Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.runlayer.com/llms.txt

Use this file to discover all available pages before exploring further.

Viewing Audit Logs

Audit Logs Every action in Runlayer is logged for security and compliance:
  1. Navigate to Audit Logs in the sidebar
  2. Filter by:
    • Date range
    • Action type (created, deleted, accessed, etc.)
    • User
    • Resource (specific MCP server)
    • Client (MCP client application, e.g. Cursor, Claude Desktop)
  3. Click on any log entry to see full details

What Gets Logged

  • MCP server creation, configuration, and deletion
  • Skill creation, update, and deletion
  • Plugin creation, update, and deletion
  • Access requests and approvals
  • Policy changes
  • User authentication events
  • Tool calls and API requests (including skill and plugin proxy calls) — tool call events include ToolGuard scan metadata (scanner name, score, duration) when security scanners are active
  • Agent run lifecycle (start, success, failure) — including source, model, and duration
  • Agent account lifecycle (creation, credential rotation, deletion)
  • OAuth token refresh events (upstream success/failure, client-side failures)
  • Security violations and risk assessments
All logs are tamper-proof and retained for compliance purposes.
Need to query audit logs programmatically (or inside your AI client)? Use Runlayer MCP.

Sensitive Connector Redaction

Connectors that handle highly sensitive data (e.g. HR systems, financial databases) can be marked as sensitive by a Super Admin. When enabled, tool call arguments, results, errors, and security scan details are automatically redacted from audit log entries for that connector.

What gets redacted

Event typeRedacted fields
Tool calls and resource accessargs, result, error
Security violations and warningsscan_input, area_of_concern, detected_items
Metadata such as tool name, server name, timestamps, and actor information remain visible so admins can still see who called what and when — just not the payload contents.

Enabling sensitive mode

  1. Navigate to the connector’s settings (Super Admin only)
  2. Enable Sensitive audit log
  3. Optionally select viewer roles that should see unredacted data
  4. Save — redaction takes effect immediately for all future and existing log entries
Redaction is applied at read time, not at write time. The underlying audit log data is unchanged. If you later disable sensitive mode or add a viewer role, previously redacted entries become visible again.

Querying from the CLI

The uvx runlayer logs command lets you query audit logs from the terminal. By default it shows your own events from the last 7 days. 
uvx runlayer logs

Options

FlagDescription
--type, -tFilter by action type(s). Comma-separated or use shortcuts: auth, tools, security, servers, agents
--server-idFilter by MCP server UUID
--agent-idFilter by agent account UUID
--client-nameFilter by client name in event details
--user-idFilter by user ID (admin only, defaults to self)
--allShow all users’ logs (admin only)
--startStart time (ISO 8601). Default: 7 days ago
--endEnd time (ISO 8601). Default: now
--limit, -nMax events to return (default 50, max 2000)
--jsonOutput raw JSON for scripting

Examples

# View security events from the last 7 days
uvx runlayer logs --type security

# View tool calls for a specific server
uvx runlayer logs --type tools --server-id <uuid>

# View all auth events as JSON
uvx runlayer logs -t auth --json

# View all users' events (admin only)
uvx runlayer logs --all --type tools

# View events in a specific time range
uvx runlayer logs --start 2026-03-20T00:00:00Z --end 2026-03-27T00:00:00Z
When the result set is larger than --limit, the CLI prints a next-page command you can copy-paste to continue paginating.

SIEM Export (S3)

Runlayer can continuously export audit logs to an S3 bucket for ingestion into your SIEM (e.g. CrowdStrike NG-SIEM, Splunk, Sentinel). Once enabled, every audit event is written as a gzip-compressed JSON file to the configured bucket in near real-time.

How it works

  1. Runlayer pushes to S3 — each audit log is enqueued to an internal outbox and asynchronously exported as a .json.gz file. There is no polling or pull mechanism required on Runlayer’s side; logs land in the bucket automatically.
  2. You provide a cross-account IAM role — your team creates an IAM role in your AWS account and supplies the Role ARN to Runlayer. Runlayer’s export worker assumes that role to write objects into your bucket.
  3. Your SIEM reads from the bucket — point your SIEM’s S3 connector (e.g. CrowdStrike’s S3 data connector) at the bucket. Most SIEMs support S3 as a native log source.

S3 object layout

Objects are written with a Hive-style date partition prefix: 
audit-logs/year=2026/month=04/day=08/<audit_log_id>.json.gz
If a tool call produced a large result payload, it is stored alongside the main event: 
audit-logs/year=2026/month=04/day=08/payloads/<audit_log_id>-result.json

Payload schema

Each exported file contains a single JSON object: 
{
  "schema_version": 1,
  "audit_log_id": "uuid",
  "timestamp": "2026-04-08T12:00:00+00:00",
  "action_type": "TOOL_CALL_SUCCESS",
  "actor_id": "uuid",
  "actor_type": "user",
  "resource_type": "server",
  "resource_id": "uuid",
  "resource_name": "my-connector",
  "details": { ... }
}

Getting started

To enable SIEM export for your organization, contact your Runlayer account team. You will need to:
  1. Create an S3 bucket in your AWS account for audit log delivery.
  2. Create an IAM role that trusts Runlayer’s AWS account and grants s3:PutObject on the bucket.
  3. Share the Role ARN and bucket name with Runlayer so the feature can be enabled for your environment.
The S3 export is independent of the in-app audit log viewer and the CSV/JSON download export. All three can be used simultaneously.
CrowdStrike NG-SIEM, Splunk, and most major SIEMs support S3 as a native data source. Use your SIEM’s S3 connector and point it at the bucket to start ingesting Runlayer audit events.

Security

Monitor security alerts

Employee Handbook

Complete user guide