--- title: Read the operator audit log description: Who did what, when, from where - the ARGUS operator audit log in the console and via argusctl logs tail, what gets audited, and where it is stored. --- # Read the operator audit log ## Goal Answer "who did what, when, from where" against the operator audit log, from the console or the terminal. ## What gets audited * **Every authenticated call** to the ops API writes one row, whether it came from the Operations Console or from argusctl. PAT calls are attributed to the PAT owner's Clerk user; there is no anonymous use. * **Compute writes** (`/compute/ops/*` launch, stop, resume, terminate) additionally write to the compute domain audit table (`argus.compute_control_audit`). * **Arm and disarm** and other remote-support actions additionally write to `argus.remote_support_audit`. ## Where it is stored The platform-wide log is **`argus.argus_audit_log`**. Each row records the actor (Clerk user), actor kind (Clerk session, PAT, or break-glass token), the PAT id when relevant, the scope checked for the call, the normalized route template, HTTP method and status, latency, client IP, user agent, a SHA-256 digest of the request body (which proves what was submitted without storing PII), and the timestamp. The log is append-only: the runtime DB role has no UPDATE or DELETE on it. Retention is 365 days. CLI calls carry a `User-Agent: argusctl/` string so CLI traffic can be sliced out in queries. ## Prerequisites * A PAT with the **`logs:read`** scope (included in the `support-readonly` and `admin-full` presets). ## Steps (console) 1. Open the audit log page in the Operations Console (under Settings, route `#/settings/audit`). 2. Filter by actor, route, status, or time window. 3. Click a row to see its request body digest, which lets you verify what was submitted without the log storing payload contents. Backing endpoint: `GET /v1/audit-log` (scope `logs:read`). ## Steps (CLI) ```bash argusctl logs tail --since 1h # last hour of audit rows argusctl logs tail --since 1h --actor user_ABC # one operator's actions argusctl logs tail --since 1h --json # machine-readable ``` `logs tail` also accepts a `--route` filter against the normalized route templates. Because routes are stored as stable templates (for example `GET /v1/tenants/:id`), a route filter matches every call to that endpoint regardless of the id. ## Verify Run any read command (for example `argusctl health` followed by `argusctl compute list`), then `argusctl logs tail --since 5m --json`: your own calls appear, attributed to your PAT's Clerk user. ## Troubleshooting * **403 on `logs tail` (exit code 5).** Your PAT lacks `logs:read`. * **A route filter returns nothing.** Filters match the normalized route template, not the literal URL; check the template spelling. * **Latency questions.** `argusctl perf` derives per-route p50/p95/p99, error rate, and requests per minute from the same audit log. --- For a semantic overview of all documentation, see [/sitemap.md](/sitemap.md) For an index of all available documentation, see [/llms.txt](/llms.txt) For agent-facing discovery, including API and MCP surfaces, see [/agents.md](/agents.md)