Audit & Observability

Every agent interaction, tool call, and model invocation is logged in your tenant. This page covers what’s tracked, where it lives, and how to access it.


What’s Logged

Application-Level (Corral)

Corral tracks agent activity through the analytics and activity features:

| Data | What It Contains |
| --- | --- |
| Conversations | Count, duration, message counts per app |
| LLM Usage | Token consumption by model (input/output tokens) |
| Tool Calls | Which tools were called, how often, success/failure |
| Usage Patterns | Hourly and daily activity trends |
| Turn Records | Individual conversation turns with full detail |

This data is accessible through the admin console:

  • Analytics tab — summary dashboards for conversations, LLM usage, tool calls, and usage patterns
  • Activities tab — browsable individual conversation turns

Infrastructure-Level (Azure)

All infrastructure telemetry stays in your tenant:

| Service | What It Captures |
| --- | --- |
| Application Insights | Application performance, distributed traces, exceptions, custom events |
| Log Analytics | Centralized logs from all Container Apps and Azure services |
| Azure Activity Log | Every Azure resource operation, including Corral maintenance actions |
| Key Vault Audit Logs | Every secret access and modification |

You query these with the same tools you use for any Azure workload — Azure Monitor, Log Analytics queries (KQL), Azure workbooks.


Accessing Analytics in the Admin Console

Each app has an Analytics tab with:

  • Summary — total conversations, messages, average duration
  • LLM — token usage broken down by model
  • Functions — tool call statistics (frequency, which tools are used most)
  • Usage Patterns — when your agents are busiest (hourly/daily heatmaps)

The Activities tab provides a paginated view of individual turns — you can see exactly what happened in each conversation, what tools were called, and how the agent responded.


Querying Logs Directly

All Corral application logs are sent to the Log Analytics workspace in your tenant via OpenTelemetry, so you can query them directly.

This section is a work in progress.


What’s Not Yet Built

Immutable Audit Log

Transcript logging is currently fire-and-forget — events are recorded in Application Insights and the SQL database but there’s no dedicated immutable event store designed for compliance-grade audit trails. The data exists and is queryable, but it hasn’t been packaged into a purpose-built audit export or retention mechanism.

CRF Taint Transitions

When Phase 2 of the Cumulative Restrictions Framework ships, taint transitions (the moment a conversation escalates from Clean to Internal or Tainted) will be logged as events. This will be valuable for security teams monitoring for potential injection attempts.

Dedicated Audit UI

The current analytics and activities views show agent behavior data. A dedicated audit log view — designed for compliance officers and security reviewers, with filtering, export, and retention policies — is planned.


For Security Reviews

When your security team evaluates Corral, point them to:

  1. Azure Activity Log — shows all Corral maintenance operations (proof of what the publisher does and doesn’t do)
  2. Application Insights — shows all agent behavior (proof of what agents do)
  3. Network monitoring — shows no outbound data flows to Corral’s infrastructure (proof of zero data egress)
  4. Key Vault logs — show all secret access (proof of credential management)

All of this is in your tenant, queryable by your team, using your existing Azure monitoring tools.
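
Items 1 and 4 above can be reviewed together in KQL. The query below is an added example, not part of Corral's documentation; it assumes the Activity Log and Key Vault diagnostic settings export to your Log Analytics workspace with Key Vault logs in the AzureDiagnostics table, and `<publisher-principal-id>` is a placeholder for the identity the publisher uses for maintenance.

```kusto
// Added example (constructed, not Corral's own query): one summary of
// control-plane operations and Key Vault secret operations per actor.
// Assumes both diagnostic settings export to this workspace and Key Vault
// logs use the AzureDiagnostics table (not the resource-specific mode).
let lookback = 30d;
// Placeholder: fill in the identity the publisher uses for maintenance.
let publisherCallers = dynamic(["<publisher-principal-id>"]);
let controlPlane =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where CategoryValue == "Administrative"
    // Skip the intermediate Start/Accept records; keep final outcomes.
    | where ActivityStatusValue in ("Success", "Failure")
    | project TimeGenerated, Source = "ActivityLog", Actor = Caller,
              Operation = OperationNameValue, Outcome = ActivityStatusValue;
let secretAccess =
    AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where ResourceProvider == "MICROSOFT.KEYVAULT"
    | where OperationName startswith "Secret"
    // The app-id column only exists once such a record has been ingested.
    | extend AppId = tostring(column_ifexists("identity_claim_appid_g", ""))
    | project TimeGenerated, Source = "KeyVault",
              Actor = iff(isnotempty(AppId), AppId, CallerIPAddress),
              Operation = OperationName, Outcome = ResultSignature;
union controlPlane, secretAccess
| extend IsPublisher = Actor in~ (publisherCallers)
| summarize Events = count(), FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Source, Actor, IsPublisher, Operation, Outcome
| order by IsPublisher desc, Events desc
```

Rows where IsPublisher is false are the ones to reconcile against your own change and access records.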