Audit Log Reference¶
The Audit Log records every significant action taken by ntkDeploy — profile changes, deployments, policy events, and system telemetry. It serves as the primary trail for compliance review, incident investigation, and operational monitoring.
Prerequisites¶
- ntkDeploy running with at least one completed action (profile creation, deployment, etc.)
- No special permissions are required to read the audit log.
Accessing the Audit Log¶
Navigate to Audit Log in the left sidebar. The view loads the most recent 50 entries automatically. Pull-to-refresh re-fetches the same limit from the local database.
The Audit Log view can also be embedded inline within other feature screens (for example, within a profile or device group detail view) where it is automatically pre-filtered to entries for that specific entity.
Recorded Event Types¶
| Action key | Triggered by | Color |
|---|---|---|
profile_created |
A new profile is saved for the first time | Green |
profile_updated |
An existing profile version is edited and saved | Blue |
assignment_created |
A new deployment assignment is created | Orange |
rollout_succeeded |
A deployment rollout completes successfully | Green |
rollout_failed |
A deployment rollout fails | Red |
profile_priority_changed |
The priority order of assignments is changed | Grey (no dedicated color mapping in current implementation) |
priority_changed |
Legacy alias handled by the display layer for backward compatibility | Purple |
policy_capabilities_check |
Policy capabilities check ran (system telemetry) | Grey |
policy_connectivity_gate |
Policy connectivity gate failure or error outcome (system telemetry — ready and unavailable outcomes are not persisted) |
Grey |
mobile_profile_build_succeeded |
Mobile profile successfully built and encrypted | Green |
mobile_profile_build_failed |
Mobile profile build or validation failure | Red |
mobile_profile_deploy_succeeded |
.ntkprofile written successfully to a device group path |
Green |
mobile_profile_deploy_failed |
.ntkprofile write failed for a device group path |
Red |
mobile_profile_export_succeeded |
.ntkprofile saved via file export (path redacted in log) |
Green |
mobile_profile_rollback_attempted |
Rollback initiated for a path in a partially written mobile deployment | Orange |
mobile_profile_rollback_completed |
Rollback completed successfully for a path | Orange |
mobile_profile_rollback_failed |
Rollback attempt failed for a path | Red |
tpa_definition.create |
A TPA definition record is created | Grey |
tpa_definition.update |
A TPA definition record is updated | Grey |
tpa_definition.delete |
A TPA definition record is deleted | Grey |
tpa_grant.create |
A TPA grant is issued | Grey |
tpa_grant.revoke |
A TPA grant is revoked | Grey |
tpa_import.validate |
A TPA import package is submitted for advisory validation | Grey |
tpa_import.commit |
A TPA import is successfully committed | Grey |
tpa_import.failed |
A TPA import fails at the commit step | Grey |
tpa_import.disable |
A TPA import record is disabled | Grey |
tpa_import.delete |
A TPA import record is deleted | Grey |
tpa_trust.create |
A trading partner trust relationship is created | Grey |
tpa_trust.update |
A trading partner trust relationship is updated | Grey |
tpa_trust.revoke |
A trading partner trust relationship is revoked | Grey |
| (other) | Any other system event | Grey |
Mobile Profile Audit Events¶
The eight mobile-specific event types above are recorded by the mobile build and delivery pipeline:
| Event | When recorded |
|---|---|
mobile_profile_build_succeeded |
MobileConfigBuildService successfully encrypts and packages the .ntkprofile payload |
mobile_profile_build_failed |
MobileProfileValidator or NtkProfileCrypto raises an error during the build |
mobile_profile_deploy_succeeded |
MobileDeliveryService successfully writes a .ntkprofile to a target path |
mobile_profile_deploy_failed |
MobileDeliveryService fails to write a .ntkprofile to a target path |
mobile_profile_export_succeeded |
User saves a .ntkprofile via the File Export delivery mode |
mobile_profile_rollback_attempted |
Rollback is initiated for a path where a partial write was detected |
mobile_profile_rollback_completed |
Rollback completes successfully for a path |
mobile_profile_rollback_failed |
Rollback attempt fails for a path |
Redaction in mobile audit events¶
The following are never recorded in any mobile audit event metadata:
- The encryption password
- The decrypted profile payload
- Full file export paths (path is replaced with a redacted placeholder)
The profileId and profileName are recorded, allowing event correlation without exposing sensitive material.
