Overview
Audit Logs provides enterprise-grade tracking across all core surfaces of the platform, including documents, assistant interactions, portals, editor, Tabular Review, and knowledge items. This gives security and governance teams detailed, compliance-ready visibility into activity across AI-powered workflows, collaboration, and document handling.
When Audit Logs is enabled and a user has access:
Activity is captured across supported surfaces and can be filtered for investigation and reporting.
Events include relevant context such as timestamps, user identity, session information, IP address, and device information.
Audit Logs are exportable programmatically via API.
Audit Logs is designed for organization-level governance and is typically used for compliance, incident response, and client audit requests.
Who can use Audit Logs
Eligibility: Access is role-based and requires an Auditor role.
Typical users: Audit Logs is usually required and reviewed by information security teams, legal operations professionals, and risk or compliance officers.
Prerequisites
A workspace administrator must assign the Auditor role to the user.
Audit Logs is available from the Audit Logs page (previously called the Data Governance page).
No additional setup is required to view audit logs once access is granted.
How to find and use Audit Logs
Navigate to the Audit Logs page in your Legora workspace.
Use filters to narrow down activities by user, date range, action type, or other criteria.
Review the activity timeline with detailed event context.
Export the current filtered view for reporting or compliance purposes.
Investigate a specific user by selecting them to view their activity history.
What gets tracked
Audit Logs covers activity across core platform surfaces, including:
User actions: Login/logout, sessions, invites, password changes
Document actions: Upload (filterable by source), move, download, delete
Assistant interactions: Actions such as a user creating a workflow or sending a message, including conversation history (filterable by surface such as Word, Outlook, or mobile), but not the specific prompts and responses.
Portals: Creation, deletion, user invites, actions, workflows run, documents uploaded
Editor: Creation, deletion, edits, comments
Tabular Review: Creation, deletion, documents added, columns added, issues flagged, cells reviewed, comments
Knowledge items: Workflows, prompts, templates, playbooks — creation, deletion, edit
Admin setup
Assigning Auditor roles
Navigate to Workspace Settings → Members & Roles.
Select the user you want to grant audit access to.
Assign the Auditor role.
Save and verify the user can access the Audit Logs page.
Tips:
Align retention settings with regulatory requirements and client audit expectations.
Confirm whether your organization prefers a fixed retention window or long-term retention.
Retention policy does not apply to audit logs.
FAQ
Are audit logs updated in real time?
No, audit logs are updated every 30 minutes.
What time zone are audit logs captured in?
Logs are localized to your web browser location. When exported, timestamps are shown in UTC.
What is the retention period for audit logs?
This data is held forever.
Can I see the full conversation history for AI assistant interactions?
No, not in the audit logs. The Auditor can see the action that was undertaken but not the specific prompts and responses.
How do I investigate a specific user’s activity?
Select the user from the Audit Logs page to view their activity history, including session context and timestamps.
Can I export audit logs for reporting?
Yes. Exports include the currently filtered view.
Troubleshooting
I can’t access the Audit Logs page
Verify the user has been assigned the Auditor role by a workspace administrator.
Filters are not showing recent activity
Expand the date range. Also confirm the configured audit log retention period.
Export is not including all the data I see on screen
Exports reflect the current filtered view. Re-check filters before exporting.
Can’t find search functionality in filters
Search is available within filter drop-downs. Click a filter and start typing.
API: Technical guide
Audit Logs API
Legora provides a REST API for programmatically retrieving audit logs. This is useful for SIEM integrations (e.g. Splunk, Microsoft Sentinel), automated compliance reporting, and custom dashboards.
Authentication
All API requests require a Legora API key with the audit-logs:read scope. Include it as a Bearer token in the Authorization header:
Authorization: Bearer <your-api-key>
API keys can be created by organization administrators from Workspace Settings.
Listing audit logs
Retrieve a paginated list of audit log events, ordered by timestamp (oldest first).
GET /api/v1/audit-logs
| Parameter | Required | Description |
| from | Yes (on first request) | Start date (inclusive), e.g. |
| | No | End date (inclusive). Defaults to today. |
| cursor | No | Opaque pagination cursor from a previous response. When provided, |
| limit | No | Number of records per page (1–1000, default 100). |
Example request
curl -H "Authorization: Bearer <your-api-key>" \
  "https://<your-domain>/api/v1/audit-logs?from=2026-03-01&limit=500"
Example response
{
  "data": [
    {
      "id": "3f6c7a2e-9b9f-4c1d-8f6a-2e1b9c4a7d32",
      "timestamp": "2026-03-01T09:15:42.123Z",
      "organisationId": "a1b2c3d4-...",
      "actorType": "user",
      "actorId": "7c2b1d54-...",
      "actorEmail": "[email protected]",
      "sourceIp": "203.0.113.42",
      "sourceUserAgent": "Mozilla/5.0 ...",
      "action": "document.download",
      "operation": "read",
      "resourceType": "document",
      "resourceId": "b9a4f2d1-...",
      "resourceDisplayName": "Q1 Report.pdf",
      "resultStatus": "success",
      "clientExternalId": "CLI-001",
      "clientDisplayName": "Acme Corp",
      "matterExternalId": "MAT-2026-042",
      "matterDisplayName": "Acme Acquisition",
      "collaborationPolicyId": null,
      "collaborationPolicyDisplayName": null,
      "projectName": "Due Diligence",
      "organisationDatabaseName": null
    }
  ],
  "nextCursor": "eyJ0cyI6IjIwMjYtMDMtMDFUMDk6MTU6NDIuMTIzWiIsImlkIjoiM2Y2YzdhMmUtLi4uIn0="
}
Pagination and continuous polling
The response always includes a nextCursor when there are results. Pass it on the next request to fetch the following page:
GET /api/v1/audit-logs?cursor=eyJ0cyI6...&limit=500
When no new events exist, the response returns an empty data array with the same cursor. This makes it straightforward to set up a polling loop for SIEM ingestion — simply retry with the last cursor on a schedule (e.g. every few minutes) to pick up new events as they appear.
Rate limits
The API is rate-limited per organization. If you exceed the limit, requests return 429 Too Many Requests. Back off and retry after the period indicated in the response headers.
Integration tips
For Splunk, use a scripted input or HTTP Event Collector (HEC) that polls the cursor-based API on a schedule.
For Microsoft Sentinel / Azure Monitor, configure a Logic App or Function App that polls the API and pushes events to a Data Collection Endpoint.
For any SIEM, the cursor-based design means you never need to track timestamps yourself — the cursor handles deduplication and resumption.
For detailed integration guidance, contact the Legora team.
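The polling loop described under Pagination and continuous polling and Rate limits, as an added example (not Legora's own code): drain pulls pages until the API returns an empty data array, keeps nextCursor in a state dict, and backs off on 429. The Retry-After header name, the state dict, the emit callback and all function names are assumptions of this example; the page does not specify them.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

def http_fetch(base_url, api_key, params):
    """GET /api/v1/audit-logs -> (status, lower-cased headers, parsed body or None)."""
    url = f"{base_url}/api/v1/audit-logs?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, None

def backoff_seconds(headers, attempt):
    # Assumption: wait period arrives as Retry-After in seconds; else exponential.
    try:
        return float(headers.get("retry-after", ""))
    except ValueError:
        return float(2 ** attempt)

def drain(fetch, state, emit, start_date, limit=500, sleep=time.sleep, max_retries=5):
    """Forward every event available now; resume from state["cursor"] if set."""
    emitted = retries = 0
    while True:
        params = {"limit": limit}
        if state.get("cursor"):
            params["cursor"] = state["cursor"]
        else:
            params["from"] = start_date  # only required on the first request
        status, headers, body = fetch(params)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("still rate-limited; retry on the next schedule")
            sleep(backoff_seconds(headers, retries))
            continue
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        retries = 0
        for event in body["data"]:
            emit(event)
        emitted += len(body["data"])
        # Advance the cursor only after the page was forwarded (at-least-once).
        state["cursor"] = body.get("nextCursor") or state.get("cursor")
        if not body["data"]:
            return emitted  # empty page: caught up, poll again later
```

Wrap http_fetch with functools.partial to supply base_url and the API key, and write state to durable storage after each run. Because the cursor advances only after a page is forwarded, a crash mid-page replays that page, so de-duplicate on the event id downstream.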
Changelog
Initial availability: Q1 2026
February 2026: Expanded audit logging across core product surfaces
Future updates: API-based automated export and richer automation and alerting
