Audit Logging

Tollgate maintains a complete audit log of all tool calls, policy decisions, and user approvals. This enables compliance reporting, debugging, and security analysis.

What’s Logged

Every tool call records:
| Field | Description |
| --- | --- |
| timestamp | When the call occurred |
| server | MCP server name |
| tool | Tool being called |
| arguments | Tool arguments (optionally redacted) |
| policyDecision | What the policy said (allow, deny, prompt) |
| userDecision | What the user chose (for prompts) |
| result | Whether the call succeeded |
| durationMs | How long the call took |
| riskLevel | Analyzer-determined risk |

Viewing Logs

Recent Activity

# Last 20 entries
dotset tollgate logs

# Last 100 entries
dotset tollgate logs -n 100

Statistics

dotset tollgate stats

Exporting Logs

Export for compliance reporting or SIEM integration:
# JSON format
dotset tollgate export -f json -o audit.json

# CSV for spreadsheets
dotset tollgate export -f csv -o audit.csv

# CEF for SIEM (Splunk, Datadog, etc.)
dotset tollgate export -f cef -o audit.cef

# JSONL for streaming
dotset tollgate export -f jsonl

Filtering Exports

# Last 24 hours (pass the timestamp from 24 hours ago)
dotset tollgate export --since "2024-01-14T00:00:00Z"

# Specific server
dotset tollgate export -s postgres

# Only dangerous operations
dotset tollgate export --risk dangerous

# Date range
dotset tollgate export \
  --since "2024-01-01" \
  --until "2024-01-31" \
  -o january-report.json

PII Redaction

By default, tool arguments are redacted in logs to protect sensitive data:
{
  "tool": "query",
  "arguments": "[REDACTED]",
  "argumentsHash": "sha256:abc123..."
}
The hash allows correlation without exposing data.

Disabling Redaction

For debugging, you can export with original data:
dotset tollgate export --no-redact -o debug.json
Caution: Non-redacted exports may contain PII, credentials, or sensitive data. Handle with appropriate security controls.
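
The redaction marker and the argument hash described above can be checked mechanically before an export is archived or forwarded. The following Python is an added example, not part of Tollgate or its documentation: it assumes the JSONL export holds one JSON object per line using the field names from the table and redaction snippet on this page (the page does not show an exported record), and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape assumed for `dotset tollgate export -f jsonl`.
# Hashes and argument values are made up; the last line is cut off on purpose.
SAMPLE_JSONL = """\
{"timestamp": "2024-01-14T09:05:40Z", "server": "postgres", "tool": "query", "arguments": "[REDACTED]", "argumentsHash": "sha256:bbbb", "policyDecision": "prompt", "riskLevel": "dangerous"}
{"timestamp": "2024-01-14T09:05:52Z", "server": "postgres", "tool": "query", "arguments": "[REDACTED]", "argumentsHash": "sha256:bbbb", "policyDecision": "prompt", "riskLevel": "dangerous"}
{"timestamp": "2024-01-14T09:07:13Z", "server": "postgres", "tool": "query", "arguments": {"sql": "SELECT 1"}, "argumentsHash": "sha256:cccc", "policyDecision": "allow", "riskLevel": "safe"}
{"timestamp": "2024-01-14T09:08:00Z", "server": "postg
"""


def parse_jsonl(text):
    """Return (records, bad_line_numbers) so a truncated export does not abort the run."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("not a JSON object")
        except ValueError:  # json.JSONDecodeError is a subclass of ValueError
            bad.append(lineno)
        else:
            records.append(rec)
    return records, bad


def unredacted(records):
    """Records still carrying argument data, e.g. from a --no-redact export."""
    return [r for r in records if r.get("arguments", "[REDACTED]") != "[REDACTED]"]


def correlate(records, min_count=2):
    """Group calls by argumentsHash to spot repeated arguments without reading them."""
    groups = defaultdict(list)
    for r in records:
        if r.get("argumentsHash"):
            groups[r["argumentsHash"]].append((r.get("timestamp"), r.get("tool"), r.get("riskLevel")))
    return {h: calls for h, calls in groups.items() if len(calls) >= min_count}


if __name__ == "__main__":
    records, bad = parse_jsonl(SAMPLE_JSONL)
    print("unparseable lines:", bad)
    print("not redacted:", [(r.get("timestamp"), r.get("tool")) for r in unredacted(records)])
    print("repeated argument hashes:", correlate(records))
```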

Storage Location

Audit logs are stored in SQLite at:
~/.dotset/tollgate.db
Override with --audit-path:
dotset tollgate start -s postgres --audit-path /var/log/tollgate.db

Retention

Tollgate does not automatically delete old logs. For compliance, implement your own retention policy:
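# Export and archive logs older than 90 days
# (date -v-90d is BSD/macOS syntax; on GNU/Linux use: date -d '90 days ago' +%Y-%m-%d)
dotset tollgate export \
  --until "$(date -v-90d +%Y-%m-%d)" \
  -o "archive-$(date +%Y%m%d).json"

# Clear database (caution: irreversible; this removes every entry,
# including those newer than the archive cutoff above)
rm ~/.dotset/tollgate.db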

SIEM Integration

Splunk

# Real-time forwarding (plain TCP via nc, unencrypted in transit)
dotset tollgate export -f cef | nc splunk-server 514

Datadog

# Export JSONL for Datadog logs
dotset tollgate export -f jsonl | \
  datadog-agent-pipe --source tollgate

CloudWatch

# Export and upload
dotset tollgate export -f jsonl -o /tmp/audit.jsonl
aws logs create-log-stream --log-group-name tollgate ...
aws logs put-log-events --log-group-name tollgate ...

Compliance

Tollgate audit logs support:
  • SOC 2: Complete access logging with user attribution
  • GDPR: PII redaction by default
  • CCPA: Data access visibility
  • HIPAA: Audit trail for PHI access (when properly configured)