Audit export
Stream session audit logs to JSONL, CSV, Datadog Logs, or any HTTP collector.
Every state-changing action a fabric-harness session takes — model calls, tool calls, approvals, webhook deliveries, errors — lands as a SessionEntry in the session log. fh export-audit walks that log and emits one row per entry, with normalized columns.
Local export
```bash
fh export-audit <session-id>                                   # JSONL to stdout
fh export-audit <session-id> --format csv --output audit.csv   # CSV to file
```
Pipe to jq for ad-hoc filtering:
```bash
fh export-audit ask-1f4f... | jq -c 'select(.type=="model_attempt") | {model, costUsd}'
```
Datadog Logs
Ship straight to the Datadog HTTP intake:
```bash
fh export-audit <session-id> \
  --to datadog \
  --datadog-api-key env://DATADOG_API_KEY \
  --datadog-site us5.datadoghq.com \
  --service my-saas
```
- Batches in groups of 500 rows.
- Adds `ddsource: 'fabric-harness'`, `service`, and `ddtags: 'session:<id>,tenant:<id?>'`.
- Defaults `--datadog-site` to `datadoghq.com` (US1).
Splunk HEC
```bash
fh export-audit <session-id> \
  --to splunk \
  --splunk-url https://splunk.example.com:8088/services/collector/event \
  --splunk-token env://SPLUNK_HEC_TOKEN \
  --splunk-source fabric-harness \
  --splunk-sourcetype fabric:audit
```
Each row is wrapped in a Splunk HEC envelope (`{ event, source, sourcetype, time }`) and POSTed in batches of 200. The `time` field uses `entry.timestamp` (epoch seconds) so Splunk indexes events at their original time.
BigQuery
```bash
fh export-audit <session-id> \
  --to bigquery \
  --bigquery-project my-gcp-project \
  --bigquery-dataset audit \
  --bigquery-table fabric_harness \
  --gcp-access-token env://GCP_TOKEN
```
Uses BigQuery's `tabledata.insertAll` REST endpoint. Caller supplies a pre-issued OAuth access token (Workload Identity, ADC, GCS impersonation, etc.) — fabric-harness doesn't bake in `google-auth-library`. Batches at 500 rows per request; each row gets a deterministic `insertId` so retries deduplicate cleanly. Schema in BigQuery should match the audit row shape; missing columns are tolerated via `ignoreUnknownValues: true`.
Generic HTTP collector
For Splunk HEC, Logflare, an internal NDJSON ingestor, etc., point --to http:
```bash
fh export-audit <session-id> \
  --to http \
  --url https://collector.internal/audit \
  --auth-token env://COLLECTOR_TOKEN
```
Posts a single NDJSON body (`application/x-ndjson`) with each row as one line. Bearer-token auth is optional.
Row shape
Every row carries these columns when populated:
| Column | Source |
|---|---|
| `timestamp`, `type`, `sessionId`, `entryId`, `parentId` | session entry envelope |
| `tenantId` | session-level tenant id |
| `tool`, `command`, `model`, `provider`, `durationMs` | per-entry metadata |
| `inputTokens`, `outputTokens`, `cachedInputTokens`, `cacheWriteTokens`, `costUsd` | usage from `model_attempt` entries |
| `approvalId`, `audience` | approval lifecycle entries |
| `eventType`, `idempotencyKey` | webhook deliveries |
| `errorMessage` | error entries |

Streams line-by-line — handles large sessions without buffering.
Backfill / replay
fh export-audit reads from any configured SessionStore — file-backed, SQLite, or Postgres. Run it as a periodic job to push the last hour's sessions to your SIEM, or on-demand when investigating an incident.
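
A triage pass over the JSONL export for the incident-investigation case above, as an added example (not part of fabric-harness or its documentation): it sums cost and tokens per model from `model_attempt` rows, collects rows with `errorMessage` set, counts unparseable lines, and lists entries whose `parentId` does not appear in the export. The sample rows, the `example_*` type names, and the assumption that a parent entry is always exported alongside its child are constructed for illustration.

```python
import json
import sys
from collections import defaultdict

# Constructed sample rows in the documented column shape (not real output).
# Only "model_attempt" is a type named in the docs; "example_*" are made up.
SAMPLE_JSONL = """\
{"timestamp": 1700000000, "type": "model_attempt", "sessionId": "s-1", "entryId": "e1", "model": "model-a", "inputTokens": 1200, "outputTokens": 300, "costUsd": 0.25}
{"timestamp": 1700000005, "type": "example_tool", "sessionId": "s-1", "entryId": "e2", "parentId": "e1", "tool": "shell", "durationMs": 40}
not-json
{"timestamp": 1700000009, "type": "model_attempt", "sessionId": "s-1", "entryId": "e3", "parentId": "e2", "model": "model-a", "inputTokens": 800, "outputTokens": 200, "costUsd": 0.5}
{"timestamp": 1700000012, "type": "example_error", "sessionId": "s-1", "entryId": "e4", "parentId": "e9", "errorMessage": "tool timed out"}
"""


def triage(lines):
    """Consume JSONL audit rows one line at a time and return a summary."""
    cost, tokens = defaultdict(float), defaultdict(int)
    errors, malformed = [], 0
    seen, parents = set(), {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            row = json.loads(raw)
        except json.JSONDecodeError:
            row = None
        if not isinstance(row, dict):
            malformed += 1  # count, don't abort: a truncated line is itself a finding
            continue
        entry_id = row.get("entryId")
        seen.add(entry_id)
        if row.get("parentId"):
            parents[entry_id] = row["parentId"]
        if row.get("type") == "model_attempt":
            model = row.get("model") or "unknown"
            cost[model] += row.get("costUsd") or 0.0
            tokens[model] += (row.get("inputTokens") or 0) + (row.get("outputTokens") or 0)
        if row.get("errorMessage"):
            errors.append((entry_id, row["errorMessage"]))
    # Assumption: a parent entry is always exported alongside its child.
    dangling = sorted((e for e, p in parents.items() if p not in seen), key=str)
    return {"cost_by_model": dict(cost), "tokens_by_model": dict(tokens),
            "errors": errors, "dangling_parents": dangling, "malformed": malformed}


if __name__ == "__main__":
    # fh export-audit <session-id> | python triage.py   (falls back to the sample)
    source = SAMPLE_JSONL.splitlines() if sys.stdin.isatty() else sys.stdin
    print(json.dumps(triage(source), indent=2))
```

A non-zero `malformed` count or a non-empty `dangling_parents` list means the export is incomplete relative to the session log and should be re-run before conclusions are drawn from it.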