Understanding Audit Logs

Anatomy of a Log Entry

A standard audit log entry contains four main categories of data:

The core decision (Allow, Warn, Block) and when it happened.

Who took the action (Actor) and what content was involved (URL, ID, Revision).

Technical proof including content length and SHA-256 hash for chain-of-custody.

An itemized list of rule failures, including the specific policy triggered.

The Decision field is the most critical part of the log operation.

Decision	Description
Allow	The content passed all checks. No violations were found, or all violations were overridden.
Warn	Issues were found, but the policy is set to "Warn only" for this stage (e.g., Draft). The user was notified but not blocked.
Block	Critical violations were found and the action (Save/Publish) was prevented.
Error	A system error prevented checks from completing. Depending on your "Fail Safe" configuration, this may default to Allow or Block.

Forensics allow you to trace actions to specific users and content revisions.

Actor ID: The CMS User ID (uid) responsible for the action.
Content Hash: A SHA-256 hash of the content payload. This ensures that you can prove exactly what text was evaluated at that moment in time.
Request ID: A unique identifier for the transaction, useful for debugging with support.

If your plan includes LLM-assisted checks (e.g., Tone or Context analysis), the log will include an LLM Proof section.

Overall Score: The model's rating (0-1) of the content against the policy.
Confidence: How sure the model is about its decision.
Skipped Code: Whether code blocks were automatically excluded to prevent false positives.

Note: LLM checks are usage-limited. You can view your remaining quota in the "Usage Impact" section of any log detail.