Chaber · Oversight Suite

See who used AI,
what happened,
and prove it.

with .

Chaberista turns Claude and Perplexity activity into redacted, plain-English summaries your compliance, legal, security, and IT teams can actually use. PII is stripped at ingest, every answer is citation-backed, and you can export an audit-ready report in one click — no SPL, no SQL, no lawyer required.

Start free View live demo Compare View sample report

247

AI events · 30 days

Alerts unreviewed

File uploads flagged

Webhook ingestion ·Encrypted at rest ·Ask Logs in plain English ·Audit-ready reports ·Per-user · per-matter · per-project ·Claude Enterprise ·Perplexity Enterprise ·Role-based access ·Webhook ingestion ·Encrypted at rest ·Ask Logs in plain English ·Audit-ready reports ·Per-user · per-matter · per-project ·Claude Enterprise ·Perplexity Enterprise ·Role-based access ·

What it does

One quiet dashboard for every AI interaction at your organization.

Live audit ingestion

Drop in a Perplexity webhook URL or import a Claude audit-log export. Activity appears in seconds — no engineering required.

Encrypted at rest

Every raw payload is sealed with AES-256-GCM. Only authorised roles can decrypt query text or file titles.

Ask Logs, safely

Type a plain question. Chaberista answers from approved analytics views — never raw, unrestricted logs.

Built for

Any team that has to answer for how AI gets used.

Compliance teams

Evidence the AI policy is being followed — and catch the moments it isn't.

In-house legal

Track AI use across departments, matters, and outside counsel touchpoints.

Law firms

Per-matter audit trails, billable-hour cross-checks, and client-ready disclosures.

Security teams

Spot exfiltration risk, off-hours access, and confidential file uploads.

IT & DevEx

Govern Claude and Perplexity rollouts without standing up a custom pipeline.

Tech & SaaS companies

Show customers and auditors exactly how internal AI tools are used.

Defensible by design

Audit-ready records, in plain English.

Per-user, per-matter, per-project audit log
Confidential file upload detection
Off-hours and anomalous access flags
Monthly reports for management & auditors
Slack + email alert integration (soon)
eDiscovery-ready exports by user or date

Live demo

Ask your logs in plain English

No SPL. No KQL. Just a question. Chaberista answers from your AI logs and returns a compliant, citation-backed summary with PII redacted at ingest.

/app/ask · ask-logs

You · last 7 days

Example 1 / 5

Prompt preview · example 1Not yet sent

“Did anyone paste customer SSNs or credit cards into Claude this week, and which workspaces were involved?”

Pick another:

Chaberista will answer from your redacted AI logs with citations.

Illustrative example. Real responses are generated from your own redacted log events. .

Live demo · Content Privacy Mode

Ask the redacted logs

Same questions, stricter answers. With Content Privacy Mode on, Chaberista reports on PII flags, MCP connectors, independent AI actions, database & file uploads, flagging, and alerts — never the message text itself. Reveal is gated to owners, admins, and the compliance reviewer role and is audit-logged.

/app/ask · ask-logs · privacy mode on Privacy Mode

You · last 7 days

Example 1 / 3

Prompt preview · example 1Not yet sent

“Show me activity that triggered PII or sensitive-data flags this week — without showing the message contents.”

Pick another:

Chaberista will answer from metadata only — message contents stay hidden.

Illustrative example. In Content Privacy Mode, only owners, admins, and the compliance reviewer role can Reveal a message body — and every reveal is audit-logged.

MCP Connector Tracker

See every tool your AI can actually run.

When Claude (or any MCP-aware client) connects to an MCP server, it inherits the right to call that server's tools on your behalf — including ones that delete data, charge cards, or push to production. Chaberista reads your audit log to discover each server, classify its tools, and surface destructive calls that ran without human approval — so you can require HITL inside Claude before the next one fires.

Detection & evidence live here. Hard enforcement (the “ask the human first” prompt) is toggled in Claude Teams/Enterprise → MCP → Require approval for tool use. We verify it’s on by reading your logs.

1 · Discover servers

github-mcpapproved
GitHub · us-east-1 · 14 tools
Approved for engineering · scope limited to read-only repos
salesforce-mcppending
Salesforce · us-west-2 · 22 tools
Awaiting review — surfaced from a Claude audit log 2h ago
internal-fileopsflagged
Self-hosted · eu-central-1 · 6 tools
Flagged — exposes delete_file, but HITL is OFF in Claude. Action: enable approvals in Claude's MCP settings.

