Audit Logs
Audit logs are the immutable record of every security decision Xilos makes. Each query that passes through the platform generates an audit entry capturing the governance actions applied, restriction rules triggered, guardrail results, and the final disposition — allow, block, mask, or flag. Audit logs support compliance reporting, security analysis, and SIEM integration.
Info: Audit logs are immutable. Once written, entries cannot be modified or deleted. This guarantees a tamper-evident record for compliance and forensic analysis.
Audit Log Fields
Each audit log entry contains the following fields:
| Field | Type | Description |
|---|---|---|
timestamp | ISO 8601 | UTC timestamp when the query was received |
query_id | UUID | Unique identifier for the query |
user_id | String | Identifier of the user who submitted the query |
user_email | String | Email address of the user (when available) |
tenant_id | String | Tenant identifier |
query_text | String | The original query content |
query_text_masked | String | The query after PII masking (if applicable) |
target_model | String | The LLM selected to process the query |
action | Enum | Final disposition: allow, block, mask, flag |
triggered_rules | Array | List of restriction rules that matched the query |
guardrail_results | Object | Results from each guardrail (PII, HAP, jailbreak, content moderation) |
pii_detected | Array | List of PII types detected in the query |
severity | Enum | Highest severity among triggered rules: high, medium, low |
latency_ms | Integer | Total processing time in milliseconds |
model_latency_ms | Integer | LLM inference time in milliseconds (when applicable) |
tokens_in | Integer | Input token count (when the query reached the model) |
tokens_out | Integer | Output token count (when the query reached the model) |
cost_usd | Float | Estimated cost in USD (when the query reached the model) |
source | String | Origin of the query (dashboard, API, agent, webhook) |
ip_address | String | IP address of the requesting client |
Searching and Filtering
The audit log viewer supports structured search and filtering across all fields.
Search Filters
| Filter | Description | Example |
|---|---|---|
| Date range | Filter by timestamp range | Last 24 hours, last 7 days, custom range |
| Action | Filter by final disposition | block, mask, flag, allow |
| Severity | Filter by highest triggered severity | high, medium, low |
| Rule name | Filter by triggered restriction rule | API-Key-Exposed-Block |
| User | Filter by user ID or email | user@example.com |
| PII type | Filter by detected PII type | SSN, CREDIT_CARD, EMAIL |
| Model | Filter by target model | gpt-4.1, claude-sonnet-4 |
| Source | Filter by query origin | dashboard, api, agent |
Search Syntax
The audit log search bar supports structured queries using field:value pairs:
action:block severity:high rule:API-Key-Exposed-BlockCombine multiple filters with spaces (implicit AND):
action:flag user:user@example.com date:2024-01-15Info: All search queries are themselves audited. Searching the audit log does not modify or redact existing entries.
Export for SIEM
Xilos supports continuous export of audit logs to external Security Information and Event Management (SIEM) systems. SIEM export enables long-term retention, cross-platform correlation, and centralized compliance reporting.
Webhook Export
Xilos streams audit events to an HTTP endpoint in real time. Configure the webhook URL in Secure → Audit Logs → SIEM Export.
Payload format: Each audit entry is sent as a JSON object in the request body. Events are batched and sent every 5 seconds, or when 100 events accumulate, whichever comes first.
Headers: Requests include an X-Xilos-Signature header containing an HMAC-SHA256 signature of the payload, verified using your tenant's shared secret.
Syslog Export
Xilos forwards audit events to a syslog server using RFC 5424 format. Configure the syslog endpoint (host, port, protocol) in Secure → Audit Logs → SIEM Export.
Supported protocols: UDP, TCP, and TLS-encrypted TCP.
CSV Export
For ad-hoc analysis, export audit log entries as a CSV file from the audit log viewer. Select a date range, apply filters, and download the results.
Limit: Exports are capped at 100,000 entries per file. For larger exports, use webhook or syslog streaming.
SIEM Integration Verification
After configuring SIEM export, verify that events are arriving at your destination:
- Submit a test query that triggers a restriction rule (e.g., a Flag rule).
- Check the audit log viewer to confirm the entry was created.
- Check your SIEM platform to confirm the event was received.
- Verify the HMAC signature using your shared secret (for webhook export).
Retention Policy
Audit log retention is configurable per tenant. The retention policy determines how long entries are stored before automatic deletion.
| Setting | Default | Range | Notes |
|---|---|---|---|
| Retention period | 365 days | 30 – 2,555 days | Entries older than the retention period are automatically deleted |
| SIEM export | Disabled | On / Off | When enabled, entries are streamed to your SIEM before deletion |
| Immutable storage | Enabled | On / Off | Prevents modification of entries after creation |
Warning: Reducing the retention period permanently deletes older entries. If you need longer retention for compliance, configure SIEM export before reducing the retention period.
Compliance Retention Guidelines
| Framework | Minimum Retention | Recommendation |
|---|---|---|
| SOC 2 | 365 days | 365 days minimum |
| HIPAA | 2,191 days (6 years) | 2,555 days (7 years) recommended |
| PCI DSS | 365 days | 365 days minimum |
| GDPR | As long as necessary | Configure Flag-only rules to minimize PII in audit logs |
Compliance Reporting
Audit logs support compliance reporting for common security frameworks. Generate reports from the audit log viewer by selecting a date range and report type.
Available Reports
| Report | Description | Use Case |
|---|---|---|
| Blocked Queries | All queries that were blocked by restriction rules or guardrails | Security incident review |
| PII Exposure | All queries where PII was detected, including masking actions taken | Data privacy compliance |
| Prompt Injection Attempts | All queries flagged by jailbreak detection or injection rules | Threat analysis |
| Rule Effectiveness | Trigger counts and false positive rates per restriction rule | Rule tuning |
| User Activity | Query volume, action breakdown, and model usage per user | Usage auditing |
| Full Export | Complete audit log entries for the selected date range | Regulatory submission |
Generating a Report
- Navigate to Secure → Audit Logs.
- Select the date range.
- Apply any additional filters (user, rule, action, severity).
- Select Generate Report and choose the report type.
- Download the report as PDF or CSV.
Info: Compliance reports inherit the immutability of the underlying audit log data. Report contents reflect the exact audit entries recorded during the selected period.
Related
- Guardrails — Guardrail results are captured in the
guardrail_resultsfield. - Restriction Rules — Triggered rules are recorded in the
triggered_rulesfield. - Prompt Injection Defense — Injection attempts are logged with the triggering rule and action.
- PII Detection — Detected PII types are recorded in the
pii_detectedfield.