What logs do I need to capture for LLM SQL forensics?

Question

Accepted Answer

For an actionable forensic trail (SOC 2, HIPAA, PCI, and "what just happened" debugging): - `timestamp` — RFC 3339 UTC, nanosecond precision if available. - `request_id` — correlates with upstream LLM call. - `subject` — authenticated user ID, tenant ID, agent ID, model + version. - `prompt` — natural-language input to the LLM (PII-redacted if needed). - `system_prompt_hash` — to identify which prompt version was active. - `generated_sql` — raw output from the LLM. - `rewritten_sql` — final SQL after policy injection (if applicable). - `decision` — `allow` / `reject` / `rewrite`, with rule ID. - `tables_accessed` — derived from AST. - `columns_accessed` — derived from AST. - `row_count` — result count (not contents). - `execution_ms` — for performance forensics. - `prev_hash` — SHA-256 of previous log entry (tamper evidence). Ship to your SIEM (Datadog, Splunk, Elastic, Chronicle). For HIPAA, retain six years; PCI DSS, one year online + three archived; SOC 2 typically one year.