Audit Logs — MCP Ambassador | Enterprise MCP Gateway — MCPAmbassador

Every tool invocation, login, client registration, and administrative action is recorded in the audit log with a unique correlation ID.

What is logged

Tool invocations

Every tool call records:

Field	Description
`event_type`	`tool_invocation`
`timestamp`	ISO 8601 timestamp
`correlation_id`	Unique ID linking request and response
`user_id`	User who made the call
`client_id`	Which Ambassador Client
`mcp_id`	Which MCP
`tool_name`	Which tool (e.g., `github.search_code`)
`arguments`	Tool arguments (redacted for sensitive fields)
`result_status`	`success`, `error`, `blocked`
`duration_ms`	Time to complete the call

Authentication events

Event	Logged data
`login_success`	User, IP, timestamp
`login_failure`	Username attempted, IP, failure reason
`login_rate_limited`	IP, timestamp
`session_created`	User, client, timestamp
`session_expired`	Client, timestamp

Administrative events

Event	Logged data
`user_created`	Admin, new user details
`user_deactivated`	Admin, user ID
`group_member_added`	Admin, group, user
`mcp_published`	Admin, MCP details
`mcp_archived`	Admin, MCP ID
`kill_switch_activated`	Admin, tool/MCP, reason
`kill_switch_deactivated`	Admin, tool/MCP
`client_registered`	User, client details
`client_deactivated`	Who deactivated, client ID

Querying the audit log

Via Admin UI

Navigate to Audit Logs. Filter by:

Date range
Event type
User
Tool

Via Admin API

# All recent events (paginated)
curl -k -b cookies.txt "https://localhost:9443/v1/admin/audit?limit=50&offset=0"

# Filter by event type
curl -k -b cookies.txt "https://localhost:9443/v1/admin/audit?type=tool_invocation"

# Filter by user
curl -k -b cookies.txt "https://localhost:9443/v1/admin/audit?user=alice"

# Filter by MCP
curl -k -b cookies.txt "https://localhost:9443/v1/admin/audit?mcp=github"

# Filter by tool
curl -k -b cookies.txt "https://localhost:9443/v1/admin/audit?tool=github.search_code"

# Date range
curl -k -b cookies.txt "https://localhost:9443/v1/admin/audit?from=2026-01-01&to=2026-01-31"

Log format

Audit events are stored as JSON in the database and returned as JSON from the API:

{
  "id": "evt_uuid",
  "event_type": "tool_invocation",
  "timestamp": "2026-02-19T14:32:01.123Z",
  "correlation_id": "corr_uuid",
  "user_id": "user_uuid",
  "user_username": "alice",
  "client_id": "client_uuid",
  "client_label": "VS Code - Work Laptop",
  "mcp_id": "mcp_uuid",
  "mcp_name": "github",
  "tool_name": "github.search_code",
  "arguments": {"query": "authentication"},
  "result_status": "success",
  "duration_ms": 234
}

The server also emits JSON structured logs to stdout with the same correlation IDs, useful for log aggregation.

Argument redaction

Arguments are logged but sensitive fields are redacted. Fields named token, secret, password, key, credential are replaced with [REDACTED] in the audit record. The raw argument value is never logged.

Retention

Audit logs are stored in the SQLite database indefinitely by default. There is no automatic rotation in 0.8.0-beta.1. For compliance use cases requiring log export or rotation:

Export: Use the Admin API to page through events and export to your SIEM
Streaming (v1.1): File-based export in Splunk-compatible JSON format
SIEM streaming (v2.0): Real-time export to Splunk, Datadog, Elastic

Correlation IDs

Every tool call generates a correlation ID that appears in:

The audit log record
The server's stdout JSON log
The HTTP response header (X-Correlation-Id)

This makes it easy to trace a specific tool invocation across log sources.