Skip to content

Audit & compliance

Kilasec keeps two separate records, on purpose, because auditors and incident responders ask two different questions.

RecordAnswersWhere
Traffic Log"What did agents try to do, and what did we decide?"Traffic Log page
Audit Log"What did administrators change?"Audit Log page

Conflating them is a common mistake — every serious framework (SOC 2, and every SIEM) treats decision history and configuration-change history as distinct.

Traffic Log — decision history

Every policy decision on the wire: timestamp, verdict, agent, source IP, destination, matched rule, and reason. It's the forensic record of what your AI traffic did. Filter by agent, verdict, matched rule, free-text, or since-date; export to CSV for an investigation.

Note: raw request bodies are not stored in the cloud. The collector applies redaction and sanitization before anything is uplinked — the cloud sees the decision and metadata, not the prompt content (unless you explicitly opt into shipping content). Full-fidelity forensics live in the collector's local audit log on-prem.

Audit Log — configuration changes

Every administrative mutation: who edited which rule, who approved or rejected which collector, who changed retention, who impersonated a tenant, who enabled or reset 2FA. Each row carries the actor, timestamp, action, target, a human summary, and (where relevant) a before/after diff. This is your change-management and accountability record.

Staff impersonation ("View as tenant") is audited under the tenant, so it also appears in that customer's own audit log — impersonation is never invisible.

Retention

Set per-tenant event retention in Settings → Event retention. Common targets:

DaysRationale
30small shops
90recommended baseline
365SOC 2 minimum
2190HIPAA minimum (6 years)
0keep forever

An hourly sweeper deletes events past the window; reducing retention purges older rows immediately. Retention controls the long-term store — the Live Traffic view always shows only the last few hours regardless.

Exporting

  • CSV — one click from the Traffic Log and Audit Log for the current filter/window; hand it to an auditor or drop it in a ticket.
  • SIEM — see Export audit log to SIEM for forwarding decisions to Splunk / Datadog / a generic HEC.

Backups

Your audit history lives in the cloud database. On the Kilasec-hosted cloud, nightly snapshots are taken automatically. If you self-host, ensure a DB backup is in place — see Sizing & failure modes.

Documentation for kilasec — the AI Agent Firewall.