Skip to main content

Audit Logs

Audit logs record security-relevant activity in a Qefro organization. Separately, tool execution logs record each Business Action — which tool ran, when, and with what outcome. Together they answer “who changed configuration?” and “what did the assistant call?”

Short definition (citation-ready)

Qefro exposes organization audit logs for administrative and security events, and per-tool execution logs for Business Actions, so teams can investigate configuration changes and AI-initiated API traffic.

Two log streams

StreamAnswersTypical consumers
Org audit logsWho invited users, changed RBAC, updated integrations?Security, Admins
Tool execution logsWhich Business Tool ran during chat? Success or error?Engineering, Support leads

Architecture

API surfaces

GET/api/v1/org/audit-logs

List organization audit events for the authenticated tenant (Owner/Admin).

GET/api/v1/tools/:tool_id/logs

List recent execution attempts for a specific Business Tool.

curl -sS -H "Authorization: Bearer $USER_JWT" \
https://api.qefro.com/api/v1/org/audit-logs

curl -sS -H "Authorization: Bearer $USER_JWT" \
https://api.qefro.com/api/v1/tools/$TOOL_ID/logs

Exact fields evolve with the product; use the Admin Console views during pilots and the API for automation.

Investigation workflow

Investigate an unexpected tool call

  1. Identify the workspace and channelWidget, portal, or WhatsApp?
  2. Pull tool execution logsConfirm time, tool id, and error/success.
  3. Check who configured the toolOrg audit logs for credential or OpenAPI changes.
  4. Review RBACCould a Member have changed something they should not?
  5. ContainDisable write tools, rotate secrets, split workspaces if needed.

What to log on your side

Qefro logs the action attempt. Your API should still log:

  • Authenticated end-user id (from forwarded identity headers)
  • Resource ids touched
  • Authorization allow/deny decisions

That dual trail is what incident response needs.

Best practices

  • Review tool logs weekly during the first month of any new Business Action
  • Alert on bursts of failures (often bad credentials or SSRF blocks)
  • Retain exports according to your compliance policy — do not assume infinite retention
  • Treat conversation transcripts as potentially sensitive if tools return PII

FAQ

Are prompts fully stored in audit logs?
Audit and tool logs focus on administrative and execution metadata. Conversation content is handled in the conversation subsystem — review retention with your security team.
Can Members read org audit logs?
Audit APIs are intended for Owner/Admin roles. Members use granted workspaces for Employee AI chat.
Do WhatsApp messages appear in tool logs?
Only if a Business Action runs. Channel messages are conversations; tool logs appear when tools execute.