Tutorial 12

View your audit logs

Open the Audit Logs page to see every job that's run, every conversation that's happened, and every system event — in one searchable, live-updating view.

Plus: three prompts that turn the Admin Agent into your audit-log analyst — investigating incidents, running compliance checks, and finding the agent quietly eating tokens.

Audience	Admins
Time	~3 min
Prerequisites	An Auxot account on any tier. You've been using Auxot long enough to have something to look at — at least one chat conversation, one agent job, or one system event in the past few days.
You'll end up with	A clear sense of what each tab on the Audit Logs page shows you, when to use which filter, and how to ask the Admin Agent to do the analysis instead of doing it yourself.

Why this matters

Auxot logs everything that happens — every chat, every job, every agent action, every login, every configuration change. Audit Logs is the page that lets you see all of it.

Most days, you don’t need it. The system runs, the agents do their work, you get on with yours. But on the days you need to know who did what when — when a customer asks why an answer changed, when something got expensive overnight, when an integration started behaving oddly — Audit Logs is where you go.

The page has three tabs because three different kinds of activity matter: Jobs (the background work your AI is doing), Threads (the conversations happening with your agents), and Events (system-level things like configuration changes and scheduled triggers). Each tab has filters so you can narrow the noise. Live mode keeps the page refreshing as things happen.

Today, learn what’s in each tab. Tomorrow, when something looks off, you know exactly where to look.

Audit Logs gathers every job, every conversation, and every system event into one searchable view. Filter by status, time range, source, severity, or agent. Toggle Live mode to watch activity in real time. Click any row to see the full detail underneath.

Quick start

Sign in — open Auxot in your browser and log in.
Open Audit Logs — click Audit Logs in the left menu.
Pick a tab — Jobs (background work), Threads (conversations), or Events (system activity). Start with Threads if you want to see what your agents have been answering lately.
Apply a filter — narrow by time range, status, source, or severity, depending on the tab.
Click any row — see the full detail of that job, thread, or event underneath.

Done? You’ve taken your first audit-log spin. The rest is knowing which tab to open when something specific comes up.

The agent can do that?

You don’t have to dig through audit logs yourself. The Admin Agent has access to the same data and can do the analysis for you. Three prompts that turn the page into a quick briefing.

1. Investigate something that just went weird

Open chat with the Admin Agent and ask:

Something feels off in our Auxot account in the last [hour / day / week] — slower replies, weird answers, an integration acting up, anything. Look at recent events, recent jobs, and any errors. Tell me what's worth investigating, what's probably nothing, and what I should check first.

Why it’s non-obvious: The Audit Logs page is comprehensive but overwhelming — by the time you open it during an incident, you’re trying to skim five tabs of data while pressure builds. The Admin Agent reads the same data, weights what’s actually anomalous against what’s normal noise, and hands you a prioritized list. Triage that would take you twenty minutes, in fifteen seconds.

2. Run a compliance check

Same chat, follow-up:

For compliance, I need a summary of what [user name or team name] has done in Auxot over the past [time range]. List their thread count, the agents they used most, any failed jobs, any sensitive actions (role changes, credential changes, agent edits), and anything that looks unusual. Be specific.

Why it’s non-obvious: Compliance audits typically involve scrolling through hundreds of rows trying to summarize behavior. The Admin Agent can pull the same data, cross-reference user actions against agent activity and system events, and produce the kind of narrative summary that compliance reviewers actually want — instead of a CSV dump nobody reads.

3. Find the agent quietly eating tokens

Which of my agents used the most tokens last [week / month]? Break it down by agent, what kind of work the tokens went to, and whether any of them are using more than I'd expect for their job. If any look out of line, recommend specific things to investigate or change.

Why it’s non-obvious: Token costs sneak up — an agent with a poorly-tuned context file or a runaway loop can quietly cost more than the rest of your account combined. The Admin Agent reads the Jobs tab, groups by agent, and surfaces the outliers with reasoning. Way faster than building a spreadsheet, and it’ll tell you why an agent is expensive — not just that it is.

Go deeper

Retention and export

Retention: Audit logs in Auxot’s database don’t currently expire — old records stay queryable indefinitely. (The live activity feed on System Health is separate; that’s a 20-minute sliding window in Redis.)

Export: Audit Logs doesn’t currently have a built-in CSV/JSON export from the UI. If you need to pull records for an external tool — a SIEM, a compliance platform, a quarterly report spreadsheet — you’d use Auxot’s API directly, with a Team API Key (Tutorial 11). The Admin Agent’s list_events tool also returns structured data that you can copy out of chat for one-off needs.

Troubleshooting

The page is blank — “No jobs found” / “No threads found” / “No events found”. Likely a filter is hiding everything. Check: is your time range too narrow? Are you on the right tab? Is your account too new to have any history yet?
Live mode isn’t refreshing. The 5-second refresh runs from your browser tab. If your tab is in the background, browsers throttle it — bring the tab forward and refresh once.
A job shows “Failed” but you don’t know why. Click the row. The detail view shows the error message. Common causes: provider over quota, credential expired, the agent’s tool returned an error, the model timed out.
A thread is missing. Confirm the thread is on a team you have access to. If it should be in your scope but isn’t appearing, the source might not be flagged correctly — check the source filter.
You see jobs but no provider information. The provider was deleted after the job ran. Auxot keeps the job record but the provider link goes stale.

