Audit log
The Audit Log is Syntrum's system of record. Every action an agent takes, every decision a human makes, every rule a guardrail enforces, and every thing an agent learns is written here — immutably, and always. When you need to know what happened, when, and why, this is the page.
You reach it from the sidebar under Monitor → Audit Log. A live pulse next to the title shows new events streaming in.
The audit log is visible to everyone on the team, including Viewers — transparency is the point. It's read-only for all roles: no one edits or deletes events, which is what makes it trustworthy.
What's recorded#
Events fall into categories you can filter by:
| Category | What it captures |
|---|---|
| All Events | Everything, newest first |
| AI Actions | Actions agents took in your tools |
| Human Decisions | Approvals, rejections, edits, role changes, policy changes |
| Learning | New memories and skills an agent picked up |
| Security | Sign-ins, session changes, and other account-security events |
Each category tab shows a running count. The summary bar at the bottom tallies Successful, High Risk, and Learning Events in the current view, and tells you how many of the total you're showing, the retention window (how many days events are kept), and how far back decision/guardrail coverage goes.
Reading an event#
Every event is a card with, at a glance:
- An actor avatar — dark for an AI agent, light for a human, with a tool brand badge in the corner when the action touched a connected tool.
- A verb chip (e.g.
Executed after approval,Blocked,Approved,Learned) colour-coded by kind. - The action and its target (e.g. Send Message → #support).
- The actor and when it happened.
- A one-line reason where the system supplies one.
- On the right: an outcome chip (delivered, sent, rejected, blocked…) and a risk badge (Low / Medium / High / Critical).
Click any card to expand it. The details pane can include:
- Context Used — what the agent was working from.
- State Change — a before → after view for changes (e.g. a policy value flipping).
- Details / payload — the full data, shown as readable key/value rows with a Raw JSON toggle.
- Links to View agent and View approvals where relevant, plus the event's type and ID.
Provenance for guardrail decisions#
When an event is a guardrail hold, the expanded view names the rule that decided it — for example "Held by workspace policy", "Held by a tool pin", or "Held by agent policy", with the note "adjust in the agent's Permissions tab." This is the same provenance you see on an approval: it closes the loop between what happened and which rule caused it. See The three planes.
Grouping#
When the same event repeats back-to-back (an agent doing the identical thing several times in a row), the log collapses them into a single stacked card with a ×N count. Click Show all N to expand the group, and collapse to stack them again — so a burst of identical activity never buries everything else.
Finding events#
- Filter by category with the tabs at the top.
- Search actions, targets, and agent names in the search box (it debounces as you type).
- Load older events at the bottom to page further back through history.
New events tick in live via the workspace stream, with a brief green wash so you can see them arrive — except while you're searching or filtering, where the view stays as you queried it.
Exporting#
Click Export CSV to download the log for the covered date range. Use it for compliance archives, external analysis, or handing a record to someone outside the workspace.
What's next#
- Reports — the aggregate view of the same activity, summarized for a period.
- Approvals — the decisions that show up here as human events.
- Guardrails & sensitive actions — the rules whose decisions the log records.

