Platform
Secure
Audit Logs

Audit Logs

Audit logs are the immutable record of every security decision Xilos makes. Each query that passes through the platform generates an audit entry capturing the governance actions applied, restriction rules triggered, guardrail results, and the final disposition — allow, block, mask, or flag. Audit logs support compliance reporting, security analysis, and SIEM integration.

Info: Audit logs are immutable. Once written, entries cannot be modified or deleted. This guarantees a tamper-evident record for compliance and forensic analysis.

Audit Log Fields

Each audit log entry contains the following fields:

FieldTypeDescription
timestampISO 8601UTC timestamp when the query was received
query_idUUIDUnique identifier for the query
user_idStringIdentifier of the user who submitted the query
user_emailStringEmail address of the user (when available)
tenant_idStringTenant identifier
query_textStringThe original query content
query_text_maskedStringThe query after PII masking (if applicable)
target_modelStringThe LLM selected to process the query
actionEnumFinal disposition: allow, block, mask, flag
triggered_rulesArrayList of restriction rules that matched the query
guardrail_resultsObjectResults from each guardrail (PII, HAP, jailbreak, content moderation)
pii_detectedArrayList of PII types detected in the query
severityEnumHighest severity among triggered rules: high, medium, low
latency_msIntegerTotal processing time in milliseconds
model_latency_msIntegerLLM inference time in milliseconds (when applicable)
tokens_inIntegerInput token count (when the query reached the model)
tokens_outIntegerOutput token count (when the query reached the model)
cost_usdFloatEstimated cost in USD (when the query reached the model)
sourceStringOrigin of the query (dashboard, API, agent, webhook)
ip_addressStringIP address of the requesting client

Searching and Filtering

The audit log viewer supports structured search and filtering across all fields.

Search Filters

FilterDescriptionExample
Date rangeFilter by timestamp rangeLast 24 hours, last 7 days, custom range
ActionFilter by final dispositionblock, mask, flag, allow
SeverityFilter by highest triggered severityhigh, medium, low
Rule nameFilter by triggered restriction ruleAPI-Key-Exposed-Block
UserFilter by user ID or emailuser@example.com
PII typeFilter by detected PII typeSSN, CREDIT_CARD, EMAIL
ModelFilter by target modelgpt-4.1, claude-sonnet-4
SourceFilter by query origindashboard, api, agent

Search Syntax

The audit log search bar supports structured queries using field:value pairs:

action:block severity:high rule:API-Key-Exposed-Block

Combine multiple filters with spaces (implicit AND):

action:flag user:user@example.com date:2024-01-15

Info: All search queries are themselves audited. Searching the audit log does not modify or redact existing entries.

Export for SIEM

Xilos supports continuous export of audit logs to external Security Information and Event Management (SIEM) systems. SIEM export enables long-term retention, cross-platform correlation, and centralized compliance reporting.

Webhook Export

Xilos streams audit events to an HTTP endpoint in real time. Configure the webhook URL in Secure → Audit Logs → SIEM Export.

Payload format: Each audit entry is sent as a JSON object in the request body. Events are batched and sent every 5 seconds, or when 100 events accumulate, whichever comes first.

Headers: Requests include an X-Xilos-Signature header containing an HMAC-SHA256 signature of the payload, verified using your tenant's shared secret.

Syslog Export

Xilos forwards audit events to a syslog server using RFC 5424 format. Configure the syslog endpoint (host, port, protocol) in Secure → Audit Logs → SIEM Export.

Supported protocols: UDP, TCP, and TLS-encrypted TCP.

CSV Export

For ad-hoc analysis, export audit log entries as a CSV file from the audit log viewer. Select a date range, apply filters, and download the results.

Limit: Exports are capped at 100,000 entries per file. For larger exports, use webhook or syslog streaming.

SIEM Integration Verification

After configuring SIEM export, verify that events are arriving at your destination:

  1. Submit a test query that triggers a restriction rule (e.g., a Flag rule).
  2. Check the audit log viewer to confirm the entry was created.
  3. Check your SIEM platform to confirm the event was received.
  4. Verify the HMAC signature using your shared secret (for webhook export).

Retention Policy

Audit log retention is configurable per tenant. The retention policy determines how long entries are stored before automatic deletion.

SettingDefaultRangeNotes
Retention period365 days30 – 2,555 daysEntries older than the retention period are automatically deleted
SIEM exportDisabledOn / OffWhen enabled, entries are streamed to your SIEM before deletion
Immutable storageEnabledOn / OffPrevents modification of entries after creation

Warning: Reducing the retention period permanently deletes older entries. If you need longer retention for compliance, configure SIEM export before reducing the retention period.

Compliance Retention Guidelines

FrameworkMinimum RetentionRecommendation
SOC 2365 days365 days minimum
HIPAA2,191 days (6 years)2,555 days (7 years) recommended
PCI DSS365 days365 days minimum
GDPRAs long as necessaryConfigure Flag-only rules to minimize PII in audit logs

Compliance Reporting

Audit logs support compliance reporting for common security frameworks. Generate reports from the audit log viewer by selecting a date range and report type.

Available Reports

ReportDescriptionUse Case
Blocked QueriesAll queries that were blocked by restriction rules or guardrailsSecurity incident review
PII ExposureAll queries where PII was detected, including masking actions takenData privacy compliance
Prompt Injection AttemptsAll queries flagged by jailbreak detection or injection rulesThreat analysis
Rule EffectivenessTrigger counts and false positive rates per restriction ruleRule tuning
User ActivityQuery volume, action breakdown, and model usage per userUsage auditing
Full ExportComplete audit log entries for the selected date rangeRegulatory submission

Generating a Report

  1. Navigate to Secure → Audit Logs.
  2. Select the date range.
  3. Apply any additional filters (user, rule, action, severity).
  4. Select Generate Report and choose the report type.
  5. Download the report as PDF or CSV.

Info: Compliance reports inherit the immutability of the underlying audit log data. Report contents reflect the exact audit entries recorded during the selected period.

Related

  • Guardrails — Guardrail results are captured in the guardrail_results field.
  • Restriction Rules — Triggered rules are recorded in the triggered_rules field.
  • Prompt Injection Defense — Injection attempts are logged with the triggering rule and action.
  • PII Detection — Detected PII types are recorded in the pii_detected field.