Skip to main content
MagOneAI maintains comprehensive audit trails for every significant action in the platform. From agent executions to tool calls to configuration changes, every event is logged with user, timestamp, and context. This creates a complete record for security investigations, compliance audits, and operational troubleshooting.

What gets logged

MagOneAI captures audit events across multiple categories, ensuring complete visibility into platform activity.

Agent executions

Every time an agent runs, the platform logs:
  • Execution metadata — Agent ID, version, executing user, workflow ID (if applicable), timestamp
  • Input and output — User input to the agent, agent’s final response
  • Model usage — Provider, model name, tokens consumed (prompt and completion), cost
  • Duration — Total execution time, time spent in LLM calls vs. tool calls
  • Outcome — Success, failure, or timeout status
This creates a complete record of what every agent did, who invoked it, and what resources it consumed.

Tool calls

When an agent uses a tool via MCP, the platform logs:
  • Tool metadata — Tool name, MCP server, version
  • Parameters — Input parameters passed to the tool (sanitized to remove credentials)
  • Outcome — Tool response or error message
  • User context — Which user’s credentials were used (for OAuth-based tools)
  • Duration — Time spent in the tool call
Tool call logs are essential for debugging agent behavior and understanding what external systems the agent interacted with.
Tool call logs are sanitized to remove credentials and sensitive data. However, they do include parameter values, which may contain business data. Apply appropriate access controls to audit logs.

Data access

Whenever an agent or workflow accesses data, the platform logs:
  • Knowledge base queries — Which knowledge base, query text, results returned, user
  • Database queries — Database connection, query (sanitized), rows affected, user
  • File access — File path, operation (read/write), user, timestamp
  • External API calls — API endpoint, HTTP method, status code (credentials removed)
This creates an audit trail for data governance and compliance — you can track exactly which data was accessed by which user and agent.

Authentication events

All authentication and authorization activities are logged:
  • Successful logins — User, authentication method (SSO, username/password, API key), source IP, timestamp
  • Failed login attempts — Username, authentication method, source IP, failure reason, timestamp
  • Logouts — User, session duration, timestamp
  • Token refreshes — OAuth token refreshes, user, provider (Google, Microsoft, etc.)
  • API key usage — Every API request with key ID, endpoint, user, timestamp
Authentication logs are critical for security monitoring — repeated failed logins may indicate brute force attacks, and unusual token refresh patterns may indicate compromised credentials.

Configuration changes

All changes to platform configuration are logged:
  • Role changes — User granted or revoked from a role, by whom, timestamp
  • Provider updates — Provider added, modified, or deleted, which fields changed, by whom
  • Project modifications — Project created, settings changed, deleted, by whom
  • Agent and workflow changes — Version control for agent and workflow definitions, who made each change
  • Policy changes — Organization policies, quotas, or settings modified, by whom
This creates an audit trail for change management and compliance. You can answer questions like “Who gave this user Org Owner access?” or “When was this provider’s API key last updated?”

Workflow executions

MagOneAI workflows are built on Temporal, which provides detailed execution history:
  • Workflow metadata — Workflow ID, definition version, triggering user or API key, timestamp
  • Activity executions — Each activity (agent, tool, human task) with input, output, duration, status
  • Retry history — Failed activities with retry attempts, backoff intervals, eventual outcome
  • Human task events — Task assigned, completed, or escalated, assignee, completion time
  • Workflow outcome — Success, failure, timeout, or cancellation
Temporal’s event history is immutable and can be replayed for debugging or analysis.

Viewing audit trails

MagOneAI provides multiple interfaces for viewing audit logs, scoped to the user’s role and permissions.

Admin Portal — Platform-wide logs

Who has access: SuperAdmins only What you can see:
  • All organizations, users, and authentication events
  • Platform-level provider configurations and changes
  • Cross-organization metrics and usage trends
  • Security events like failed logins and unauthorized access attempts
How to access:
  1. Log into the Admin Portal
  2. Navigate to “Audit Logs” in the sidebar
  3. Filter by event type, date range, user, or organization
Use the Admin Portal for security investigations that span multiple organizations or for platform-wide compliance reporting.

