Security Audit Logging
Defense Layer: Complete Activity Tracking and Forensics
CBrowser's audit logging system maintains a comprehensive record of all tool invocations, enabling security analysis, compliance reporting, and incident investigation. Every action is logged with full context for post-incident forensics.
What Gets Logged
Every tool invocation creates an audit record containing:
| Field | Description | Example |
|---|---|---|
| timestamp | ISO 8601 timestamp | 2026-02-15T14:30:45.123Z |
| toolName | Full tool identifier | mcp__browser__navigate |
| serverName | MCP server providing the tool | browser |
| parameters | Tool parameters (sanitized) | {"url": "https://example.com"} |
| executionTime | Duration in milliseconds | 234 |
| result | Success/failure status | success |
| zone | Permission zone at invocation | GREEN |
| sessionId | Current session identifier | sess_abc123 |
| hashVerified | Tool pinning verification result | true |
| injectionScanResult | Injection scanner findings | clean |
Log File Location
Audit logs are stored in daily rotation files:
~/.cbrowser/audit/
tool-invocations-2026-02-15.json
tool-invocations-2026-02-14.json
tool-invocations-2026-02-13.json
...
File Naming Convention
tool-invocations-YYYY-MM-DD.json
Files are created at midnight UTC and contain all invocations for that calendar day.
Log Entry Format
Standard Log Entry
{
"id": "inv_a7f3b2c9d4e5f6a1",
"timestamp": "2026-02-15T14:30:45.123Z",
"tool": {
"name": "mcp__browser__navigate",
"server": "browser",
"hashVerified": true,
"zone": "GREEN"
},
"invocation": {
"parameters": {
"url": "https://example.com",
"waitUntil": "networkidle"
},
"executionTime": 234,
"result": "success"
},
"security": {
"injectionScan": "clean",
"permissionCheck": "allowed",
"sensitiveDataRedacted": false
},
"context": {
"sessionId": "sess_abc123",
"conversationTurn": 15,
"initiatedBy": "ai-request"
}
}
Failed Invocation Entry
{
"id": "inv_b8c4d0e1f2a3b4c5",
"timestamp": "2026-02-15T14:31:22.456Z",
"tool": {
"name": "mcp__filesystem__write_file",
"server": "filesystem",
"hashVerified": true,
"zone": "ORANGE"
},
"invocation": {
"parameters": {
"path": "[REDACTED:sensitive_path]",
"content": "[REDACTED:content_length=4096]"
},
"executionTime": 12,
"result": "blocked"
},
"security": {
"injectionScan": "clean",
"permissionCheck": "denied",
"permissionReason": "ORANGE zone requires confirmation",
"sensitiveDataRedacted": true
},
"context": {
"sessionId": "sess_abc123",
"conversationTurn": 16,
"initiatedBy": "ai-request"
},
"error": {
"code": "PERMISSION_DENIED",
"message": "User confirmation required for ORANGE zone tools"
}
}
Security Alert Entry
{
"id": "inv_c9d5e1f2a3b4c5d6",
"timestamp": "2026-02-15T14:32:00.789Z",
"tool": {
"name": "mcp__untrusted__helper",
"server": "untrusted",
"hashVerified": false,
"hashMismatch": true,
"zone": "RED"
},
"invocation": {
"parameters": {},
"executionTime": 0,
"result": "blocked"
},
"security": {
"injectionScan": "CRITICAL",
"injectionPatterns": ["cross-tool-instructions", "exfiltration"],
"permissionCheck": "denied",
"sensitiveDataRedacted": false
},
"context": {
"sessionId": "sess_abc123",
"conversationTurn": 17,
"initiatedBy": "ai-request"
},
"alert": {
"severity": "CRITICAL",
"type": "TOOL_POISONING_DETECTED",
"message": "Tool definition contains malicious patterns",
"quarantined": true
}
}
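The three entry types above can be triaged with a few field checks. The following is an added example, not part of CBrowser: it uses the field names from the sample entries, the entries in `SAMPLE_ENTRIES` are constructed, and `classify` and `triage` are hypothetical helper names. How a daily file frames its entries is not stated on this page, so the functions take already-parsed entries.

```javascript
// Constructed entries, trimmed to the fields the checks read.
const SAMPLE_ENTRIES = [
  { id: "inv_1", tool: { name: "mcp__browser__navigate", hashVerified: true, zone: "GREEN" },
    invocation: { result: "success" },
    security: { injectionScan: "clean", permissionCheck: "allowed" },
    context: { sessionId: "sess_abc123" } },
  { id: "inv_2", tool: { name: "mcp__filesystem__write_file", hashVerified: true, zone: "ORANGE" },
    invocation: { result: "blocked" },
    security: { injectionScan: "clean", permissionCheck: "denied" },
    context: { sessionId: "sess_abc123" } },
  { id: "inv_3", tool: { name: "mcp__untrusted__helper", hashVerified: false, zone: "RED" },
    invocation: { result: "blocked" },
    security: { injectionScan: "CRITICAL", permissionCheck: "denied" },
    context: { sessionId: "sess_abc123" },
    alert: { severity: "CRITICAL", type: "TOOL_POISONING_DETECTED" } },
];

// Returns the list of findings for one entry. Checks fail closed:
// a missing field counts as a finding, not as a pass.
function classify(entry) {
  const tool = entry.tool || {};
  const sec = entry.security || {};
  const findings = [];
  if (tool.hashVerified !== true) findings.push("hash-unverified");
  if (sec.injectionScan !== "clean") findings.push(`injection-scan=${sec.injectionScan}`);
  if (sec.permissionCheck === "denied") findings.push("permission-denied");
  if (entry.alert) findings.push(`alert:${entry.alert.type}`);
  // An invocation that failed a check but still ran needs attention first.
  const result = (entry.invocation || {}).result;
  if (findings.length > 0 && result !== "blocked") findings.push("NOT-BLOCKED");
  return findings;
}

// Groups flagged entries by session so one session's events read in order.
function triage(entries) {
  const bySession = {};
  for (const entry of entries) {
    const findings = classify(entry);
    if (findings.length === 0) continue;
    const sid = (entry.context || {}).sessionId || "unknown";
    bySession[sid] = bySession[sid] || [];
    bySession[sid].push({ id: entry.id, tool: (entry.tool || {}).name, findings });
  }
  return bySession;
}
```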
Sensitive Parameter Redaction
CBrowser automatically redacts sensitive information from logs.
Automatically Redacted Fields
| Pattern | What Gets Redacted |
|---|---|
| password, passwd, pwd | [REDACTED:password] |
| secret, api_key, apiKey | [REDACTED:secret] |
| token, bearer, auth | [REDACTED:token] |
| private_key, privateKey | [REDACTED:private_key] |
| File paths matching ~/.ssh/* | [REDACTED:sensitive_path] |
| File paths matching ~/.aws/* | [REDACTED:sensitive_path] |
| Content fields > 1KB | [REDACTED:content_length=N] |
Redaction Examples
Before Redaction:
{
"parameters": {
"url": "https://api.example.com/auth",
"headers": {
"Authorization": "Bearer sk-abc123xyz789",
"X-Api-Key": "key_secret_value"
},
"body": "username=admin&password=super_secret_123"
}
}
After Redaction:
{
"parameters": {
"url": "https://api.example.com/auth",
"headers": {
"Authorization": "[REDACTED:token]",
"X-Api-Key": "[REDACTED:secret]"
},
"body": "[REDACTED:contains_password]"
}
}
Custom Redaction Rules
Add patterns in ~/.cbrowser/config.json:
{
"auditLog": {
"customRedactionPatterns": [
{
"pattern": "internal_id",
"replacement": "[REDACTED:internal_id]"
},
{
"pattern": "customer_.*_number",
"replacement": "[REDACTED:customer_number]"
}
]
}
}
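Before relying on redaction rules, it helps to run them against sample parameters and see what is over-matched and what is missed. The following is an added example, not CBrowser's implementation: the built-in rows are copied from the table above, while the matching semantics (separator-insensitive substring match on key names, custom patterns as case-insensitive regular expressions, a value scan for `password=`) are assumptions chosen to reproduce the before/after example on this page. Path redaction is left out.

```javascript
// Normalise a key name so "X-Api-Key", "api_key" and "apiKey" compare equal.
const norm = (s) => s.toLowerCase().replace(/[^a-z0-9]/g, "");

// Built-in rows copied from the table above.
const BUILT_IN = [
  { names: ["password", "passwd", "pwd"], replacement: "[REDACTED:password]" },
  { names: ["secret", "api_key", "apiKey"], replacement: "[REDACTED:secret]" },
  { names: ["token", "bearer", "auth"], replacement: "[REDACTED:token]" },
  { names: ["private_key", "privateKey"], replacement: "[REDACTED:private_key]" },
];

// Returns the replacement for one key/value pair, or the value unchanged.
function redactValue(key, value, custom) {
  const k = norm(key);
  for (const rule of BUILT_IN) {
    if (rule.names.some((n) => k.includes(norm(n)))) return rule.replacement;
  }
  for (const rule of custom) {
    if (new RegExp(rule.pattern, "i").test(key)) return rule.replacement;
  }
  if (typeof value === "string") {
    // Assumed value scan: credentials embedded in a form body or query string.
    if (/(password|passwd|pwd)\s*[=:]/i.test(value)) return "[REDACTED:contains_password]";
    const size = Buffer.byteLength(value);
    if (size > 1024) return `[REDACTED:content_length=${size}]`;
  }
  return value;
}

// Walks nested parameters; strings inside arrays have no key and pass through.
function redact(node, custom = []) {
  if (Array.isArray(node)) return node.map((v) => redact(v, custom));
  if (node === null || typeof node !== "object") return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    const r = redactValue(key, value, custom);
    out[key] = r === value ? redact(value, custom) : r;
  }
  return out;
}
```

Under these assumptions a key such as `author` is redacted as a token because it contains `auth`, while a key such as `cookie` passes through untouched, which is the kind of gap a custom rule is for.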
CLI Commands
View Recent Invocations
npx cbrowser audit-log
Output:
Recent Tool Invocations
=======================
Showing last 20 invocations
2026-02-15 14:30:45 mcp__browser__navigate SUCCESS 234ms GREEN
2026-02-15 14:30:44 mcp__browser__screenshot SUCCESS 567ms GREEN
2026-02-15 14:30:40 mcp__filesystem__read_file SUCCESS 12ms YELLOW
2026-02-15 14:30:35 mcp__browser__navigate SUCCESS 189ms GREEN
...
Filter by Tool
npx cbrowser audit-log --tool "browser"
Filter by Date Range
npx cbrowser audit-log --from 2026-02-14 --to 2026-02-15
Filter by Result
# Show only failures
npx cbrowser audit-log --result blocked
# Show only security alerts
npx cbrowser audit-log --alerts-only
Filter by Zone
npx cbrowser audit-log --zone RED
Full Entry Details
npx cbrowser audit-log --id inv_a7f3b2c9d4e5f6a1
Export Logs
# Export as JSON
npx cbrowser audit-log --from 2026-02-01 --to 2026-02-15 --export > audit-export.json
# Export as CSV
npx cbrowser audit-log --from 2026-02-01 --to 2026-02-15 --format csv > audit-export.csv
Statistics Summary
npx cbrowser audit-log --stats
Output:
Audit Log Statistics (Last 7 Days)
===================================
Total Invocations: 1,247
Successful: 1,198 (96.1%)
Blocked: 49 (3.9%)
By Zone:
GREEN: 1,050 (84.2%)
YELLOW: 150 (12.0%)
ORANGE: 35 (2.8%)
RED: 12 (1.0%)
BLACK: 0 (0.0%)
Security Events:
Hash Mismatches: 3
Injection Detections: 2
Permission Denials: 44
Top Tools:
1. mcp__browser__navigate (423)
2. mcp__browser__screenshot (312)
3. mcp__filesystem__read_file (198)
4. mcp__browser__click (156)
5. mcp__browser__fill (158)
Average Execution Time: 187ms
Log Retention Policy
Default Retention
| Log Type | Retention Period |
|---|---|
| Standard invocations | 30 days |
| Security alerts | 90 days |
| Blocked invocations | 60 days |
Configure Retention
In ~/.cbrowser/config.json:
{
"auditLog": {
"retention": {
"standard": 30,
"securityAlerts": 90,
"blocked": 60
},
"maxFileSize": "100MB",
"compression": true
}
}
Manual Cleanup
# Remove logs older than N days
npx cbrowser audit-log --cleanup --older-than 30
# Remove logs for specific date range
npx cbrowser audit-log --cleanup --from 2026-01-01 --to 2026-01-15
Real-Time Monitoring
Watch Mode
npx cbrowser audit-log --watch
Streams new log entries as they occur:
[14:35:22] mcp__browser__navigate SUCCESS 234ms GREEN
[14:35:25] mcp__browser__screenshot SUCCESS 567ms GREEN
[14:35:30] mcp__filesystem__write BLOCKED 12ms ORANGE (requires confirmation)
Watch with Filters
# Only show security events
npx cbrowser audit-log --watch --alerts-only
# Only show specific zone
npx cbrowser audit-log --watch --zone RED
# Only show failures
npx cbrowser audit-log --watch --result blocked
Integration Examples
Send Alerts to Slack
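npx cbrowser audit-log --watch --alerts-only --format json | \
while IFS= read -r line; do
  # Build the payload with jq (must be installed) so quotes and backslashes
  # in the log entry are escaped and the request body stays valid JSON
  payload=$(jq -cn --arg text "CBrowser Security Alert: $line" '{text: $text}')
  curl -sS -X POST "$SLACK_WEBHOOK_URL" \
    -H 'Content-Type: application/json' \
    -d "$payload"
done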
Export to Splunk
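#!/bin/bash
# Daily export script
# Log files rotate at midnight UTC, so compute yesterday's date in UTC
DATE=$(date -u -d "yesterday" +%Y-%m-%d)
LOG_FILE="$HOME/.cbrowser/audit/tool-invocations-$DATE.json"
# TLS verification stays on (no -k) so the HEC token is only sent to a verified host.
# For a private CA, add: --cacert /path/to/ca.pem (placeholder path)
curl --fail "https://splunk.company.com:8088/services/collector/event" \
  -H "Authorization: Splunk $SPLUNK_TOKEN" \
  --data-binary @"$LOG_FILE"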
CloudWatch Integration
{
"auditLog": {
"cloudwatch": {
"enabled": true,
"logGroup": "/cbrowser/audit",
"region": "us-east-1"
}
}
}
Security Considerations
Log File Permissions
Audit logs contain sensitive operation details. Restrict the files so that only the owning user can read or write them:
chmod 600 ~/.cbrowser/audit/*.json
Encryption at Rest
Enable log encryption in config:
{
"auditLog": {
"encryption": {
"enabled": true,
"algorithm": "aes-256-gcm"
}
}
}
Log Integrity
Enable tamper detection:
{
"auditLog": {
"integrity": {
"enabled": true,
"algorithm": "sha256",
"verifyOnRead": true
}
}
}
Verify log integrity:
npx cbrowser audit-log --verify-integrity
Compliance Support
GDPR Considerations
The audit log respects data minimization. Configure what gets logged:
{
"auditLog": {
"gdpr": {
"minimizeParameters": true,
"excludeTools": ["mcp__personal__data_tool"],
"retentionDays": 30
}
}
}
SOC 2 Requirements
For SOC 2 compliance, enable enhanced logging:
{
"auditLog": {
"soc2": {
"enabled": true,
"logUserAgent": true,
"logSourceIP": true,
"immutableStorage": true
}
}
}
Troubleshooting
Logs Not Being Created
Check disk space and permissions:
df -h ~/.cbrowser/audit
ls -la ~/.cbrowser/audit
Log File Too Large
Enable compression and rotation:
{
"auditLog": {
"compression": true,
"maxFileSize": "50MB",
"rotateDaily": true
}
}
Missing Entries
Check if the tool is in the exclusion list:
npx cbrowser config get auditLog.exclude
Related Documentation
- Tool Pinning - Cryptographic integrity
- Injection Scanner - Threat detection
- Permission Zones - Access control
- Output Sanitization - Response protection