2 · Classify tools

list_pull_requests
github-mcp
readauto
merge_pull_request
github-mcp
destructiveHITL
delete_account
salesforce-mcp
irreversibleHITL
delete_file
internal-fileops
destructiveauto

Risky classes (destructive, irreversible) without HITL surface as findings. Chaberista doesn’t intercept the call — it tells you to flip on approvals in Claude before it happens again.

3 · Verify governance

github-mcp.merge_pull_request

8 min ago

by ada@firm.com

{
  "repo": "firm/contracts",
  "pr": 482,
  "base": "main"
}

Matched policy

MCP · Destructive on production main → HITL required (verified in Claude approval log)

Approved by sam@firm.com — 42s response

Every call — approved, blocked, or auto-run — lands in the audit trail with the matched policy and reviewer for one-click export.

Before you sign up

You'll need an admin-tier Claude or Perplexity plan to ingest logs.

Before you connect — what your provider needs

Chaberista reads activity from your Claude or Perplexity workspace. Those vendors only expose org-wide audit logs on admin-tier plans, so you'll need one of the following to ingest anything beyond a manual CSV.

Anthropic Claude
Claude Enterprise — required for the Admin API and audit-log export (workspace-wide message metadata, user activity, MCP tool calls). The Primary Owner generates an Admin API key in Console → Settings → Admin Keys.
Claude Team covers SSO and seat management but does not include the audit-log API. Free / Pro plans aren't supported — there's no admin export to read.
Perplexity
Perplexity Enterprise Pro (typically 25+ seats) — required for the admin dashboard, SSO, and the activity webhook / log export Chaberista subscribes to. Your Perplexity admin enables the webhook and pastes the URL we generate.
Perplexity Max and Pro are individual plans — they expose personal history only, not an org-wide audit feed, so they can't be governed centrally.

Don't have admin access yet? You can still create a workspace and explore with the included sample data — connect a real provider whenever your Enterprise admin is ready.

Comparison

How Chaberista compares

Splunk, Datadog, Elastic, Sumo Logic, and New Relic are excellent general-purpose log lakes. Chaberista is a purpose-built AI-governance log layer for teams who need to oversee GenAI use, satisfy counsel, and ship a compliance packet on day one — without learning SPL, KQL, or NRQL.

Trademark & affiliation notice. Splunk, Datadog, Elastic, ELK, Sumo Logic, and New Relic are trademarks or registered trademarks of their respective owners. Chaber, LLC is not affiliated with, sponsored by, or endorsed by any of these vendors. References are nominative fair use for product comparison only.

Ratings reflect Chaberista's good-faith reading of each vendor's publicly available product documentation, pricing pages, and trust portals as of May 9, 2026. Vendor capabilities change frequently; please verify against the vendor's current docs before purchase. See an inaccuracy? Email michael@chabercompliance.com.

