Audit Trail
The Audit Trail screen at app.igrisecurity.com/audit provides a paginated, filterable table of every event recorded by the proxy and LLM gateway. Use it for incident investigations, compliance reviews, and ad-hoc queries.Audit events are mutable. The archive job deletes rows from the database after your plan’s retention window and writes them to S3. You can restore archived events back into the live table — see Archive and restore below.
Event types
| Type | Description |
|---|---|
llm.call | A request forwarded by the LLM gateway to a provider |
mcp.tool | A tool call evaluated by the MCP proxy |
connection | A connection-level lifecycle event |
Filters
The toolbar exposes six independent filters that can be combined freely:| Filter | Values |
|---|---|
| Type | All / llm.call / mcp.tool / connection |
| Action | Policy outcome: allow, deny, alert, redact |
| Connection | Dropdown of all registered connection slugs (or (none) for events without a connection) |
| Date range | Calendar picker for from / to timestamps |
| Text search | Free-text match across event ID, model, tool name, connection slug, and user ID |
| Sort | Column (timestamp / type / action / detail) and direction (asc / desc) |
Table columns
| Column | Content |
|---|---|
| Time | Event timestamp |
| Type | llm.call, mcp.tool, or connection |
| Detail | Model name (LLM calls) or tool name (MCP calls) |
| Actor | User or service that triggered the event |
| Connection | Connection slug |
| Action | Policy outcome |
Pagination
Page size is configurable (default 25 events per page). Navigation controls sit at the bottom of the table. The toolbar also shows a count: “Showing N of total events”.CSV export
Click Export in the toolbar to download the current page of results as a CSV file (audit-trail.csv). The export includes: Time, Type, Detail, Actor, Connection, Action.
The export covers only the rows currently loaded in the table — not the entire result set. Apply filters first to scope what you need, then export.
Archive and restore
Igris archives audit events to S3 when they exceed your plan’s retention window. The archive runs daily and deletes the rows from Postgres after writing them, so they no longer appear in the live table.Archive banner
When you apply a date range filter that overlaps an archived period, an amber banner appears above the table:Some logs in this range are archived. [date range] — Request restoreThe banner shows the start and end of the first archived range, plus a count of additional ranges if more than one overlaps.
Requesting a restore
Click Request restore to open the restore dialog. It shows:- The date range to be restored
- Estimated row count and data size
- The exact fee for this restore job and how many free restores your org has remaining this month
Archive restore requires the Growth plan or above. The button is disabled on Starter.
API
The audit trail is backed byGET /api/v1/audit-events. See the Reference section for full parameter documentation.