Studio — Project-level logs

Who has access: Org Owners (all projects in their org), Project Owners and Project Members (projects they’re assigned to) What you can see:
  • Agent and workflow executions within the project
  • Tool calls made by agents in the project
  • Knowledge base queries and data access
  • Project configuration changes and role assignments
How to access:
  1. Log into Studio
  2. Select the project from the sidebar
  3. Navigate to “Execution History” or “Audit Logs” in the project menu
  4. Filter by agent, workflow, date range, or user
Use Studio logs for debugging agent behavior, understanding workflow executions, and reviewing project-level changes. All audit log interfaces support filtering and search:
  • By user — See all actions by a specific user (useful for offboarding reviews)
  • By event type — Filter to only agent executions, or only configuration changes
  • By date range — Narrow down to a specific time window (e.g., “last 7 days”)
  • By resource — See all events related to a specific agent, workflow, or tool
  • By outcome — Filter to only failures or errors
Search is indexed for fast queries across millions of log entries.

Exporting logs

Export audit logs for compliance reporting or integration with external systems:
1

Apply filters

Use the audit log UI to filter to the events you need (e.g., “All authentication events in December 2025”).
2

Click Export

Click the “Export” button and choose a format (CSV, JSON, or JSON Lines).
3

Download the file

The export is generated asynchronously and made available for download. Large exports may take a few minutes.
4

Import to your analysis tool

Use the exported data in spreadsheets, BI tools, or SIEM systems for analysis and reporting.
Exports include all fields from the audit log entries, including IDs, timestamps, users, and event-specific data.

Execution monitoring

For real-time visibility into running workflows and agents, MagOneAI provides execution monitoring dashboards.

Real-time dashboard

The execution dashboard shows:
  • Active workflows — Currently running workflows with status (running, waiting, failing)
  • Activity-level status — Which activity is currently executing, how long it’s been running
  • Resource consumption — Tokens consumed, cost incurred, API calls made (updated in real-time)
  • Queued executions — Workflows waiting to start (if rate limiting or concurrency limits apply)
Use the dashboard to identify stuck workflows, monitor high-priority executions, or track resource consumption.

Activity-level details

Drill into a running workflow to see:
  • Execution timeline — Visual representation of which activities have completed and which are running
  • Activity inputs and outputs — For completed activities, see the input data and output results
  • Retry attempts — If an activity failed and is retrying, see the retry count and backoff interval
  • Estimated completion — Based on historical data, an estimate of when the workflow will complete
This level of detail is invaluable for debugging long-running workflows or understanding performance bottlenecks.

Error and failure tracking

The monitoring dashboard highlights failures:
  • Failed workflows — Workflows that terminated due to errors, with the failing activity and error message
  • Retrying activities — Activities that failed but are being retried, with current attempt count
  • Timeout warnings — Activities approaching their timeout threshold
  • Rate limit warnings — Activities waiting due to rate limiting on external APIs
Set up alerts (see below) to be notified when failures occur.

Integration with monitoring systems

MagOneAI is designed to integrate with standard enterprise monitoring and SIEM systems.

Structured log output

All audit logs and execution logs are output in structured JSON format: 
{
  "timestamp": "2025-12-15T14:32:18Z",
  "event_type": "agent_execution",
  "user_id": "usr_abc123",
  "user_email": "[email protected]",
  "organization_id": "org_xyz789",
  "project_id": "proj_def456",
  "agent_id": "agent_ghi789",
  "agent_name": "Customer Support Agent",
  "model": "gpt-4",
  "tokens_prompt": 1250,
  "tokens_completion": 380,
  "cost_usd": 0.0234,
  "duration_ms": 3400,
  "outcome": "success"
}
This structured format can be ingested by log aggregators like Elasticsearch, Splunk, or Datadog.

Log forwarding

Configure MagOneAI to forward logs to external systems:
  • Syslog — Forward logs via syslog protocol to a central log server
  • HTTP endpoint — POST logs to a webhook or log ingestion API
  • File output — Write logs to a file for collection by a log shipper (Filebeat, Fluentd, etc.)
Configure log forwarding in the Admin Portal under Settings → Log Forwarding.

