OpenClaw Audit Log Hook

MCP Tools

Records and logs all tool calls before and after execution for auditing, debugging, usage stats, and error tracking with sensitive data redaction.

Install

openclaw skills install openclaw-audit-log-hook

Audit Log Hook - Tool Call Audit

Purpose

Record all tool calls via before_tool_call and after_tool_call hooks for:

Security auditing
Debugging issues
Usage statistics
Error tracking

Implementation

// Audit log file path
const AUDIT_LOG = path.join(process.env.OPENCLAW_STATE_DIR || '~/.openclaw', 'audit.log');

api.registerHook("before_tool_call", async ({ event, ctx }) => {
  const entry = {
    ts: new Date().toISOString(),
    event: "before_tool_call",
    tool: event.tool.name,
    params: JSON.stringify(event.tool.params).slice(0, 500),
    session: ctx.sessionKey,
    user: ctx.session?.senderId || 'unknown'
  };
  console.log("[AUDIT]", JSON.stringify(entry));
  return {};
});

api.registerHook("after_tool_call", async ({ event, ctx }) => {
  const entry = {
    ts: new Date().toISOString(),
    event: "after_tool_call",
    tool: event.tool.name,
    result: String(event.result).slice(0, 200),
    error: event.error?.message || null,
    duration: event.durationMs,
    session: ctx.sessionKey
  };
  console.log("[AUDIT]", JSON.stringify(entry));
  return {};
});

Log Format

{"ts":"2026-04-01T23:00:00.000Z","event":"before_tool_call","tool":"exec","params":"{\"command\":\"ls -la\"}","session":"agent:main:feishu:direct:ou_xxx","user":"ou_xxx"}
{"ts":"2026-04-01T23:00:00.050Z","event":"after_tool_call","tool":"exec","result":"total 8\ndrwxr-xr-x  12 dc  staff   384 Apr  1 23:00","error":null,"duration":50,"session":"agent:main:feishu:direct:ou_xxx"}

Sensitive Data Handling

Auto-redact sensitive fields:

function redactSensitive(obj) {
  const sensitive = ['apiKey', 'token', 'password', 'secret'];
  for (const key of Object.keys(obj)) {
    if (sensitive.some(s => key.toLowerCase().includes(s))) {
      obj[key] = '[REDACTED]';
    }
  }
  return obj;
}

Statistics Analysis

Periodically analyze audit.log:

# Count tool usage
grep "before_tool_call" audit.log | jq -r .tool | sort | uniq -c | sort -rn

# Count errors
grep "after_tool_call" audit.log | jq -r '.error' | grep -v null | wc -l

# Count sessions
grep "before_tool_call" audit.log | jq -r .session | sort -u | wc -l