WorkLLM records a complete audit trail of significant actions taken by users and AI systems in your workspace. Audit logs are available to Admins and are designed to support internal security reviews, incident investigation, and compliance reporting. This page explains what is logged, how to access and search logs, and how to export them.Documentation Index
Fetch the complete documentation index at: https://workllm.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
What audit logs capture
Audit logs record actions across six categories: authentication, membership, settings, integrations, AI activity, and data operations. Every log entry includes the timestamp, the user or system that performed the action, and relevant context such as the affected resource.Audit event reference
| Event | Category | Description |
|---|---|---|
user.login | Authentication | A member signed in to the workspace |
user.login_failed | Authentication | A failed login attempt on a workspace account |
user.logout | Authentication | A member signed out of the workspace |
member.invited | Membership | An Admin sent an invitation to a new member |
member.invitation_revoked | Membership | An Admin cancelled a pending invitation |
member.joined | Membership | A new member accepted an invitation and joined |
member.role_changed | Membership | An Admin changed a member’s role |
member.removed | Membership | An Admin removed a member from the workspace |
sso.configured | Settings | SSO settings were added or updated |
sso.disabled | Settings | SSO was disabled for the organization |
settings.updated | Settings | Organization settings were changed (includes what changed) |
integration.connected | Integrations | A new integration was connected to the workspace |
integration.disconnected | Integrations | An integration was removed from the workspace |
integration.token_refreshed | Integrations | An integration’s OAuth token was refreshed |
agent.run_started | AI activity | An AI Agent began executing a workflow |
agent.run_completed | AI activity | An AI Agent completed a workflow run |
agent.run_failed | AI activity | An AI Agent workflow failed |
assistant.created | AI activity | A new AI Assistant was created |
assistant.deleted | AI activity | An AI Assistant was deleted |
data.export | Data operations | A data export was initiated (includes export type and requested by) |
audit_log.exported | Data operations | An audit log export was downloaded |
document.uploaded | Data operations | A document was uploaded to the workspace |
document.deleted | Data operations | A document was deleted from the workspace |
billing.plan_changed | Settings | The organization’s plan was upgraded or downgraded |
AI model interactions (individual messages and responses within a thread) are not individually recorded in the audit log. Audit logs focus on administrative and structural actions. Usage analytics for AI interactions are available in Reports.
Accessing audit logs
Audit logs are only accessible to Admins. Members and Viewers cannot view audit log data.Filtering audit logs
The audit log viewer includes filters that help you narrow down events when investigating a specific incident or preparing a compliance report.| Filter | Description |
|---|---|
| Date range | Show only events within a specific start and end date |
| User | Filter to events performed by a specific member |
| Event type | Filter to a specific event category or individual event type |
| IP address | Filter to events from a specific IP address (useful for investigating suspicious logins) |
member.role_changed.
Exporting audit logs
Audit logs can be exported as a CSV file for use in spreadsheets, SIEM tools, or compliance reporting workflows.Apply your filters
Use the date range, user, and event type filters to scope the export to the data you need. Exporting the full log history is supported but may produce a large file.
| Column | Description |
|---|---|
timestamp | UTC timestamp of the event in ISO 8601 format |
event_type | The event identifier (e.g., member.role_changed) |
actor_name | Display name of the user or system that performed the action |
actor_email | Email address of the user that performed the action |
ip_address | IP address from which the action was performed |
resource_type | The type of resource affected (e.g., member, integration) |
resource_id | The identifier of the affected resource |
details | Additional context specific to the event type |
Each audit log export is itself recorded as an
audit_log.exported event, so you have a record of who downloaded log data and when.Audit log retention
| Plan | Retention period |
|---|---|
| Business | 12 months |
| Enterprise | 24 months |
Using audit logs for compliance reporting
Audit logs are structured to support common compliance use cases: Access reviews — Filter bymember.role_changed, member.invited, and member.removed to produce a complete record of who had access to your workspace, when they were granted access, and when it was revoked.
Authentication monitoring — Filter by user.login and user.login_failed to review sign-in activity and identify suspicious patterns such as repeated failed logins or logins from unexpected locations.
Integration governance — Filter by integration.connected and integration.disconnected to maintain a record of which third-party services were connected to your workspace and who authorized each connection.
AI Agent oversight — Filter by agent.run_started, agent.run_completed, and agent.run_failed to document automated AI activity in your workspace for governance purposes.
Data export tracking — Filter by data.export and audit_log.exported to see who has exported data from your workspace and when.
For SOC 2 audits, the audit log export CSV can be provided directly to auditors as evidence of access control and monitoring controls. Enterprise customers can contact info@workllm.io for guidance on mapping audit log events to specific SOC 2 trust service criteria.