Logging feature	Chaberista	Splunk	Datadog Logs	Elastic / ELK	Sumo Logic	New Relic Logs
AI prompt & response logging First-class capture of every LLM call with redaction.	Native Built-in Claude/OpenAI connectors capture prompt + completion + tokens by default.	DIY parsers No first-party LLM source; teams build HEC pipelines and field extractions.	LLM Obs add-on Requires the LLM Observability product and SDK instrumentation.	DIY pipelines Logstash/Beats + custom ingest pipelines per provider.	DIY parsers Generic HTTP source + field extraction rules; no LLM template.	AI Monitoring add-on Separate AI Monitoring product with agent instrumentation.
Natural-language query over logs Plain English — no SPL, KQL, or NRQL required.	Ask-Logs Default UI: type a question, get a cited answer over your redacted events.	AI Assistant for SPL Generates SPL you still need to read and run.	Bits AI (preview) Limited preview, enterprise gated, still surfaces query syntax.	AI Assistant Helps draft KQL/ES\|QL; not an answer-with-citations layer.	Mo Copilot Assists with Sumo query language; not a primary UX.	NR AI on NRQL Suggests NRQL; results returned as charts to interpret.
Predictable per-seat pricing No surprise bills from log volume spikes.	$500 / seat / mo Flat seat price with hard quotas; ingest spikes can't blow up the bill.	Ingest / workload Priced on GB/day or workload pricing — volume drives cost.	Per GB ingested Indexed logs billed per million events; retention tiers add cost.	Resource-based Cloud bills on RAM/storage; self-hosted has infra + ops cost.	Ingest / credits Credits-based plans scale with daily ingest volume.	Per GB ingested Data Plus tier bills per GB beyond the free 100 GB/mo.
Built-in PII redaction at ingest Redacts before logs hit storage.	Default on Server-side redaction runs before persistence; raw PII never stored.	Props/transforms SEDCMD / props.conf rules; configured per source by admins.	Sensitive Data Scanner add-on Separate product; requires rule packs and tuning.	Ingest processors Redact / grok processors built per pipeline.	Field masking rules Mask rules configured at the collector / source level.	Log obfuscation rules Regex-based obfuscation rules configured per account.
AUP & policy enforcement on log events Block or require approval at log time.	Native AUP rules can block, redact, or route a log event to Approvals in real time.	No Detections fire alerts; no inline block/approve on the event itself.	No Monitors notify; no policy gate on the source event.	No Detection rules + cases; no inline enforcement layer.	No Cloud SIEM signals; no enforcement on ingest.	No Alerts and incidents; no inline gating of log events.
MCP server & tool inventory Track every Model Context Protocol tool Claude can invoke, gate destructive ones with HITL.	Native inventory Auto-discovers MCP servers from audit logs, classifies tools (read/write/destructive/irreversible), enforces HITL, full change audit trail.	No No MCP-aware data source; would require custom collectors per server.	No No first-class MCP inventory; LLM Obs focuses on prompt/response telemetry.	No No MCP integration; teams would parse Claude audit logs by hand.	No No MCP inventory or tool-classification UX.	No AI Monitoring tracks model calls, not MCP tool surface area.
One-click Compliance Packet export Terms + Privacy + DPA + retention/quotas bundled.	Markdown export Admin downloads a single .md with §-cited Terms/Privacy/DPA + live retention & quotas.	No Customers assemble policy docs from trust portal manually.	No Trust center hosts docs; no per-tenant packet export.	No Trust center docs; no in-product packet.	No Trust portal documents; no bundled export.	No Trust center docs; no per-account packet.
Sub-processor transparency + Stripe billing trail	Annex III + deep link DPA Annex III lists Stripe (PCI-DSS L1) with a /dpa#subprocessor-stripe deep link.	Trust portal Sub-processor list published; billing processor not deep-linked from DPA.	Trust center Sub-processor list maintained; payment processor disclosed separately.	Trust center Sub-processor list available; not anchored from DPA UI.	Trust portal Sub-processor list published; no DPA deep-link UX.	Trust center Sub-processor list published; payment processor in separate doc.
Quota enforcement visible in-product Live 429s, AI capacity gates, source caps.	Live counters Ingest returns 429 at cap; Ask-Logs and source-connect gates show live usage.	License warnings License usage warnings; enforcement primarily via license violations.	Usage dashboards Usage UI is observational; overages bill rather than block.	Resource limits Cluster limits surface as errors; no per-feature in-product quota UX.	Credit alerts Credit consumption dashboards; alerts rather than hard gates.	Usage UI Data ingest UI shows usage; overages bill on Data Plus.
Approvals workflow tied to log events Human-in-the-loop on flagged AI usage.	Native Flagged events queue in /app/approvals with approve/deny + audit trail.	No ITSI/SOAR can route tickets, but no native per-log approval UX.	No Case management exists; no approve/deny on a single log event.	No Cases workflow; no inline event approval.	No SIEM cases; no inline event approval.	No Incident workflows; no inline event approval.
Lawyer-ready DPA & retention out of the box No custom MSA needed for SMB / small firms.	Standard DPA Self-serve DPA with Stripe sub-processor, GDPR Art. 28 terms, 365-day retention on Standard.	Enterprise only Standard DPA generally requires enterprise contracting motion.	Standard DPA Self-serve DPA available; retention configured per index.	Standard DPA Self-serve DPA available; retention via ILM policies you configure.	Standard DPA Self-serve DPA available; retention by tier.	Standard DPA Self-serve DPA available; retention tied to data tier.

Sources reviewed: splunk.com, docs.datadoghq.com, elastic.co, sumologic.com, docs.newrelic.com · last reviewed May 9, 2026.

Ship the proof

Hand auditors a report,
not a database dump.

One-click export. Every event redacted at ingest, every claim citation-backed, every page signed and timestamped. Your branding, your retention window, your region — ready for compliance, legal, or an outside auditor.

Start free See pricing

See who used AI,what happened,and prove it.