search

Reviewing BRACE Logs

BRACE generates events that can be sent to any OTEL collector. The PaaS environments and Amazon EC2 instances are configured to send events to AWS CloudWatch.

BRACE also can send logs to stdout and to a local file. It should be noted that these log events will only show alerts from BRACE. Process execution events, filesystem accesses, established network connections and any MCP events are viewable via an OTEL log event viewer.

BlueRock does support a free Grafana dashboard. For users who want a default dashboard, please contact [email protected] for access.

For more instructions on configuring OTEL with BlueRock refer to the Configuring OTEL Event Collection with BlueRock documentation.

hashtag
Reviewing BRACE Logs in AWS CloudWatch

  1. Log into the AWS Console and navigate to CloudWatch.

  2. Go to Log Management in the navigation pane

  3. Find the Log Group for your instance. This should be prefaced with either you CloudFormation stack name or provided to you as part of your PaaS onboard.

  4. Click on the Log stream.

  5. You can now begin searching for events that may be of interest. Keywords that you can use are as follows:

  • process_exec - will show all executed processes on the instance

  • file_open - will show all file accesses

  • socket_connection - will show you all network accesses

  • python_mcp_event - will show all MCP related activity and tool execution

  • "tools/call" - will list MCP tool call executions (quotation marks must be used)

  • python_mcp_violation - will list any MCP events that caused alerts on policy or were blocked via guardrails.

  • brace - will show all brace related activity running in the sandbox

  • brace_exec_violation - will show all alerts and guardrail blocks from the sandbox

Log Samples

Below is a log sample from a process_exec search in CloudWatch. This will provide a listing of all processes executed on the agent instance for observability and auditing purposes.

The log sample below is from an MCP event. You can search for python_mcp_event and retrieve all MCP events from the Sandbox instance.

Below is another sample of MCP events but filtered on "tools/call" . This can be used to analyze all MCP tool calls made by an agent's MCP client.

Below is a sample of an MCP alert. These can be identified by searching on python_mcp_violation .

Below is a sample of a BRACE event. You filter on these events by searching for brace.

Below is a sample of a BRACE alert. You can filter on these events by searching for brace_exec_violation .

When searching on BRACE alerts, to gather additional context, you will need to identify the source_event_id and search for that value which will return the associated context.

Below is a sample of a network connection detection. This can be filtered by searching for socket_connection .

PreviousConfiguring a BlueRock Agent Sandbox for ObservabilityNextBlueRock AWS CloudFormation Deployment

Last updated