Audit log

Shipping in stages. What's live today: every Monroe run posts a 2-line receipt in the channel where it ran (see run receipts), and the raw events sit on the workspace usage_events ledger. The dedicated in-dashboard browser, retention controls, and S3 / Splunk / syslog exports described below are on the public roadmap for the next release. Enterprise customers can request a one-off CSV export today by emailing enterprise@getmonroe.com.

The audit log is the system of record for every action Monroe takes in your workspace. Workspace admins can browse, search, and (on Enterprise) export.

What's logged

For every Monroe run:

• When — UTC timestamp, also workspace-local
• Who — Slack/Teams user that triggered the run
• Where — channel or DM
• What — the user's request (verbatim)
• How — every tool Monroe called, with arguments and the response (truncated to 4KB; full payload available on Enterprise)
• Approvals — who approved (or denied) every gated action
• Credits — total credits consumed + per-tool breakdown
• Outcome — completed / approval denied / error / over-budget

The log is append-only. You cannot edit history. Workspace admins can delete entries older than 30 days; Enterprise can hold up to 7 years.

In-dashboard browser

Dashboard → Audit log. Filter by:

• Date range
• User (who triggered)
• Tool (which integration was called)
• Approval status (all / approved / denied / pending)
• Cost (>X credits)

Click a run to see the full timeline: every step Monroe took, the model used, the tools called, the approval decisions.

Exports (Enterprise only)

Three sink targets:

• S3 — JSON.gz files dropped to a customer-owned bucket, hourly batched
• Splunk — HEC endpoint, streamed
• Syslog — RFC 5424, streamed

Configure in Settings → Audit → Export.

Retention

|---|---|

When audit log entries are deleted (retention expiry or admin action), they're cryptographically erased — not just soft-deleted.

Next: data residency.