overwatch logs

Query and display the audit log of all tool calls.

Usage

overwatch logs [options]

Options

Option                 Description
-n, --limit <count>    Number of entries to show (default: 20)
--tail                 Follow the log in real time (Ctrl+C to stop)
--since <duration>     Show entries from the last <duration> (e.g., 1h, 30m, 7d)
--server <name>        Filter by server name
--risk <level>         Filter by risk level
--export <format>      Export format: json, csv, cef
--json                 Output in JSON format

Examples

Recent Logs

overwatch logs
Output:
Audit Log
=========

2026-01-09 10:30:15  postgres  query      write      allowed
2026-01-09 10:30:18  postgres  query      read       allowed
2026-01-09 10:31:02  filesystem read_file read       allowed
2026-01-09 10:31:45  postgres  query      destructive denied

4 entries

Follow Log in Real-Time

overwatch logs --tail

Filter by Time

# Last hour
overwatch logs --since 1h

# Last 30 minutes
overwatch logs --since 30m

# Last 7 days
overwatch logs --since 7d

Filter by Server

overwatch logs --server postgres

Filter by Risk Level

overwatch logs --risk destructive
overwatch logs --risk dangerous

Export Logs

# JSON export
overwatch logs --export json > audit.json

# CSV export
overwatch logs --export csv > audit.csv

# CEF format (for SIEM integration)
overwatch logs --export cef > audit.cef

Log Entry Structure

Each log entry contains:
Field        Description
id           Unique entry ID
timestamp    When the operation occurred
server       MCP server name
tool         Tool that was called
args         Tool arguments (may be redacted)
riskLevel    Classified risk level
decision     allowed or denied
sessionId    Session grant ID (if applicable)
duration     Execution time (ms)
error        Error message (if failed)
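The fields above are enough to triage an export offline without a SIEM. The script below is an added example, not part of Overwatch: it reads the JSON produced by `overwatch logs --export json`, lists denied and allowed high-risk calls, and flags a server where several destructive or dangerous calls were denied in a short window (an agent repeatedly hitting the policy). The sample entries, the 5-minute window and the threshold of 3 are constructed for the example; only the documented field names are assumed.

```python
"""Offline triage of an `overwatch logs --export json` file.

Added example, not part of Overwatch. It assumes only the entry fields documented
above (id, timestamp, server, tool, args, riskLevel, decision, sessionId, duration,
error). The sample entries, the 5-minute window and the threshold of 3 are
constructed for the example.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export: a normal morning plus a burst of denied destructive
# queries against postgres and one destructive call allowed under a session grant.
SAMPLE_EXPORT = json.dumps([
    {"id": "a1", "timestamp": "2026-01-09T10:30:15Z", "server": "postgres",
     "tool": "query", "riskLevel": "write", "decision": "allowed", "duration": 12},
    {"id": "a2", "timestamp": "2026-01-09T10:30:18Z", "server": "postgres",
     "tool": "query", "riskLevel": "read", "decision": "allowed", "duration": 4},
    {"id": "a3", "timestamp": "2026-01-09T10:31:02Z", "server": "filesystem",
     "tool": "read_file", "riskLevel": "read", "decision": "allowed", "duration": 2},
    {"id": "a4", "timestamp": "2026-01-09T10:31:45Z", "server": "postgres",
     "tool": "query", "riskLevel": "destructive", "decision": "denied"},
    {"id": "a5", "timestamp": "2026-01-09T10:32:10Z", "server": "postgres",
     "tool": "query", "riskLevel": "destructive", "decision": "denied"},
    {"id": "a6", "timestamp": "2026-01-09T10:33:05Z", "server": "postgres",
     "tool": "query", "riskLevel": "destructive", "decision": "denied"},
    {"id": "a7", "timestamp": "2026-01-09T10:40:00Z", "server": "filesystem",
     "tool": "delete_file", "riskLevel": "destructive", "decision": "allowed",
     "sessionId": "grant-7f3a", "duration": 9},
    {"id": "a8", "timestamp": "2026-01-09T10:50:00Z", "server": "postgres",
     "tool": "query", "riskLevel": "dangerous", "decision": "denied"},
])

HIGH_RISK = {"destructive", "dangerous"}


def parse_export(text):
    """Load the JSON export and attach a timezone-aware datetime, sorted by time."""
    entries = json.loads(text)
    for e in entries:
        # fromisoformat() accepts a trailing "Z" only from Python 3.11; normalise it.
        e["ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
    return sorted(entries, key=lambda e: e["ts"])


def denied_high_risk(entries):
    """Policy hits: calls the proxy refused because they were destructive or dangerous."""
    return [e for e in entries
            if e["decision"] == "denied" and e.get("riskLevel") in HIGH_RISK]


def allowed_high_risk(entries):
    """Destructive or dangerous calls that went through; these deserve review
    whether or not a session grant (sessionId) was present."""
    return [e for e in entries
            if e["decision"] == "allowed" and e.get("riskLevel") in HIGH_RISK]


def burst_alerts(entries, threshold=3, window=timedelta(minutes=5)):
    """Flag each server where at least `threshold` denied high-risk calls fall
    inside any `window`; repeated denials look like an agent probing the policy.
    Returns (server, first_ts, last_ts, count) for the first qualifying window."""
    times_by_server = defaultdict(list)
    for e in denied_high_risk(entries):
        times_by_server[e["server"]].append(e["ts"])
    alerts = []
    for server, times in times_by_server.items():   # entries are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((server, times[start], times[end], end - start + 1))
                break
    return alerts


def decision_summary(entries):
    """Counts of (server, riskLevel, decision), the shape of a quick dashboard."""
    return Counter((e["server"], e.get("riskLevel"), e["decision"]) for e in entries)


if __name__ == "__main__":
    log = parse_export(SAMPLE_EXPORT)
    for key, n in sorted(decision_summary(log).items()):
        print(f"{key[0]:<12}{key[1]:<13}{key[2]:<8}{n}")
    for server, first, last, n in burst_alerts(log):
        print(f"ALERT {server}: {n} denied high-risk calls between "
              f"{first.isoformat()} and {last.isoformat()}")
    for e in allowed_high_risk(log):
        print(f"REVIEW {e['server']}/{e['tool']} allowed at {e['timestamp']} "
              f"grant={e.get('sessionId', 'none')}")
```

To run it against a real export, replace `SAMPLE_EXPORT` with the contents of the file written by `overwatch logs --export json > audit.json`. Allowed high-risk calls are listed separately from denials on purpose: a denial is the policy working, while an allowed destructive call is the thing an auditor has to justify, grant or no grant.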

Export Formats

JSON

[
  {
    "id": "abc123",
    "timestamp": "2026-01-09T10:30:15Z",
    "server": "postgres",
    "tool": "query",
    "riskLevel": "write",
    "decision": "allowed"
  }
]

CSV

id,timestamp,server,tool,riskLevel,decision
abc123,2026-01-09T10:30:15Z,postgres,query,write,allowed

CEF (Common Event Format)

CEF:0|DotsetLabs|Overwatch|1.0|ALLOWED|Tool Call Allowed|3|cs1=query cs2=postgres outcome=allowed
CEF severity mapping:
  • dangerous = 10
  • destructive = 8
  • write = 5
  • read = 3
  • safe = 1
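The header layout and severity mapping above are enough to reproduce the CEF line, and to see where such an exporter can go wrong: tool arguments carry `=`, `|` and newlines (SQL, paths, shell strings), and CEF requires those to be escaped or the SIEM will mis-split the event. The following is an added example, not Overwatch's own `--export cef` code. It emits the documented header fields and the `cs1`/`cs2`/`outcome` extension keys shown above; carrying the (possibly redacted) args in `cs3`, and the choice of severity 1 for an entry with no recognised riskLevel, are assumptions made for the example. The sample entries are constructed.

```python
"""Emit and re-parse Overwatch-style audit events as CEF.

Added example, not Overwatch's own `--export cef` code. It follows the header
layout (CEF:0|DotsetLabs|Overwatch|1.0|<DECISION>|Tool Call <Decision>|<sev>|...)
and the severity mapping documented above. The page shows only cs1, cs2 and
outcome in the extension; carrying args in cs3 is an assumption made here to
show why escaping matters. Sample entries are constructed.
"""
import json
import re

# Severity mapping from the page; an entry with no or an unknown riskLevel is
# given 1 (lowest) here, which is the author's choice, not documented behaviour.
SEVERITY = {"dangerous": 10, "destructive": 8, "write": 5, "read": 3, "safe": 1}


def cef_header_escape(value):
    """Header fields: escape backslash and the pipe field separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    """Extension values: escape backslash and '=', and fold newlines so one
    event stays on one line for the SIEM's line-based collector."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(entry):
    """Render one audit entry (fields as documented above) as a CEF line."""
    decision = entry["decision"]
    severity = SEVERITY.get(entry.get("riskLevel"), 1)
    header = "|".join([
        "CEF:0", "DotsetLabs", "Overwatch", "1.0",
        cef_header_escape(decision.upper()),
        cef_header_escape(f"Tool Call {decision.capitalize()}"),
        str(severity),
    ])
    ext = [("cs1", entry["tool"]), ("cs2", entry["server"]), ("outcome", decision)]
    if entry.get("args") is not None:
        # Raw tool arguments can contain '=', '|' and newlines; serialise to
        # compact JSON first, then escape for the extension.
        ext.append(("cs3", json.dumps(entry["args"], separators=(",", ":"))))
    extension = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext)
    return f"{header}|{extension}"


def parse_cef_header(line):
    """Split a CEF line into its 7 header fields plus the raw extension,
    honouring escaped pipes so a '|' inside a field does not shift columns."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    return parts


# Constructed sample entries; the second carries arguments a naive exporter would mangle.
SAMPLE_ENTRIES = [
    {"id": "abc123", "timestamp": "2026-01-09T10:30:15Z", "server": "postgres",
     "tool": "query", "riskLevel": "read", "decision": "allowed"},
    {"id": "abc124", "timestamp": "2026-01-09T10:31:45Z", "server": "postgres",
     "tool": "query", "riskLevel": "destructive", "decision": "denied",
     "args": {"sql": "DELETE FROM users WHERE role='admin' -- a|b\nOR 1=1"}},
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        line = to_cef(entry)
        print(line)
        print("  parsed header:", parse_cef_header(line)[:7])
```

Note that severity follows the risk level, not the decision: an allowed destructive call and a denied destructive call both carry severity 8, so a SIEM rule that wants "destructive operations that actually ran" must key on `outcome=allowed` rather than on severity alone.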