Skip to main content
Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
Every tool call that flows through C1 MCP is logged. This page covers what’s captured and how to export it for long-term retention, SIEM ingestion, or compliance reviews.

What gets logged

Each tool call produces one audit log entry with:
FieldExample
Timestamp2026-05-07T14:23:11Z
End userThe C1 user the AI client is bound to
AI clientClient ID and display name
MCP serverRegistered server name
ToolTool name (for example, github_create_issue)
ResultSuccess / denied / error
Denial reasonPopulated when result = denied (for example, “tool not in user’s access profile”, “kill switch active”, “client closed”)
LatencyRound-trip time for the call
In addition to tool call events, the following non-call events are also captured:
  • Access request submitted / approved / denied
  • Tool approved / disabled / classification changed
  • MCP server registered / removed / auth changed
  • AI client registered / state changed (active → hidden → closed → deleted)
  • Kill switch flipped (tenant, server, tool, or client level)
  • Tenant defaults changed

Export the audit log

AI tool usage events are included in the C1 system log. To set up export to S3 or another data source for SIEM ingestion, see System logs.