Audit Logging: Track All Agent Actions
Enable audit logging to create a complete, tamper-resistant record of every action taken on and by your OpenClaw agent.
What You Will Get
By the end of this guide, your OpenClaw agent will have comprehensive audit logging that records every significant action: configuration changes, user access events, tool invocations, data modifications, and security events. This creates a tamper-resistant trail that supports compliance, security investigations, and operational transparency.
Audit logs differ from operational logs in their purpose. Operational logs help you debug technical issues. Audit logs answer the question 'who did what, when, and from where?' They are essential for compliance with frameworks like SOC2, HIPAA, and GDPR.
You will enable audit logging, configure which events to capture, set retention and export policies, and learn to query the audit log for security investigations. The result is a complete record of all activity that gives you confidence and accountability.
Step-by-Step Setup
Follow these steps to configure audit logging.
Enable Audit Logging
Open the Security settings in your RunTheAgent dashboard and navigate to Audit Logging. Toggle the feature on. Once enabled, the system begins recording audit events immediately. Events that occurred before enabling are not retroactively captured, so enable this as early as possible.
Configure Event Categories
Choose which event categories to capture. Categories include authentication events (login, logout, failed login), configuration changes (prompt edits, tool modifications), data access (conversation views, knowledge base queries), and security events (key rotation, permission changes). For compliance, enable all categories.
Set Retention Policies
Configure how long audit logs are retained. Compliance frameworks typically require 1 to 7 years of retention depending on the regulation. Set the retention period to meet your compliance requirements. Audit logs are stored separately from operational logs with their own storage allocation.
Configure Export Destinations
Set up automatic exports of audit logs to external storage or a SIEM system. This ensures logs are preserved even if the platform has an issue and enables centralized analysis across multiple systems. Common export formats include JSON, CSV, and syslog.
Enable Tamper Protection
Turn on tamper protection, which generates a cryptographic hash for each log entry. Any modification to a log entry invalidates its hash, making tampering detectable. This is required for most compliance frameworks and adds a strong layer of integrity assurance.
Test by Performing Auditable Actions
Perform several actions that should be captured: log in, edit the system prompt, view a conversation, rotate an API key, and change a user's role. Then open the audit log and verify that each action appears with the correct user, timestamp, and details.
Set Up Audit Alerts
Create alerts for high-risk audit events such as failed login attempts, permission escalations, API key revocations, and bulk data access. These alerts provide real-time visibility into potentially suspicious activity so you can investigate promptly.
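One way to check tamper protection on an exported log yourself. This is an added example, not RunTheAgent or OpenClaw code: the JSON Lines export, the field names, the `hash` field, and the use of SHA-256 are all assumptions. It also goes beyond the per-entry hash described above by chaining each hash to the previous entry, so deleted entries are detected as well as edited ones.

```python
import hashlib
import json

# Assumed export schema (hypothetical names, not taken from the product).
FIELDS = ("user", "action", "target", "source_ip", "timestamp", "result")
GENESIS = "0" * 64  # assumed starting value for the first entry in the chain


def entry_hash(entry, prev_hash):
    """SHA-256 over the previous entry's hash plus canonical JSON of the audited fields."""
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def seal(entries):
    """Build a constructed sample export: one JSON line per entry with a chained hash."""
    prev, out = GENESIS, []
    for e in entries:
        prev = entry_hash(e, prev)
        out.append(json.dumps({**e, "hash": prev}))
    return out


def verify(lines):
    """Return (line_number, problem) for each entry that lacks context or fails its hash."""
    problems, prev = [], GENESIS
    for n, line in enumerate(lines, 1):
        entry = json.loads(line)
        missing = [k for k in FIELDS if k not in entry]
        if missing:
            problems.append((n, "missing fields: " + ",".join(missing)))
        elif entry_hash(entry, prev) != entry.get("hash"):
            problems.append((n, "hash mismatch"))
        prev = entry.get("hash", prev)  # resynchronise so one bad entry is reported once
    return problems


def event(minute, user, action, target, result="success"):
    return {"user": user, "action": action, "target": target, "source_ip": "192.0.2.10",
            "timestamp": f"2024-01-01T09:{minute:02d}:00Z", "result": result}


SAMPLE = seal([  # constructed sample events, not real log data
    event(0, "alice", "login", "dashboard"),
    event(1, "bob", "login", "dashboard", "failure"),
    event(2, "alice", "edit_system_prompt", "agent-1"),
    event(3, "alice", "rotate_api_key", "key-1"),
])
```

A hash stored next to the entry can be recomputed by anyone who can rewrite the log, so also record the latest hash at the export destination and compare it during reviews.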
Tips and Best Practices
Log Everything, Filter When Querying
It is better to capture too many events than too few. Storage is cheap compared to the cost of missing a critical audit entry. Use filters when querying to find relevant events rather than limiting what gets captured.
Protect Audit Log Access
Restrict who can view and export audit logs using RBAC. Audit logs often contain sensitive information about user activity. Only security and compliance personnel should have access.
Include Context in Every Entry
Each audit entry should include the user, action, target resource, source IP, timestamp, and result (success or failure). This context makes investigations faster because you do not need to correlate multiple log sources.
Review Audit Logs Regularly
Schedule monthly reviews of audit log summaries to spot trends like increasing failed logins, unusual access patterns, or configuration changes outside of change windows. Regular reviews turn audit logs from a passive record into an active security tool.