DEV Community: Srinivas Kondepudi

How to stream Claude Code audit logs into Microsoft Sentinel (with Chron)

Srinivas Kondepudi — Tue, 26 May 2026 15:41:50 +0000

If your team uses Claude Code (or any MCP-based AI tool), those sessions are currently invisible to your security stack. No SIEM events. No audit trail. Nothing.

Chron fixes that. It's an MCP server that logs every AI session to a local SQLite database and can relay structured metadata events to your SIEM. This post walks through the Azure Sentinel integration end to end.

What gets logged

Chron transmits metadata only, never message content:

Event Fields
session_started session ID prefix, AI tool, timestamp, OS
message_logged role (user/assistant), session ID prefix
secret_detected detection type, masked value
Prerequisites

Chron installed (npm install -g chron-mcp or via npx)
Azure subscription with a Log Analytics workspace
App Registration with a client secret
Azure setup (5 steps)

Create a Data Collection Endpoint (DCE) — Azure Portal > Monitor > Data Collection Endpoints > Create
Create a custom table — Log Analytics workspace > Tables > Create > New custom log (MMA-based) — name it ChronEvents_CL, add columns: EventType, SessionIdPrefix, AiTool, OS, ChronVersion, Computer, Role, DetectionType, MaskedValue (all string type)
Create a Data Collection Rule (DCR) — Monitor > Data Collection Rules > Create, point the stream Custom-ChronEvents_CL to your workspace table
Assign role — on the DCR resource, add your App Registration as Monitoring Metrics Publisher
Note down your Tenant ID, Client ID, Client Secret, DCE URL, and DCR Immutable ID (starts with dcr-)

Connect Chron
chron connect sentinel

The CLI prompts for your credentials, authenticates against Azure AD, sends a test event, and patches ~/.claude.json automatically. You should see the test event in Log Analytics within 5-10 minutes (first ingestion into a new custom table can take up to 15 min).

Verify in Log Analytics

ChronEvents_CL
| order by TimeGenerated desc
| take 10

If the table doesn't appear yet, check the DCR > Monitoring tab for ingestion errors. The most common issue is a missing Monitoring Metrics Publisher role on the DCR (not the workspace).

What you get

Once connected, every Claude Code session generates a real-time stream of events in your Sentinel workspace. You can build workbooks, alerts, and hunting queries on top of it — e.g. alert when EventType == "secret_detected", or track AI tool adoption across your org by machine ID.

Issues can be logged here: https://github.com/SirinivasK/chron

How I wired chron into CrowdStrike LogScale - and shipped 5 dashboards with it

Srinivas Kondepudi — Mon, 18 May 2026 15:12:03 +0000

In my first post I wrote about why I built chron, an MCP server that logs every AI conversation to local SQLite. This one is about what I built next: streaming those events into CrowdStrike LogScale so security teams can see AI activity across their org.

The problem with local-only logging
chron stores everything locally. That's good for individuals, your data, your machine, no cloud. But for an org with 50 developers all using Claude or Cursor, "local SQLite per machine" doesn't give anyone a picture of what's happening org wide.

Security teams need a centralized view. And they already have one: their SIEM.

Why LogScale (Humio)
CrowdStrike acquired Humio in 2021 and rebranded it LogScale. It's one of the fastest log ingestion systems available, and it's already deployed at most enterprises that take security seriously. If I could get chron events into LogScale, I'd be sending data somewhere security teams already look.

LogScale has a clean structured ingest API. You POST an array of events, each with a timestamp and key-value attributes. No schema to define upfront, it's schema less by default.

The relay design
I wanted the integration to be genuinely zero-friction for chron's critical path. Logging a message should never slow down because the relay is having a bad day.

The solution: fire-and-forget via setImmediate.

export function emitEvent(payload: ChronEventPayload): void {
const url = process.env.CHRON_LOGSCALE_URL;
const token = process.env.CHRON_LOGSCALE_TOKEN;
if (!url || !token) return;

setImmediate(() =>
fetch(url, {
method: 'POST',
headers: {
'Authorization': Bearer ${token},
'Content-Type': 'application/json',
},
body: buildLogScalePayload(payload),
}).catch(() => undefined)
);
}
setImmediate pushes the fetch to the next iteration of the event loop, after the current operation completes. The .catch(() => undefined) means a failed relay never surfaces as an error. The audit log always writes to local SQLite first. The relay is best effort.

Three event types
chron emits exactly three event types to LogScale:

session_started - when a new AI session begins. Includes the AI tool name and an anonymized machine ID (SHA-256 of hostname, truncated to 16 chars).

message_logged - when a message is recorded. Includes role (user/assistant), timestamp, session prefix. Message content never leaves the machine.

secret_detected - when the auto-scanner finds a credential in a user message. Includes detection type (aws_key, github_token, etc.) and a masked value. The real value stays local.

