Evidence the auditor (and the incident) will ask for
When the auditor arrives, or the incident does, you need the proof. Observe gives you operational metrics, DLP events and an immutable, exportable audit log of everything that happened, with cryptographic chain verification.
Observability and audit in one place
Metrics turns the request stream into operational series: request volume, cost over time, requests by provider, error rate, top agents by cost, error types and anomalies. DLP Findings lists every prompt and response that tripped a detector, by severity and category, with prompt-injection signals, so data-leak events are visible instead of invisible.
The Audit Log is a searchable, color-coded record of every action, with expandable rows for full trace detail. It is tamper-evident: a SHA-256 chain verifies integrity, and you can export any range to CSV or NDJSON with PII redaction for the auditor or your SIEM.
What Observe gives you
Operational metrics
Request volume, cost over time, requests by provider, error rate, top agents by cost, error types and anomalies: the whole estate at a glance.
DLP findings
Every prompt and response that tripped a detector, by severity and category, with prompt-injection signals and the action taken.
Immutable audit log
A searchable, color-coded record of every action, with expandable rows for full trace detail and policy-match reasons.
Chain verification
A SHA-256 hash chain proves the audit log has not been altered, so the evidence holds up under scrutiny.
Exports
Export any range to CSV or NDJSON with PII redaction for an auditor, or stream events to your SIEM.
Anomaly tracking
Cost and volume spikes, new models and provider switches are tracked over time so drift is visible, not buried.
What we record
- Metrics Requests, cost, tokens, latency, error rate, active agents Operational time series broken down by provider and agent.
- DLP events Time, agent, severity, findings, categories, prompt-injection, action, model Filterable by severity, category and prompt-injection level.
- Audit log Time, actor, action, resource, details, with chain verification Tamper-evident record across admin, system and auth events.
- Exports CSV / NDJSON with PII redaction Range exports for auditors, plus SIEM connectors (OCSF/CEF).
- Anomalies Cost spike, volume spike, new model, provider switch Tracked over time against per-agent baselines.
Watch, triage, export
-
Watch the metrics
Track requests, cost, errors and anomalies by provider and agent as traffic flows through the proxy.
-
Triage DLP events
Filter findings by severity and category, and see the action taken on each: block, redact or alert.
-
Export for the auditor
Pull any range from the audit log to CSV or NDJSON with PII redaction, or stream it to your SIEM, with integrity guaranteed by the hash chain.
Frequently asked questions
What makes the audit log tamper-evident?
Every entry is linked into a SHA-256 hash chain. Altering or removing a record breaks the chain, and the console can verify integrity on demand, so the log is defensible evidence, not just a list.
Can I send events to my SIEM?
Yes. Observe exports to CSV or NDJSON with PII redaction, and SIEM connectors emit events in OCSF or CEF with presets for Splunk HEC, Sumo Logic, Cribl and generic collectors.
What DLP categories are reported?
PII, secrets, PHI, national IDs, financial data, crypto wallets and custom patterns, each finding classified by severity and paired with prompt-injection signals.
How far back does the data go?
Retention is configurable per data type (traces, audit log and DLP events), with optional archival to S3 or GCS before purge, so you keep what compliance requires and nothing more.