Audit Logs
Audit logs record security-relevant activity in a Qefro organization. Separately, tool execution logs record each Business Action — which tool ran, when, and with what outcome. Together they answer “who changed configuration?” and “what did the assistant call?”
Short definition (citation-ready)
Qefro exposes organization audit logs for administrative and security events, and per-tool execution logs for Business Actions, so teams can investigate configuration changes and AI-initiated API traffic.
Two log streams
| Stream | Answers | Typical consumers |
|---|---|---|
| Org audit logs | Who invited users, changed RBAC, updated integrations? | Security, Admins |
| Tool execution logs | Which Business Tool ran during chat? Success or error? | Engineering, Support leads |
Architecture
API surfaces
/api/v1/org/audit-logsList organization audit events for the authenticated tenant (Owner/Admin).
/api/v1/tools/:tool_id/logsList recent execution attempts for a specific Business Tool.
curl -sS -H "Authorization: Bearer $USER_JWT" \
https://api.qefro.com/api/v1/org/audit-logs
curl -sS -H "Authorization: Bearer $USER_JWT" \
https://api.qefro.com/api/v1/tools/$TOOL_ID/logs
Exact fields evolve with the product; use the Admin Console views during pilots and the API for automation.
Investigation workflow
Investigate an unexpected tool call
- Identify the workspace and channel — Widget, portal, or WhatsApp?
- Pull tool execution logs — Confirm time, tool id, and error/success.
- Check who configured the tool — Org audit logs for credential or OpenAPI changes.
- Review RBAC — Could a Member have changed something they should not?
- Contain — Disable write tools, rotate secrets, split workspaces if needed.
What to log on your side
Qefro logs the action attempt. Your API should still log:
- Authenticated end-user id (from forwarded identity headers)
- Resource ids touched
- Authorization allow/deny decisions
That dual trail is what incident response needs.
Best practices
- Review tool logs weekly during the first month of any new Business Action
- Alert on bursts of failures (often bad credentials or SSRF blocks)
- Retain exports according to your compliance policy — do not assume infinite retention
- Treat conversation transcripts as potentially sensitive if tools return PII