SIEM integration

For security monitoring, integrate MagOneAI logs with your SIEM:
  1. Forward logs — Use syslog or HTTP forwarding to send audit logs to your SIEM (Splunk, Sentinel, etc.)
  2. Create detection rules — Set up rules to detect anomalous patterns (e.g., “User with 10+ failed logins in 5 minutes”)
  3. Correlate with other systems — Join MagOneAI logs with logs from your identity provider, network, and other systems
  4. Alert on security events — Trigger alerts for suspicious activity (unusual token usage, unauthorized access attempts)
Common SIEM use cases:
  • Compromised credentials — Detect API keys or OAuth tokens used from unexpected IP addresses
  • Insider threats — Detect users accessing data outside their normal patterns
  • Compliance violations — Detect access to sensitive data without proper authorization
  • Brute force attacks — Detect repeated failed login attempts

Custom monitoring dashboards

Export audit and execution data to build custom dashboards in BI tools:
  1. Export historical data — Use the audit log export feature to download data as CSV or JSON
  2. Import to your BI tool — Load the data into Tableau, Power BI, Looker, or Grafana
  3. Build dashboards — Create visualizations for metrics like executions per day, cost per project, error rates, etc.
  4. Schedule refreshes — Set up automated exports and dashboard refreshes for up-to-date metrics
This is useful for executive reporting, cost analysis, or operational monitoring.

Cost and token usage tracking

MagOneAI provides detailed visibility into the cost of agent executions, helping you understand and optimize spending.

Token consumption tracking

For every LLM API call, the platform tracks:
  • Prompt tokens — Tokens in the input to the model (system prompt, user input, context)
  • Completion tokens — Tokens in the model’s output
  • Total tokens — Sum of prompt and completion tokens
  • Model — Which model was used (gpt-4, claude-3-opus, etc.)
Token counts are logged per agent execution and aggregated across projects and organizations.

Cost calculation

The platform calculates costs based on provider pricing:
  • Per-token pricing — For models with separate prompt and completion pricing (e.g., GPT-4)
  • Per-request pricing — For models with fixed request costs (e.g., some image generation models)
  • Currency conversion — Costs normalized to USD for consistent reporting
Costs are displayed in real-time during workflow execution and in historical reports.

Cost breakdowns

View cost breakdowns by:
  • Organization — Total spend across all projects in the org
  • Project — Spend within a specific project
  • Agent — Which agents are most expensive to run
  • Workflow — Cost of individual workflow executions
  • User — Which users are triggering the most expensive executions
  • Provider and model — Spend per LLM provider (OpenAI vs. Anthropic) and model (GPT-4 vs. GPT-3.5)
Use these breakdowns to identify optimization opportunities — for example, switching from GPT-4 to GPT-3.5 for simpler tasks. The platform analyzes historical usage to provide:
  • Trend charts — Visualize token usage and costs over time (daily, weekly, monthly)
  • Forecasting — Project future costs based on current usage trends
  • Anomaly detection — Alert when usage spikes unexpectedly (e.g., 10x increase in a single day)
This helps with budgeting and capacity planning.

Budget alerts and quota enforcement

Set spending limits to prevent runaway costs:
1

Define a budget

In the Admin Portal or Studio, set a monthly budget for an organization or project (e.g., “$500/month”).
2

Configure alert thresholds

Set alert thresholds at 50%, 75%, and 90% of budget. Choose who receives alerts (email, Slack, etc.).
3

Enforce hard limits (optional)

Optionally, configure a hard limit that pauses executions when the budget is exhausted.
4

Monitor spending

View real-time budget consumption in the dashboard. Receive alerts when thresholds are crossed.
Budget enforcement prevents unexpected bills and encourages cost-conscious agent development.
Set up automated alerts for unusual patterns — sudden spikes in token usage, repeated failures, or unexpected tool calls can indicate misconfigurations or security issues. Early detection saves both money and troubleshooting time.

Compliance and retention

Audit logs are essential for regulatory compliance. MagOneAI provides features to meet common compliance requirements.

Log retention policies

Configure how long audit logs are retained:
  • Default retention — 90 days for execution logs, 1 year for authentication and configuration change logs
  • Custom retention — Extend retention to meet your compliance needs (e.g., 7 years for financial services)
  • Automatic archival — Old logs are automatically archived to cold storage (S3, Azure Blob, etc.)
  • Deletion policies — Logs older than the retention period are automatically deleted
Configure retention policies in the Admin Portal under Settings → Audit Logs.

Immutability and tamper-evidence

Audit logs are designed to be tamper-evident:
  • Append-only storage — Logs can be written but never modified or deleted (except by automated retention policies)
  • Cryptographic hashing — Each log entry is hashed and chained to previous entries, making tampering detectable
  • Access logging — Access to audit logs is itself logged, creating a complete chain of custody
These properties are essential for compliance frameworks like SOC 2 and HIPAA.