That last point matters: chron's secret detection is designed to alert without exfiltrating. The masked value in LogScale tells the CISO "a GitHub token appeared in a developer's AI prompt on this machine at this time." The token itself is not in LogScale.

The connect CLI
Getting the credentials set up should be one command, not a documentation page.

chron connect crowdstrike
This prompts for your LogScale URL and ingest token, sends a real test event, validates the HTTP 200 response, and saves the config to ~/.chron/config.json. It also prints the exact env block to paste into ~/.claude.json so the credentials load automatically on every Claude Code session.

Five dashboards, ready to import
The hardest part of a new data source isn't the ingest — it's getting useful queries in front of the people who need them. I shipped five LQL queries and one importable dashboard YAML with chron 0.1.14.

The dashboard covers:

AI tool usage by count (which tools are developers actually using)
Daily active developers by machine
Sessions per developer
Secret detections by type over time
API key alert query for scheduled SOC alerting
Import the YAML into LogScale and all five widgets are live. If you have chron running on even one machine, you'll see data immediately.

What's next
The relay currently supports LogScale and a generic HTTP endpoint (CHRON_RELAY_URL). Splunk, Elastic, and Datadog integrations are on the roadmap, the event schema is the same, just different destination formats.

If you're running LogScale and want to try it:

npx -y chron-mcp
chron connect crowdstrike
Restart Claude Code or Cursor, have a conversation, and watch the events appear in your LogScale stream.

github.com/sirinivask/chron

I built an MCP server to log every AI conversation, here's what I learned

Srinivas Kondepudi — Wed, 13 May 2026 17:47:43 +0000

Every serious system gets audited; databases, code, finances. AI shouldn't be the exception. I'm building the tools to close that gap. chron is the first one.

The problem

I was doing long coding sessions with Claude. We'd work through a problem, make decisions, figure out an approach together. Then the context window fills up. It resets. And suddenly the AI has forgotten everything, but I still need to know what we decided and why.

I wanted a permanent local record. Not stored in some cloud. Not owned by any AI company. Just mine, on my machine, in a format I can actually read.

What is MCP?
MCP (Model Context Protocol) is an open standard from Anthropic that lets you extend Claude with custom tools. Think of it like a plugin system, you build a server that exposes tools, Claude learns to call them, and suddenly your AI can do things it couldn't before.

I'd never built one before. This was my first.

Turns out it's simpler than it sounds. You define a tool with three things:

A name Claude can call
A description Claude reads to know when to use it
An input schema so Claude knows what arguments to pass
That's it. Claude figures out the rest.

What I built
chron; an MCP server that automatically logs every AI conversation to a local SQLite database. Every message. Every timestamp. Fully yours.

npx -y chron-mcp
Run that once in your terminal. It detects which AI tools you have installed, Claude Desktop, Claude Code, Cursor, Windsurf, and configures them automatically. Restart your AI tool. Done. Everything gets logged from that point on, with zero manual steps.

Three things I built that were interesting

Hash chaining

Each message stores a SHA-256 hash that includes the previous message's hash, same idea as a blockchain, but much simpler. It means you can verify the log hasn't been tampered with. If anyone edits an old message, every hash after it breaks.

message 1: hash(content) → abc123
message 2: hash(content + abc123) → def456
message 3: hash(content + def456) → ghi789
Run verify_session and chron walks the chain. Any break means tampering.

Auto-setup

The hardest part of building an MCP server isn't the server, it's getting people to install it. Writing JSON config files by hand is a real barrier.

So npx -y chron-mcp now does it automatically. It reads your filesystem, detects which AI clients are installed, writes their config files, and installs a SessionStart hook in Claude Code so the logging skill loads on every new session. One command, restart, works.

The SessionStart hook

Claude Code has a hook system; shell commands that run automatically at session start. I use this to inject the chron skill instructions so Claude knows to call the logging tools without you doing anything. This was the missing piece. Without it, the MCP server is registered but idle.

What surprised me
The install experience is harder than the feature itself. Getting the MCP server running took a day. Getting it to work without any user configuration took a week.

Also: npm download counts are mostly bots. chron crossed 1,000 downloads in the first week, but honest estimate is maybe 50–150 real humans. Security scanners and registry mirrors download every new package automatically. Worth knowing before you celebrate.

What's next
The data is locked in SQLite right now. The next step is a local web UI — npx chron-mcp --ui opens a browser showing your sessions, messages, and stats. If AI is doing real work, you should be able to read the log without writing SQL.

If you use Claude, Cursor, or Windsurf and you care about keeping a record of your AI conversations, give it a try.

npx -y chron-mcp
GitHub: github.com/sirinivask/chron

I'm happy to answer questions about building MCP servers, it's genuinely worth learning right now.