Work with audit logs

Every tool call through Wicket — allowed or denied — writes an audit entry. This guide covers the day-to-day operations: watching live traffic, filtering, understanding matched policies, and exporting.

Watch live traffic

Open an agent’s Audit tab. New entries stream in as they happen — no refresh needed. Each row shows the timestamp, member, tool, service, decision, matched policy, and duration.

The dashboard overview adds aggregate views on top of the same data: total calls, allow/deny ratio, a time-series chart, and a per-service breakdown with top tools and top denying policies.

Filter

Filter the audit view (or the GET /api/audit endpoint) by:

| Filter | Use it to |
| --- | --- |
| result=DENY | Surface every blocked call — your first stop when something “doesn’t work” |
| service=github | Watch one connector (exact key) |
| tool=delete_file | Check who attempts a specific tool (substring match) |
| agent=billing | Narrow to agents whose name contains the text (substring match) |
| from / to | Bound a time range (ISO dates) |

Tracing one member or one policy uses internal IDs, not emails or policy keys: member=<memberId> and policy=<policyId> take the UUIDs from an audit entry. In the dashboard you don’t type these — click a member or a matched policy in the Audit view and it scopes the list for you. To do it over the API, read memberId / policyId off any entry (or list members via GET /api/audit/members) and pass that value.

See the audit event schema for the full field and parameter reference.

Read a denial

Expand a DENY row to see:

  • Matched policies — which policies fired, with the exact policy version that was in force
  • Deny message — the human-readable reason, if the forbid policy has one
  • Tool arguments — what the agent tried to do (sensitive fields redacted)

Unexpected denies usually mean one of: a policy’s scope or tool list is wrong, the member is still pending, or the agent is disabled. Click through the matched policy and use Simulate to test a fix before enabling it.

Export to CSV

From the Audit tab, click Export — or call the endpoint directly:

GET /api/audit/export?from=2026-05-01&to=2026-05-31&result=DENY

The response is a CSV file with one row per entry (timestamp, agent, member, tool, service, resource, decision, reason, duration, matched policies). Exports return up to 500 rows per request; page through larger ranges with offset, or narrow the time window.
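A sketch of paging through the export past the 500-row cap, added here as an example and not taken from Wicket's own code. It assumes offset counts rows and that every page repeats the CSV header row; the column names and fake_server are constructed for the demo, and the base URL and auth headers are whatever your deployment uses.

```python
import csv
import io
import urllib.parse
import urllib.request

PAGE_SIZE = 500  # documented cap on rows per export request

def http_fetcher(base_url, headers):
    """Build fetch(params) -> CSV text; base_url and headers come from the caller."""
    def fetch(params):
        query = urllib.parse.urlencode(params)
        req = urllib.request.Request(f"{base_url}/api/audit/export?{query}", headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")
    return fetch

def export_all(fetch, filters):
    """Page with offset until a short page arrives; return (header, rows)."""
    header, rows, offset = None, [], 0
    while True:
        page = list(csv.reader(io.StringIO(fetch({**filters, "offset": offset}))))
        if not page:  # empty body: nothing more to read
            break
        if header is None:
            header = page[0]
        elif page[0] != header:  # assumption: every page repeats the header
            raise ValueError(f"CSV header changed at offset {offset}")
        rows.extend(page[1:])
        if len(page) - 1 < PAGE_SIZE:  # a short page ends the range
            break
        offset += PAGE_SIZE
    return header, rows

def fake_server(total):
    """Constructed stand-in for the endpoint, serving `total` rows."""
    def fetch(params):
        out = io.StringIO()
        writer = csv.writer(out)
        writer.writerow(["timestamp", "tool", "decision"])  # assumed column names
        start = int(params["offset"])
        for i in range(start, min(start + PAGE_SIZE, total)):
            writer.writerow(["2026-05-01T00:00:00Z", f"tool_{i}", "DENY"])
        return out.getvalue()
    return fetch

if __name__ == "__main__":
    print(len(export_all(fake_server(1203), {"result": "DENY"})[1]))
```

Against a real deployment, pass http_fetcher(...) in place of fake_server(...) and put from, to and result in the filters dict.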

Retention

Audit entries are retained indefinitely by default. If your compliance posture needs bounded retention or scheduled exports, see Compliance posture.