MACAWMACAW
Get Started
Docs/Console/Logs

Logs

The Logs tab provides access to all system events. View cryptographically signed audit trails, event streams, policy denials, and attestation activity.

The Logs tab has four sub-tabs, each showing different event categories:

Sub-tabDescriptionUse Case
Audit TrailCryptographically signed security eventsCompliance, forensics, tamper detection
Event StreamAll system eventsDebugging, monitoring, understanding behavior
DenialsPolicy denial events onlySecurity monitoring, policy tuning
AttestationsAttestation lifecycle eventsApproval workflow audit, access tracking

Audit Trail

Audit Trail

The Audit Trail contains cryptographically signed events for compliance and forensics. Each event includes a hash and digital signature that can be verified.

Event Types

  • policy_decision — Allow/deny decisions
  • tool_execution — Tool invocations
  • agent_registered — Agent registrations
  • prompt_created — Prompt generation
  • attestation_* — Attestation events

Columns

  • Time — Event timestamp (sortable)
  • Event — Event type with lock icon (signed)
  • Agent — Source agent identifier
  • Op — Operation (execute, etc.)
  • Target — Target resource or agent
  • Result — OK or Deny

Event Details

Event Details Modal

Click any event to view full details including the raw JSON payload, cryptographic signature, and hash. Click Verify to validate the signature and hash chain integrity.

Event Stream

Event Stream

The Event Stream shows all system events, including informational logs that aren't part of the signed audit trail. Useful for debugging and understanding system behavior.

Denials

Denials

The Denials tab filters to show only policy denial events. Use this to:

  • • Monitor for suspicious activity (repeated denials from same source)
  • • Debug policy issues (legitimate requests being blocked)
  • • Tune policies (identify overly restrictive rules)

Attestations

Attestation Logs

The Attestations sub-tab shows all attestation lifecycle events:

Event Types

  • attestation_created — Request initiated
  • attestation_approved — Admin approved
  • attestation_denied — Admin denied
  • attestation_accessed — Grant used
  • attestation_consumed — Single-use consumed
  • attestation_expired — time_to_live expired
  • attestation_disabled — Manually revoked

Columns

  • Source — Who initiated the action
  • Op — Operation type
  • Target — Attestation ID or role
  • Result — OK indicates successful operation

Filtering and Search

Column Filters

Click the filter icon to filter by any column value. Combine multiple filters to narrow down results.

Search

Use the search box for full-text search across event content including agent IDs, resources, and error messages.

Related Topics

Traces

Correlated event sequences

Activity

Real-time event feed

OTEL & Logs Settings

Export and retention config

Architecture

Audit logging architecture