Audit log exports for compliance

For compliance audits, export logs in auditor-friendly formats:
  1. Define the audit period — E.g., “All activity from January 1 - December 31, 2025”
  2. Filter to relevant events — E.g., “All access to customer data” or “All role changes”
  3. Export to CSV or PDF — Generate a human-readable report with timestamps, users, and actions
  4. Provide to auditors — Share the export with your compliance team or external auditors
Exports include all metadata needed for compliance documentation.

Advanced monitoring

For sophisticated operational needs, MagOneAI supports advanced monitoring patterns.

Distributed tracing

MagOneAI integrates with OpenTelemetry for distributed tracing:
  • Trace propagation — Every workflow execution generates a trace ID that propagates through all activities
  • Span details — Each agent execution, tool call, and LLM request is a span with timing and metadata
  • Trace export — Traces can be exported to Jaeger, Zipkin, or other tracing backends
Use distributed tracing to understand performance bottlenecks in complex multi-agent workflows.

Metrics and observability

The platform exposes Prometheus-compatible metrics:
  • Execution counts — Total workflows executed, success rate, failure rate
  • Latency histograms — P50, P95, P99 latency for agent executions
  • Token usage — Total tokens consumed per minute, per project, per model
  • Cost metrics — Total spend per minute, per project, per organization
Scrape these metrics with Prometheus and visualize in Grafana.

Custom alerts

Define custom alerting rules based on audit log events or metrics:
  • Failure rate alert — Trigger when workflow failure rate exceeds 10% over 5 minutes
  • Cost spike alert — Trigger when hourly spend is 3x the daily average
  • Security alert — Trigger on any failed authentication attempt from an unusual IP
  • SLA alert — Trigger when workflow execution time exceeds an SLA threshold
Alerts can be sent to email, Slack, PagerDuty, or any webhook-compatible system.

Troubleshooting with audit logs

Audit logs are invaluable for troubleshooting operational issues.

Example: Debugging a failed workflow

1

Identify the failure

In the execution dashboard or Studio, locate the failed workflow execution.
2

View the execution trace

Open the workflow execution details to see the full Temporal event history.
3

Find the failing activity

Identify which activity failed — the execution trace shows the error message and stack trace.
4

Review tool call logs

If the failure was in a tool call, review the tool call audit logs to see the parameters and error response.
5

Check for credential issues

Review authentication logs to see if an OAuth token expired or was revoked around the time of failure.
6

Fix and retry

Address the issue (e.g., re-authenticate, fix a parameter) and retry the workflow.

Example: Investigating unusual costs

1

Review cost dashboard

In the Admin Portal or Studio, check the cost dashboard for the affected time period.
2

Identify the expensive resource

Drill down to see which project, agent, or workflow consumed the most tokens.
3

Review execution logs

Look at individual executions to see what inputs caused high token usage.
4

Analyze the prompt

Check if the agent’s system prompt or context is unnecessarily long. Review knowledge base queries that may be returning excessive results.
5

Optimize

Shorten prompts, tune knowledge base retrieval, or switch to a cheaper model for simpler tasks.

Example: Security investigation

1

Identify the suspicious activity

Alert fires: “User [email protected] accessed 500 customer records in 5 minutes.”
2

Review authentication logs

Check if the user logged in from an unusual location or IP address.
3

Review data access logs

See which knowledge bases or databases were accessed, which queries were run, and what data was returned.
4

Correlate with execution logs

Determine if the access was via a workflow execution or manual query. Identify the agent or tool responsible.
5

Take action

If the activity is unauthorized, revoke the user’s access, rotate credentials, and document the incident.

Best practices

Enable comprehensive logging

Don’t disable audit logging to save storage — the value for compliance and troubleshooting far outweighs the cost.

Integrate with your SIEM

Forward logs to your security monitoring system for correlation with other security events.

Set up alerts for anomalies

Proactive alerting on cost spikes, failures, or security events helps catch issues early.

Regular audit log reviews

Monthly review of high-privilege actions (role changes, provider updates) helps ensure accountability.

Export for compliance

Even if you’re not currently audited, maintain exports of audit logs for future compliance needs.

Use budget limits

Set spending limits on projects to prevent runaway costs from misconfigured agents.
Audit logging and monitoring are most effective when combined with other security controls. Use comprehensive logging alongside RBAC, HashiCorp Vault for secrets management, and network-level security for defense-in-depth.

Next steps

Security overview

Understand MagOneAI’s defense-in-depth security architecture

Deployment guide

Deploy MagOneAI with monitoring and logging configured