Audit Logging
Complete JSONL audit trail for every tool call, decision, and DLP event.
What Gets Logged
Policy Decisions
Every ALLOW, DENY, and ESCALATE with tool name, arguments, and matched rule.
DLP Findings
Every PII, secret, or injection detection with type, action, and position.
Session Metadata
Session start/end, agent identity, total tool calls, and timing.
Event Format
Each line in the audit log is a JSON object. Example policy decision:
json
{
  "timestamp": "2026-03-09T14:23:01.234Z",
  "session_id": "sess_abc123",
  "event": "tool_check",
  "tool": "execute_sql",
  "arguments": {"query": "DROP TABLE users"},
  "decision": "DENY",
  "reason": "Destructive SQL operations are blocked",
  "policy_rule": "block-destructive-sql",
  "latency_ms": 0.8
}
DLP finding event:
json
{
  "timestamp": "2026-03-09T14:23:05.567Z",
  "session_id": "sess_abc123",
  "event": "dlp_finding",
  "tool": "read_database",
  "finding_type": "API_KEY",
  "action": "redacted",
  "pattern": "sk-proj-***",
  "position": {"start": 142, "end": 178}
}
CLI Usage
bash
# Show recent audit events
$ spidershield audit show
[14:23:01] DENY execute_sql "Destructive SQL blocked"
[14:23:05] DLP read_database API_KEY redacted
[14:23:12] ALLOW read_file ./data.csv

# Filter by tool
$ spidershield audit show --tool execute_sql

# Filter by session
$ spidershield audit show --session sess_abc123

# Aggregate stats
$ spidershield audit stats
Total events: 1,247
ALLOW: 1,089 (87.3%)
DENY: 142 (11.4%)
ESCALATE: 16 (1.3%)
DLP findings: 312
Sessions: 23
SIEM Integration
Audit logs are standard JSONL, so you can pipe them to any log aggregator: Splunk, Datadog, Elastic, or your own pipeline. SpiderShield Cloud (coming soon) adds centralized log collection and dashboards.
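As an added example (not SpiderShield's own code), this Python sketch shows a pre-forwarding step for your own pipeline: it parses the JSONL, sets aside malformed lines such as a truncated final write, and reports sessions that repeatedly hit the same DENY rule. The sample lines are constructed from the two event shapes shown above; the function names and the threshold of 2 are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample using only fields shown on this page; the last line is cut off on purpose.
SAMPLE_LOG = """\
{"timestamp": "2026-03-09T14:23:01.234Z", "session_id": "sess_abc123", "event": "tool_check", "tool": "execute_sql", "decision": "DENY", "policy_rule": "block-destructive-sql"}
{"timestamp": "2026-03-09T14:23:05.567Z", "session_id": "sess_abc123", "event": "dlp_finding", "tool": "read_database", "finding_type": "API_KEY", "action": "redacted"}
{"timestamp": "2026-03-09T14:23:12.001Z", "session_id": "sess_abc123", "event": "tool_check", "tool": "read_file", "decision": "ALLOW"}
{"timestamp": "2026-03-09T14:24:00.000Z", "session_id": "sess_def456", "event": "tool_check", "tool": "execute_sql", "decision": "DENY", "policy_rule": "block-destructive-sql"}
{"timestamp": "2026-03-09T14:24:02.000Z", "session_id": "sess_def456", "event": "tool_check", "tool": "execute_sql", "decision": "DENY", "policy_rule": "block-destructive-sql"}
{"timestamp": "2026-03-09T14:24:03.000Z", "session_id": "sess_def4
"""

def parse_events(text):
    """Return (events, bad_line_numbers); a bad line never aborts the whole run."""
    events, bad = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict):
            events.append(obj)
        else:
            bad.append(n)  # keep the line number so the gap can be investigated
    return events, bad

def summarize(events):
    """Per-session counts; event types not shown on the page are skipped."""
    sessions = defaultdict(lambda: {"decisions": Counter(), "dlp": Counter(), "denied_rules": Counter()})
    for ev in events:
        s = sessions[ev.get("session_id", "unknown")]
        if ev.get("event") == "tool_check":
            s["decisions"][ev.get("decision", "UNKNOWN")] += 1
            if ev.get("decision") == "DENY":
                s["denied_rules"][ev.get("policy_rule", "unknown")] += 1
        elif ev.get("event") == "dlp_finding":
            s["dlp"][ev.get("finding_type", "UNKNOWN")] += 1
    return sessions

def repeated_denials(sessions, threshold=2):
    """(session_id, policy_rule, count) where one rule fired at least `threshold` times."""
    return sorted((sid, rule, n) for sid, s in sessions.items()
                  for rule, n in s["denied_rules"].items() if n >= threshold)

if __name__ == "__main__":
    events, bad = parse_events(SAMPLE_LOG)
    print(repeated_denials(summarize(events)), "malformed lines:", bad)
```
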