Overview
Observability in DefenseClaw has three layers, emitted in parallel:
- Audit store — authoritative, persisted SQLite database of every decision, verdict, and action.
- JSONL local log — append-only structured events on disk, readable by Splunk Universal Forwarder and jq.
- OTel + audit sinks — OpenTelemetry traces/metrics plus audit-event delivery to Splunk HEC, OTLP logs, or HTTP JSONL.
The streams share correlation and provenance fields, but they are not identical copies: the audit bridge translates persisted audit rows into lifecycle JSONL events, while native guardrail/judge/scan emitters write richer structured rows directly.
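Because the audit store is authoritative and the JSONL log is a parallel, bridged stream keyed by shared correlation fields, the two can be reconciled to spot decisions that never reached the on-disk log. The snippet below is an added illustration, not DefenseClaw's own code; the `audit` table columns, the `correlation_id` field name and the `decision.recorded` event name are assumptions standing in for the real schema documented on the Audit store and Gateway JSONL log pages.

```python
import json
import sqlite3

# Constructed stand-in for the audit store schema (assumption, not the real one).
AUDIT_SCHEMA = """
CREATE TABLE audit (
    id INTEGER PRIMARY KEY,
    correlation_id TEXT NOT NULL,
    source TEXT NOT NULL,
    verdict TEXT NOT NULL,
    ts TEXT NOT NULL
)
"""

# Constructed audit rows: one each from the guardrail, judge and scan emitters.
SAMPLE_ROWS = [
    ("c-001", "guardrail", "allow", "2024-01-01T00:00:00Z"),
    ("c-002", "judge", "deny", "2024-01-01T00:00:01Z"),
    ("c-003", "scan", "allow", "2024-01-01T00:00:02Z"),
]

# Constructed JSONL log: c-003 was never bridged (a simulated signal drop),
# one lifecycle event carries no correlation id, and one line is truncated.
SAMPLE_JSONL = "\n".join([
    json.dumps({"event": "decision.recorded", "correlation_id": "c-001", "source": "guardrail"}),
    json.dumps({"event": "decision.recorded", "correlation_id": "c-002", "source": "judge"}),
    json.dumps({"event": "gateway.start", "correlation_id": None}),
    '{"event": "decision.recorded", "correlation_id": "c-0',
])

def load_audit(conn):
    """Create the stand-in audit table and insert the constructed rows."""
    conn.execute(AUDIT_SCHEMA)
    conn.executemany(
        "INSERT INTO audit (correlation_id, source, verdict, ts) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()

def jsonl_correlation_ids(text):
    """Collect correlation ids from a JSONL log; malformed lines are counted, not fatal."""
    ids, bad = set(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad += 1          # rotation or crash can leave a torn last line
            continue
        if ev.get("correlation_id"):
            ids.add(ev["correlation_id"])
    return ids, bad

def find_dropped(conn, jsonl_text):
    """Correlation ids in the authoritative store that are absent from the JSONL stream."""
    rows = conn.execute("SELECT correlation_id FROM audit").fetchall()
    seen, _ = jsonl_correlation_ids(jsonl_text)
    return sorted(cid for (cid,) in rows if cid not in seen)

def demo():
    conn = sqlite3.connect(":memory:")
    load_audit(conn)
    return find_dropped(conn, SAMPLE_JSONL)
```

`demo()` returns the correlation ids whose audit rows never appeared in the JSONL log, which is the first thing to check when a downstream sink or forwarder shows fewer decisions than the store.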
Section map
| Page | Purpose |
|---|---|
| OTEL spec | Span/metric names, attributes, resource conventions |
| Audit store | The SQLite schema, querying, and export paths |
| Audit bridge | Translating audit rows into gatewaylog lifecycle events |
| Gateway JSONL log | On-disk structured log, rotation, schema |
| Sinks | Audit sink catalog and per-kind config |
| Webhook dispatcher | Queueing, retry, HMAC signing |
| Redaction | What is and isn't scrubbed before egress |
| Splunk app | Cisco DefenseClaw Splunk app overview |
| Troubleshooting | Common signal-drop scenarios |