Observability
Sentry/OTel/SIEM observability.
Rensei ships three complementary observability layers: Sentry for error and exception capture, OpenTelemetry (OTel) for distributed tracing of agent verb execution, and SIEM export for forwarding audit events to your security information platform. All three are opt-in via environment variables and operate independently.
Sentry error capture
Sentry is instrumented at all three Next.js execution boundaries: server, client, and edge. Configuration lives in sentry.server.config.ts, sentry.client.config.ts, and sentry.edge.config.ts.
Setup
Sentry integration is configured by the platform operator at the deployment level. Deployment-level Sentry setup (DSN, project credentials) is covered in the operator docs. Errors are enriched with user context (org ID and user ID) to enable per-tenant issue filtering.
What Sentry captures
- Unhandled exceptions in API route handlers
- React component render errors (via Error Boundary integration)
- Edge runtime errors (middleware, edge API routes)
- Manual Sentry.captureException() calls for known error paths (e.g., webhook signature failures, policy evaluation errors)
OpenTelemetry tracing
The OTel exporter subscribes to the Layer-6 verb bus and emits one span per agent tool invocation. This means every pre-verb / post-verb pair produces a span - no manual tracer.startSpan() calls are scattered through the codebase.
Enabling OTel traces
OTel tracing is activated by the platform operator via deployment-level environment variables. The exporter sends OTLP HTTP spans to any OTLP-compatible endpoint (LangSmith, Langfuse, Arize, Honeycomb, Grafana Cloud, etc.). Deployment-level OTel configuration is covered in the operator docs.
Span attributes
Every verb span includes:
| Attribute | Description |
|---|---|
| org_id | Organization ID |
| agent_card_id | The agent card that owned the session |
| session_id | Platform session identifier |
| work_type | SDLC work type (e.g. development, qa) when present |
| tool | The tool/verb name |
| latency_ms | Duration from pre-verb to post-verb |
| agent_url | URL of the A2A agent |
| skill_id | Skill being invoked |
Session events
In addition to verb spans, the exporter can emit one span per SessionEvent (session start, activity, completion). The projectSessionEvent projector maps session events to OtelTraceSpan format.
Exporter failure isolation
The OTel subscriber runs inside the verb bus's subscriber crash-isolation wrapper. A thrown or rejected span export does not block other subscribers (audit, cost, eval) and is logged at warn level.
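The pairing of pre-verb and post-verb events into one span, and the crash isolation around the exporter, can be sketched as follows. This is an added example, not Rensei's code: VerbEvent, VerbBus, otelSubscriber and the callId correlation field are hypothetical names, and the warnings array stands in for warn-level logging.

```typescript
// Added example; VerbEvent, VerbBus, otelSubscriber and callId are hypothetical names.
type VerbEvent = {
  phase: "pre-verb" | "post-verb";
  callId: string; // assumed correlation key for one tool invocation
  tool: string; org_id: string; session_id: string;
  at: number; // epoch milliseconds
};
type Span = { name: string; attributes: Record<string, string | number> };
type Subscriber = (e: VerbEvent) => void | Promise<void>;

class VerbBus {
  private subs: { name: string; fn: Subscriber }[] = [];
  warnings: string[] = []; // stands in for warn-level log output
  subscribe(name: string, fn: Subscriber): void { this.subs.push({ name, fn }); }
  publish(e: VerbEvent): void {
    for (const { name, fn } of this.subs) {
      const warn = (err: unknown): void => { this.warnings.push(`${name}: ${String(err)}`); };
      // Crash isolation: a sync throw or an async rejection is logged, never rethrown.
      try { Promise.resolve(fn(e)).catch(warn); } catch (err) { warn(err); }
    }
  }
}

// Pairs pre-verb with post-verb by callId and exports one span per pair.
function otelSubscriber(exportSpan: (s: Span) => void | Promise<void>): Subscriber {
  const open = new Map<string, VerbEvent>();
  return (e) => {
    if (e.phase === "pre-verb") { open.set(e.callId, e); return; }
    const pre = open.get(e.callId);
    if (!pre) return; // post-verb without a matching pre-verb: nothing to time
    open.delete(e.callId);
    return exportSpan({
      name: `verb ${e.tool}`,
      attributes: { org_id: e.org_id, session_id: e.session_id, tool: e.tool, latency_ms: e.at - pre.at },
    });
  };
}

// Constructed run: one tool invocation, with an exporter that optionally fails.
function demo(failing: boolean): { audit: string[]; spans: Span[]; warnings: string[] } {
  const bus = new VerbBus();
  const audit: string[] = [];
  const spans: Span[] = [];
  bus.subscribe("otel", otelSubscriber((s) => { if (failing) throw new Error("collector down"); spans.push(s); }));
  bus.subscribe("audit", (e) => { audit.push(`${e.phase}:${e.tool}`); });
  const base = { callId: "c1", tool: "git.commit", org_id: "org_1", session_id: "s1" };
  bus.publish({ ...base, phase: "pre-verb", at: 1000 });
  bus.publish({ ...base, phase: "post-verb", at: 1045 });
  return { audit, spans, warnings: bus.warnings };
}
console.log(demo(true));
```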
SIEM export
The audit trail's fanOutToSIEM function delivers every appendEvent() call to all configured SIEM destinations for the workspace. Delivery is fire-and-forget (non-blocking).
Supported formats
| Format | Protocol | Compatible platforms |
|---|---|---|
| json | HTTP POST, JSON body | Splunk HEC, Elasticsearch, Datadog |
| cef | HTTP POST, ArcSight CEF string | ArcSight, HP ArcSight Logger |
| leef | HTTP POST, IBM LEEF string | IBM QRadar |
Configuring a SIEM destination
SIEM destinations are managed per workspace via the API:
# Add a Splunk HEC destination
curl -X POST https://rensei.ai/api/audit/siem/destinations \
-H "Authorization: Bearer rsk_live_..." \
-H "Content-Type: application/json" \
-d '{
"type": "http",
"url": "https://splunk.example.com:8088/services/collector",
"format": "json",
"apiKey": "Splunk <hec-token>",
"name": "Splunk Production",
"filter": ["agent.spawned", "agent.completed", "approval.gate_created"]
}'

The filter array is optional. When omitted, all audit event types are forwarded. When present, only matching eventType values are delivered.
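The filter semantics and the three wire formats can be exercised together, including what happens to field values that contain delimiter characters before they reach the SIEM parser. This is an added example, not the platform's fanOutToSIEM: the AuditEvent and Destination shapes, the CEF/LEEF field mapping and the ExampleVendor/ExampleProduct header values are assumptions.

```typescript
// Added example. AuditEvent, Destination and the CEF/LEEF field mapping are
// assumptions; vendor/product/version header values are placeholders.
type AuditEvent = { eventType: string; orgId: string; actor: string };
type Format = "json" | "cef" | "leef";
type Destination = { name: string; format: Format; filter?: string[] };

// Documented filter semantics: no filter forwards everything, otherwise only
// events whose eventType is listed are delivered.
function shouldDeliver(d: Destination, e: AuditEvent): boolean {
  return d.filter === undefined || d.filter.indexOf(e.eventType) !== -1;
}

// CEF header fields escape "\" and "|"; extension values escape "\" and "="
// and encode line breaks as the two characters \n.
const cefHeader = (s: string): string => s.replace(/[\\|]/g, "\\$&");
const cefValue = (s: string): string =>
  s.replace(/[\\=]/g, "\\$&").replace(/\r\n|\r|\n/g, "\\n");
// LEEF 1.0 separates attributes with tabs, so control characters and pipes
// in values are flattened to spaces here (a choice made for this example).
const leefValue = (s: string): string => s.replace(/[\t\r\n|]+/g, " ");

function serialize(format: Format, e: AuditEvent): string {
  switch (format) {
    case "json":
      return JSON.stringify(e);
    case "cef":
      return `CEF:0|ExampleVendor|ExampleProduct|1.0|${cefHeader(e.eventType)}|` +
        `${cefHeader(e.eventType)}|5|suser=${cefValue(e.actor)} ` +
        `cs1Label=orgId cs1=${cefValue(e.orgId)}`;
    case "leef":
      return `LEEF:1.0|ExampleVendor|ExampleProduct|1.0|${leefValue(e.eventType)}|` +
        [`usrName=${leefValue(e.actor)}`, `orgId=${leefValue(e.orgId)}`].join("\t");
  }
}

// One payload per destination whose filter admits the event.
function fanOut(dests: Destination[], e: AuditEvent): { name: string; body: string }[] {
  return dests.filter((d) => shouldDeliver(d, e))
    .map((d) => ({ name: d.name, body: serialize(d.format, e) }));
}

// Constructed sample: the actor value carries "=" and a line break.
const sample: AuditEvent = { eventType: "agent.spawned", orgId: "org_1", actor: "svc=ci\nbot" };
const dests: Destination[] = [
  { name: "splunk", format: "json" },
  { name: "arcsight", format: "cef", filter: ["agent.spawned"] },
  { name: "qradar", format: "leef", filter: ["user.login"] },
];
console.log(fanOut(dests, sample));
```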
Event types forwarded to SIEM
The platform emits audit events for all security-relevant operations. A representative sample:
agent.spawned agent.completed agent.failed
user.login user.logout user.invited
user.deprovisioned org.member_role_changed
approval.gate_created approval.decision_submitted approval.gate_resolved
policy.created policy.evaluated
audit.chain_break_detected audit.key_rotated audit.anchored
sso.connection_created scim.user_provisioned
m2m.client_created m2m.token_issued
credential.rotated workflow.deployed

See Audit Trail for the complete event taxonomy and hash-chain integrity guarantees.
SIEM destination health
Test delivery to a configured destination:
curl -X POST https://rensei.ai/api/audit/siem/destinations/<id>/test \
-H "Authorization: Bearer rsk_live_..."
# Returns: { "ok": true, "latencyMs": 45 }

Destinations are stored in Redis under workspace:{id}:siem:destinations. Removing the destination stops further delivery immediately.
CLI observability commands
# Tail live audit events
rensei observability events tail --org acme-corp
# Query historical events by type
rensei observability events query \
--org acme-corp \
--type agent.spawned \
--since 2026-06-01 \
--until 2026-06-02 \
--json

Related pages
- Audit Trail - hash-chain integrity, Merkle anchoring, crypto-shredding
- Cedar Policies - policy evaluation events that appear in the audit trail
- Sessions Inspector - per-session 7-tab debug view including OTel spans