Search the audit trail

Every governed action produces an audit event: who, what, the policy decision and version, the credential mode, the upstream transport, latency/status, and a safe error category. Audit is metadata‑only by design — it never stores raw tool arguments or secret material — which is what makes it safe to search, export, and ship to a SIEM.

Requires audit.read

Searching audit needs the audit.read permission in the target environment.

Search events

Search the audit trail

UIAPICLI

1. Open Investigate → Audit search.
2. Filter by environment, actor, resource, decision, or time range.
3. Open any row to see the full event detail, including the policy version that produced the decision.

POST/v1/audit/search

Copy

curl -X POST "$GATEWAY/v1/audit/search" \
-H "authorization: Bearer $TOKEN" \
-H "content-type: application/json" \
--data '{
  "environment_id": "prod",
  "decision": "deny",
  "time_range": "24h"
}'

View searchAudit in the API reference →

Copy

gatewayctl search-audit --environment prod --decision deny --format json

Every gatewayctl verb accepts --format text|json.

Pull a single request bundle

To investigate one request end‑to‑end, fetch its bundle by request_id — the chain of events the gateway recorded for that call.

Read the audit bundle for one request

UIAPICLI

1. From a search result, open the event and choose View request bundle.

GET/v1/audit/requests/{request_id}

Copy

curl "$GATEWAY/v1/audit/requests/req_m1_002" \
-H "authorization: Bearer $TOKEN"

View getAuditRequestBundle in the API reference →

Copy

gatewayctl search-audit --request-id req_m1_002 --format json

Every gatewayctl verb accepts --format text|json.

Export and SIEM

For continuous monitoring, create an export (POST /v1/audit/exports) or configure a SIEM webhook so events flow to your own tooling — the same metadata‑only guarantees apply.