RUNLOCALAIv38
->Will it run?Best GPUCompareTroubleshootStartLearnPulseModelsHardwareToolsBench
Run check
RUNLOCALAI

Independently operated catalog for local-AI hardware and software. Hand-written verdicts. Source-cited claims. Reproducible commands when we have them.

OP·Eruo Fredoline
DIR
  • Models
  • Hardware
  • Tools
  • Benchmarks
TOOLS
  • Will it run?
  • Compare hardware
  • Cost vs cloud
  • Choose my GPU
  • Prompting kits
  • Quick answers
REF
  • All buyer guides
  • Learn local AI
  • Methodology
  • Glossary
  • Errors KB
  • Trust
EDITOR
  • About
  • Author
  • How we make money
  • Editorial policy
  • Contact
LEGAL
  • Privacy
  • Terms
  • Sitemap
MAIL · MONTHLY DIGEST
Get monthly local AI changes
Monthly recap. No spam.
DISCLOSURE

Some links on this site are affiliate links (Amazon Associates and other first-class retailers). When you buy through them, we earn a small commission at no extra cost to you. Affiliate links do not influence our verdicts — there are cards we rate highly that we don't have affiliate relationships with, and cards that sell well that we refuse to recommend. Read more →

© 2026 runlocalai.coIndependently operated
RUNLOCALAI · v38
  1. >
  2. Home
  3. /Learn
  4. /Courses
  5. /Security and Privacy for Local AI
  6. /Ch. 14
Security and Privacy for Local AI

14. Audit Logging

Chapter 14 of 16 · 15 min
KEY INSIGHT

Audit logs only provide value if you review them. Configure alerts for anomalous patterns: authentication failures, unusual API usage, or data access outside normal hours. Logs that nobody reads are wasted storage.

Audit logging records security-relevant events for detection, investigation, and compliance. For AI systems, key events include: authentication attempts, API requests, data access, configuration changes, and errors.

What to log:

Authentication events: Login attempts (success and failure), API key usage, session creation and termination.

Data access: Queries processed, documents retrieved, conversation history accessed.

Administrative actions: Configuration changes, model deployments, permission modifications.

Security events: Rate limit triggers, blocked requests, detected injection attempts.

Malfunctions: Errors, exceptions, unexpected model behavior.

Logging implementation:

import logging
import json
from datetime import datetime

class AuditLogger:
    def __init__(self, log_file: str = "/var/log/ai-audit.log"):
        self.logger = logging.getLogger("ai-audit")
        self.logger.setLevel(logging.INFO)
        
        # File handler with rotation
        handler = logging.handlers.RotatingFileHandler(
            log_file, maxBytes=10_000_000, backupCount=5
        )
        handler.setFormatter(logging.Formatter(
            '%(asctime)s %(message)s'
        ))
        self.logger.addHandler(handler)
        
        # Structured JSON output for SIEM integration
        self.json_handler = logging.handlers.RotatingFileHandler(
            "/var/log/ai-audit.json", maxBytes=10_000_000, backupCount=5
        )
        self.json_handler.setFormatter(JsonFormatter())
        self.logger.addHandler(self.json_handler)
    
    def log(self, event_type: str, user: str, details: dict):
        self.logger.info(json.dumps({
            "timestamp": datetime.utcnow().isoformat(),
            "event_type": event_type,
            "user": user,
            "details": details,
            "source_ip": details.get("ip", "unknown")
        }))
    
    def log_auth(self, user: str, success: bool, ip: str, reason: str = ""):
        self.log("authentication", user, {
            "success": success,
            "ip": ip,
            "reason": reason
        })
    
    def log_api_request(self, user: str, endpoint: str, model: str, 
                        prompt_length: int, response_time_ms: int):
        self.log("api_request", user, {
            "endpoint": endpoint,
            "model": model,
            "prompt_length": prompt_length,
            "response_time_ms": response_time_ms
        })

Log retention and protection:

# Configure log retention (90 days for audit logs)
sudo journalctl --vacuum-time=90d

# Protect logs from tampering
sudo chmod 640 /var/log/ai-audit.log
sudo chattr +a /var/log/ai-audit.log  # Append-only (if filesystem supports)

# Ship logs to central SIEM
# Configure Filebeat or Fluentd to forward to Elasticsearch/Splunk

Local verification checkpoint

Run the smallest example from this chapter in a local workspace and record the package version, runtime, data path, and observed output. If the result depends on model size, vector count, CPU/GPU backend, or available memory, note that constraint beside the exercise so the lesson remains reproducible.

EXERCISE

Enable logging in your AI service for authentication and API requests. Generate test logs by making several API calls with valid and invalid credentials. Verify logs appear with correct timestamps and details.

← Chapter 13
CCPA Considerations
Chapter 15 →
Incident Response