOC2
    integrity_check: true
    syslog_enabled: true

HIPAA

For healthcare applications:

Enable all authentication events
Set retention to minimum 6 years
Enable log encryption
Forward to SIEM for monitoring

Configuration:

enterprise:
  audit:
    enabled: true
    retention_days: 2190  # 6 years
    encrypt: true
    integrity_check: true
    syslog_enabled: true

For European deployments:

Log access to personal data
Provide data export capability
Support right to deletion
Enable audit trail for data access

Configuration:

enterprise:
  audit:
    enabled: true
    retention_days: 365
    gdpr_compliance: true
    log_data_access: true

Troubleshooting

Logs Not Being Created

# Check if audit logging is enabled
loki enterprise status

# Verify directory exists and is writable
ls -la ~/.loki/dashboard/audit/
mkdir -p ~/.loki/dashboard/audit/
chmod 700 ~/.loki/dashboard/audit/

# Check disk space
df -h ~/.loki/

# Test log write
echo '{"test": "entry"}' >> ~/.loki/dashboard/audit/test.jsonl

Missing Events

# Check minimum level configuration
loki enterprise audit summary

# Lower level to capture more events
export LOKI_AUDIT_LEVEL=debug

# Check exclude_events in config
cat .loki/config.yaml | grep -A 5 exclude_events

Disk Space Issues

# Check current usage
du -sh ~/.loki/dashboard/audit/

# Find large log files
find ~/.loki/dashboard/audit/ -type f -size +100M

# Manually clean old logs
find ~/.loki/dashboard/audit/ -name "*.jsonl" -mtime +30 -delete

# Enable compression
export LOKI_AUDIT_COMPRESS=true

Syslog Not Forwarding

# Test syslog connectivity
nc -zv syslog.example.com 514

# Check syslog configuration
echo $LOKI_AUDIT_SYSLOG_HOST
echo $LOKI_AUDIT_SYSLOG_PORT

# View syslog errors in audit log
loki enterprise audit tail --event syslog.error

# Test manual syslog send
logger -n syslog.example.com -P 514 "Test from Loki Mode"

Best Practices

Security

Enable audit logging in production (enabled by default)
Set appropriate retention period for compliance
Enable integrity checking (SHA-256 chain hashing)
Forward logs to external SIEM
Restrict access to audit logs (file permissions 600)
Encrypt audit logs at rest
Monitor for suspicious patterns

Performance

Use async logging to avoid blocking
Rotate logs daily
Compress rotated logs
Set reasonable retention period
Exclude high-volume low-value events (e.g., api.request)

Compliance

Document audit logging configuration
Test log integrity verification regularly
Perform quarterly audit log reviews
Export logs for long-term archival
Integrate with compliance monitoring tools