AS-301g · Module 1
Log Schema Design for AI Events
Unstructured logs are unsearchable logs. Structured logs with inconsistent schemas are barely better. An AI log schema standardizes the format of every AI-specific event so that SIEM detection rules can reference specific fields reliably. The schema must capture the who (agent identity), what (action taken), when (timestamp), where (system and component), and why (the trigger or input that caused the action).
Do This
- Define a standard schema for AI events before shipping logs to the SIEM — consistency enables detection rules
- Include agent identity, session ID, input hash, output hash, tool name, and guardrail status in every log entry
- Use a common event format (CEF or OCSF) extended with AI-specific fields — leverage existing SIEM parsers
Avoid This
- Ship unstructured text logs and hope the SIEM can parse them — unstructured logs produce unreliable detections
- Design different schemas for different agent types — inconsistency breaks cross-agent correlation
- Include full prompt text in SIEM-ingested logs — log size explodes and may violate data retention policies. Use hashes with a separate prompt store.
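As an added example (it is not part of the AS-301g module), the following Python builds one AI event carrying the fields listed above, stores SHA-256 hashes of the prompt and output instead of their text, validates the record against the schema before it is shipped, and renders it both as a JSON line and as a CEF line with the AI-specific fields in the extension. The field names, the CEF header values and the sample events are assumptions chosen for illustration, not a published standard.

```python
"""Minimal AI-event schema: required fields, hashed prompt/output, a validator
to run before shipping to the SIEM, and JSON/CEF serializers.
Field names, CEF header values and sample data are illustrative assumptions."""
import hashlib
import json
from datetime import datetime, timezone

# Every AI event must carry exactly these fields (names are an assumption).
REQUIRED_FIELDS = (
    "event_time", "agent_id", "session_id", "action", "component",
    "trigger", "input_hash", "output_hash", "tool_name", "guardrail_status",
)
GUARDRAIL_STATUSES = {"pass", "block", "warn", "not_evaluated"}
# Keys that would mean raw prompt/output text leaked into the SIEM record.
RAW_TEXT_KEYS = ("prompt", "input_text", "output_text", "completion")


def content_hash(text: str) -> str:
    """SHA-256 of the UTF-8 text, prefixed so the algorithm is self-describing.
    The full text lives in a separate prompt store keyed by this value."""
    return "sha256:" + hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_event(agent_id, session_id, action, component, trigger,
                input_text, output_text, tool_name, guardrail_status,
                event_time=None):
    """Build one schema-conformant event: who/what/when/where/why plus hashes.
    Only hashes of the input and output are stored, never the text itself."""
    if guardrail_status not in GUARDRAIL_STATUSES:
        raise ValueError(f"unknown guardrail_status: {guardrail_status!r}")
    ts = event_time or datetime.now(timezone.utc)
    return {
        "event_time": ts.isoformat(),      # when
        "agent_id": agent_id,              # who
        "session_id": session_id,          # correlates events across agents
        "action": action,                  # what
        "component": component,            # where
        "trigger": trigger,                # why (what caused the action)
        "input_hash": content_hash(input_text),
        "output_hash": content_hash(output_text),
        "tool_name": tool_name,
        "guardrail_status": guardrail_status,
    }


def validate_event(event: dict) -> list:
    """Return schema violations (empty list means valid). A pipeline would
    quarantine failing events rather than let them reach detection rules."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in event:
            problems.append(f"missing field: {field}")
    for key in RAW_TEXT_KEYS:
        if key in event:
            problems.append(f"raw text field present: {key}")
    extra = set(event) - set(REQUIRED_FIELDS) - set(RAW_TEXT_KEYS)
    if extra:
        problems.append("unexpected fields: " + ", ".join(sorted(extra)))
    for field in ("input_hash", "output_hash"):
        value = event.get(field, "")
        ok = isinstance(value, str) and value.startswith("sha256:") and len(value) == 71
        if not ok:
            problems.append(f"{field} is not a sha256 digest")
    if event.get("guardrail_status") not in GUARDRAIL_STATUSES:
        problems.append("guardrail_status outside allowed set")
    return problems


def to_json_line(event: dict) -> str:
    """One JSON line with sorted keys, so every agent's events look identical."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _cef_escape(value, header=False) -> str:
    """CEF escaping: pipes in the header, equals signs in the extension."""
    s = str(value).replace("\\", "\\\\").replace("\r", "").replace("\n", "\\n")
    return s.replace("|", "\\|") if header else s.replace("=", "\\=")


def to_cef(event: dict, vendor="ExampleVendor", product="AgentRuntime", version="1.0") -> str:
    """Render as a CEF line. Header values are placeholders; the AI fields ride
    in the extension as key=value pairs, which existing parsers already handle."""
    header = "|".join(_cef_escape(x, header=True) for x in
                      ("CEF:0", vendor, product, version, "ai_event", event["action"], "3"))
    extension = " ".join(f"{k}={_cef_escape(v)}" for k, v in sorted(event.items()))
    return header + "|" + extension


if __name__ == "__main__":
    # Constructed sample: two agent types in the same session emit the same
    # schema, so one SIEM rule on guardrail_status covers both.
    planner = build_event("planner-01", "sess-42", "llm_completion", "planner",
                          "user_message", "Summarize the incident", "Summary text", "none", "pass")
    executor = build_event("executor-07", "sess-42", "tool_call", "executor",
                           "planner_output", "run search", "3 results", "web_search", "block")
    for ev in (planner, executor):
        print(to_json_line(ev))
        print(to_cef(ev))
        print("violations:", validate_event(ev))
    leaky = dict(executor, prompt="run search")  # what the Avoid list warns against
    print("violations:", validate_event(leaky))
```

`validate_event` is the check to run at the shipping boundary: it rejects records missing a required field, records carrying a raw prompt key, and hashes that are not SHA-256 digests, so a detection rule can rely on every field being present and typed the same way for every agent. Because both sample events share `session_id`, the SIEM can join the planner's completion to the executor's blocked tool call without any agent-specific parsing.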