Variations & edge cases

Free tier has the same Audit Logs page as paid tiers — no feature gating here. Activity volume is naturally lower (one user, one team), so filters matter less.
Cancelling a running job marks it as cancelled but doesn’t undo work that’s already happened (e.g., a tool call that already executed). Use cancel to stop ongoing work; for true rollback, you’d need agent-level logic.
The “Recently completed” data on the Jobs tab is fast-moving. Don’t bookmark a specific row to come back to later; use the time-range filter and search instead.
Cron-triggered threads show up under the Threads tab with source = cron. Useful for monitoring whether your scheduled agent runs are actually firing.
Webhook-triggered threads show up with source = webhook. The thread name will reference the intake or workflow that received the call.
Token usage in Jobs is per-job (input → output). Multiply across many jobs for a per-agent-per-week view, or use Power Move 3 to have the Admin Agent do the math.

Walkthrough

Open Auxot in your browser and sign in.

Step 2: Open Audit Logs

Click Audit Logs in the left menu. The page opens with the helper text that frames it well: “Review background jobs, threads, and system activity in one place.”

You’ll see three tabs across the top — Jobs, Threads, Events — and a Live toggle in the top right. We’ll cover each tab next.

Step 3: The three tabs (what’s in each)

a. Jobs

Every time an agent runs work — answers a chat, executes a tool, processes a task — Auxot creates a job that runs in the background. The Jobs tab shows every one of them.

Each row shows:

Status — queued, running, complete, failed, cancelled, or retrying.
Agent name — which agent the job was for.
Model and provider — which AI model handled it (Claude, GPT-4, your local GPU, etc.) and via which connected provider.
Job type — what kind of work it was.
Token usage — input tokens → output tokens (useful for spotting cost surprises).
Evaluator status — whether Auxot’s quality check liked the result.
Timestamp — when the job ran.

You can also cancel a running or queued job by clicking the cancel icon on its row. Useful when you realize a runaway loop is spinning.

b. Threads

A thread is a conversation — anything from a chat-window conversation to a Slack message that triggered an agent to a webhook that started a task. The Threads tab shows them all, regardless of source.

Each row shows:

Source — where the thread came from: app (the chat window), Slack, Discord, email, webhook, cron, or other integration.
Type — chat (interactive) or cron (scheduled).
Agent name — which agent handled the conversation.
Message count — how many back-and-forth turns there were.
Snippet — first 30 characters of the latest message (so you can roughly tell what it was about).
Timestamp — when the latest activity happened.

This is where you go when you need to see what an agent has been answering lately — or trace a specific conversation that came up in a customer report.

c. Events

Events are the system-level happenings — agent evaluations, cron triggers firing, configuration changes, errors. Each event has:

Event type — a short identifier like cron.fired or agent.evaluation.
Severity — info, warning, or error.
Description — what happened, in plain English.
Agent ID (optional) — if the event was tied to a specific agent.
Timestamp — when it happened.

Events are how you spot configuration-level oddities: a cron that’s not firing, a credential that just got revoked, an integration that lost its connection.

Step 4: Filter and search

Each tab has its own filters. Common patterns:

Time range (Jobs, Threads): All Time, Last Hour, Today, Last 7 Days, Last 30 Days. Last 7 Days is the most useful default for most questions.
Status (Jobs only): All Status, Complete, Failed, Running, Queued, Cancelled. Pick Failed to spot trouble fast.
Source (Threads only): all sources or one specific source — useful when you want to see only your Slack-triggered conversations, for example.
Severity (Events only): All Severity, Info, Warning, Error. Pick Warning or Error to skip the noise.
Search — text search by ID or model name (Jobs), or by event type (Events). Debounced — wait a moment after typing.

Tip: When you’re investigating something specific (an incident, a cost spike, a customer report), filter aggressively. The page is designed to drown you in data unless you tell it what you’re looking for.

Step 5: Click any row for detail

Every row in every tab is clickable. Clicking opens a detail view with the full record — for a job, the prompt and response; for a thread, the conversation transcript; for an event, the full metadata.

This is where most investigations actually happen. The list view is for finding the right row; the detail view is for understanding what happened.

Step 6: Live mode for real-time monitoring

Toggle Live in the top right when you want the page to refresh every 5 seconds automatically. Helper text: “While Live is on, the list refreshes every 5 seconds so you do not need Refresh.”

Use Live mode when:

You’re watching something happen right now (e.g., kicking off a workflow and wanting to see jobs appear).
You’re monitoring during a deploy or change and want to spot errors as they show up.
You’re debugging a flaky integration and want immediate feedback.

Don’t leave Live on all day — it costs nothing on Auxot’s end, but the constant updates can be distracting when you’re trying to focus on a specific row.

What’s next

→ Tutorial 03: Take Auxot’s pulse in 10 seconds — System Health is the live overview; Audit Logs is the historical record. They complement each other.
→ Tutorial 11: Create a shared Team API Key — for pulling audit data programmatically into compliance tools or dashboards.
→ Tutorial 13: Run a workflow — workflows generate a lot of audit-log activity; understanding both makes monitoring much easier.

Reference

Pages in Auxot: Audit Logs (/app/audit-logs)
Three tabs: Jobs (background work), Threads (conversations), Events (system activity)
Filters per tab: Jobs (status, time range, search) | Threads (source, type, time range) | Events (severity, event type)
Live mode: auto-refresh every 5 seconds
Permissions: org admins see everything; non-admins see filtered (own + team)
Tier: all tiers (no gating)
Export: API only (no UI export); Admin Agent’s list_events tool also surfaces structured data
See also: Tutorial 03: Take Auxot’s pulse, Tutorial 13: Run a workflow