Audit & compliance
Kilasec keeps two separate records, on purpose, because auditors and incident responders ask two different questions.
| Record | Answers | Where |
|---|---|---|
| Traffic Log | "What did agents try to do, and what did we decide?" | Traffic Log page |
| Audit Log | "What did administrators change?" | Audit Log page |
Conflating them is a common mistake — every serious framework (SOC 2, and every SIEM) treats decision history and configuration-change history as distinct.
Traffic Log — decision history
Every policy decision on the wire: timestamp, verdict, agent, source IP, destination, matched rule, and reason. It's the forensic record of what your AI traffic did. Filter by agent, verdict, matched rule, free-text, or since-date; export to CSV for an investigation.
Note: raw request bodies are not stored in the cloud. The collector applies redaction and sanitization before anything is uplinked — the cloud sees the decision and metadata, not the prompt content (unless you explicitly opt into shipping content). Full-fidelity forensics live in the collector's local audit log on-prem.
Audit Log — configuration changes
Every administrative mutation: who edited which rule, who approved or rejected which collector, who changed retention, who impersonated a tenant, who enabled or reset 2FA. Each row carries the actor, timestamp, action, target, a human summary, and (where relevant) a before/after diff. This is your change-management and accountability record.
Staff impersonation ("View as tenant") is audited under the tenant, so it also appears in that customer's own audit log — impersonation is never invisible.
Retention
Set per-tenant event retention in Settings → Event retention. Common targets:
| Days | Rationale |
|---|---|
| 30 | small shops |
| 90 | recommended baseline |
| 365 | SOC 2 minimum |
| 2190 | HIPAA minimum (6 years) |
| 0 | keep forever |
An hourly sweeper deletes events past the window; reducing retention purges older rows immediately. Retention controls the long-term store — the Live Traffic view always shows only the last few hours regardless.
Exporting
- CSV — one click from the Traffic Log and Audit Log for the current filter/window; hand it to an auditor or drop it in a ticket.
- SIEM — see Export audit log to SIEM for forwarding decisions to Splunk / Datadog / a generic HEC.
Backups
Your audit history lives in the cloud database. On the Kilasec-hosted cloud, nightly snapshots are taken automatically. If you self-host, ensure a DB backup is in place — see Sizing & failure modes.