Every tool call made through Civic is logged at the Hub level. Audit logs answer the question: “What exactly did my agent do, when, and with what data?”

What Gets Logged

For every tool call, Civic records:
  • Tool name — e.g. get_events, send_gmail_message, search_drive_files
  • Parameters — the exact inputs passed to the tool
  • Response — the result returned from the external service
  • Timestamp — precise time of execution
  • Agent identity — which session or toolkit made the call
Retention: Audit data is retained for approximately 30 days.
Scope: Audit covers all tool calls passing through the Hub. Local agent actions (file system, terminal commands, in-process operations) are outside Civic’s visibility.

How to Access Audit Logs

Audit logs are currently accessible via Civic Chat. A UI view is coming soon. Open nexus.civic.com and use the Audit Agent with natural language queries.

Aggregated Summary

Get a high-level overview of agent activity:
"What did my agent do this week?"
"Show me a summary of tool usage for the production-agent toolkit"
"How many tool calls did my agent make yesterday?"

Line-by-Line Detail

Get the full record with timestamps and parameters:
"Show me every tool call from the last 24 hours with timestamps"
"What did my agent do between 2pm and 4pm yesterday?"
"Show me all the parameters passed to get_events in the last week"

CSV Export

Export the full log for analysis or incident response:
"Export my audit log as a CSV"
"Export the last 7 days of tool calls to CSV"
CSV exports include up to 5,000 lines per export. For longer time ranges, export in segments.

Searching for Specific Activity

"Did my agent try to delete anything this week?"
"Show me all send_gmail_message calls from the last 30 days"
"Did my agent call any write operations on Google Sheets?"
"Show me all tool calls that returned an error"

What Audit Can Answer

| Question | How to ask |
| --- | --- |
| What tools fired? | "Show me all tool calls from yesterday" |
| What parameters were passed? | "Show me every call to modify_event with its parameters" |
| What responses came back? | "Show me the full details of last night’s calendar sync" |
| When exactly? | "Show every tool call from 10pm to midnight on March 5" |
| Was there an error? | "Show me any failed tool calls in the last 7 days" |
| Did the agent access sensitive data? | "Show me all Gmail read operations this week" |

Incident Response with Audit

If something unexpected happened, this is the workflow:
1. Revoke first
If the agent may still be active, revoke access immediately before investigating. See Revocation.

2. Export the log
Ask the Audit Agent for a CSV export covering the relevant time window.

3. Identify the sequence
Look for the tool calls immediately before and after the suspicious activity. Parameters often reveal what the agent was trying to do.

4. Check guardrails
Review whether guardrails would have blocked the problematic action. If not, add them before re-authorizing.

5. Re-authorize with minimum scope
Only re-enable the specific tools required. Consider whether the toolkit scope was too broad.
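
Steps 2 and 3 above, as an added example that is not Civic's own code: it merges several CSV export segments (needed because of the 5,000-line limit), drops rows duplicated where segments overlap, and lists the calls surrounding a suspicious one. The column names and sample rows are assumptions constructed for illustration; the page does not document the export's column layout.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: two export segments whose time ranges overlap.
# Column names are assumed, modelled on the fields listed under "What Gets Logged".
SEGMENT_A = '''timestamp,tool_name,parameters,response,agent
2025-03-05T22:01:10Z,search_drive_files,"{""query"": ""payroll""}",ok,production-agent
2025-03-05T22:01:45Z,send_gmail_message,"{""to"": ""someone@example.com""}",ok,production-agent
'''
SEGMENT_B = '''timestamp,tool_name,parameters,response,agent
2025-03-05T22:01:45Z,send_gmail_message,"{""to"": ""someone@example.com""}",ok,production-agent
2025-03-05T22:02:30Z,get_events,"{""calendar"": ""primary""}",ok,production-agent
2025-03-05T23:40:00Z,get_events,"{""calendar"": ""primary""}",error,production-agent
'''

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def merge_segments(segments):
    """Combine segments into one timeline, dropping rows repeated by overlap.
    Caveat: two genuinely identical calls in the same second also collapse."""
    seen, rows = set(), []
    for text in segments:
        for row in csv.DictReader(io.StringIO(text)):
            key = tuple(row.values())
            if key not in seen:
                seen.add(key)
                rows.append(row)
    return sorted(rows, key=lambda r: parse_ts(r["timestamp"]))

def context_for(rows, tool_name, window=timedelta(minutes=5)):
    """For each call to tool_name, return (hit, neighbours): the same agent's
    other calls within `window` before or after it, in time order."""
    out = []
    for hit in rows:
        if hit["tool_name"] != tool_name:
            continue
        t = parse_ts(hit["timestamp"])
        near = [r for r in rows if r is not hit and r["agent"] == hit["agent"]
                and abs(parse_ts(r["timestamp"]) - t) <= window]
        out.append((hit, near))
    return out

if __name__ == "__main__":
    timeline = merge_segments([SEGMENT_A, SEGMENT_B])
    for hit, near in context_for(timeline, "send_gmail_message"):
        print("SUSPECT", hit["timestamp"], hit["tool_name"], hit["parameters"])
        for r in near:
            print("   near", r["timestamp"], r["tool_name"], r["parameters"])
```

Because the Hub does not see local agent actions, gaps in this timeline may correspond to activity that has to be reconstructed from host-side logs instead.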

Limitations

  • Hub layer only — Local agent actions (file writes, shell commands, network requests outside the Hub) are not captured
  • No real-time streaming — Logs are available for query after the fact, not as a live stream
  • 30-day retention — Logs older than ~30 days are not available via Chat export
  • 5,000 line CSV limit — Export in multiple segments for longer time ranges