TPA Audit Events¶
The TPA detail views recognize the 13 action keys below when matching entries are present in local audit storage:
In the main Audit Log view, TPA actions currently use the default grey icon color because they are not part of the legacy dedicated color map.
| Event | Meaning in TPA timelines |
|---|---|
tpa_definition.create |
A TPA definition record is created in the Policy Manager |
tpa_definition.update |
An existing TPA definition record is updated |
tpa_definition.delete |
A TPA definition record is deleted |
tpa_grant.create |
A TPA grant is issued (canonically signed and submitted to the Policy Manager) |
tpa_grant.revoke |
A TPA grant is revoked |
tpa_import.validate |
A TPA import package is submitted for server-side advisory validation |
tpa_import.commit |
A TPA import is successfully committed; the imported grant is now active |
tpa_import.failed |
A TPA import fails at the commit step (server re-validation returned blocking findings) |
tpa_import.disable |
A TPA import record is disabled |
tpa_import.delete |
A TPA import record is deleted |
tpa_trust.create |
A trading partner trust relationship is created |
tpa_trust.update |
An existing trading partner trust relationship is updated |
tpa_trust.revoke |
A trading partner trust relationship is revoked |
Redaction in TPA audit events¶
TPA-related audit metadata should never include:
- The
tpaKeyor any hex representation of it - The raw bytes of any uploaded trusted public key
Identifiers such as grantId, tpaId, issuerOrgId, recipientOrgId, and event timestamps are safe correlation fields when present.
TPA import failure events¶
The tpa_import.failed event includes failure context metadata from the server flow, including a failureReason value when present. These events are visible in the inline audit timeline on the TPA Imports detail panel.
Entry Structure¶
Each audit log entry contains the following fields:
| Field | Description |
|---|---|
| Action | One of the action keys listed above |
| Entity Type | The type of entity affected (e.g., profile, assignment, rollout) |
| Entity ID | The unique identifier of the affected entity |
| Actor | The user or system component that triggered the action |
| Occurred At | UTC timestamp in yyyy-MM-dd HH:mm:ss format |
| Metadata | Optional structured details specific to the action (e.g., failure code, old/new values) |
Audit Log UI¶
Row Layout¶
| Column | Content |
|---|---|
| Leading icon | Color-coded action type indicator |
| Title | Human-readable action label |
| Subtitle line 1 | entityType/entityId |
| Subtitle line 2 | By: <actor> • <timestamp> |
Rows are three-line tiles. The list renders all loaded entries without pagination in the current implementation.
Filtering¶
The Audit Log view supports two optional filter parameters:
| Parameter | Effect |
|---|---|
entityType |
Supplied together with entityId to scope the view to a specific entity |
entityId |
Supplied together with entityType to scope the view to a specific entity |
The entity filter is active only when both entityType and entityId are provided. Supplying entityType alone does not filter entries. When neither parameter is set, the view shows the most recent 50 entries across all entity types (the repository default limit).
No additional in-UI filter controls (date range, text search) are available in the current release.
Refreshing¶
Pull down on the list to trigger a refresh. The view re-fetches entries from the local database.
Storage and Retention¶
| Property | Value |
|---|---|
| Storage engine | Local SQLite (Drift) — no cloud dependency |
| Location | Application data directory on the Windows device running ntkDeploy |
| Retention | Entries are not automatically purged; manual deletion is not exposed in the UI |
| Scope | All audit entries are local to the machine and environment where ntkDeploy runs |
Note: Exporting the audit log to CSV or JSON is not available in the current release.
Audit Events Generated by Preflight¶
Policy preflight and connectivity gate transitions are also recorded in the audit log as telemetry events. For details on these event types see Deployment Preflight Reference.
Next Steps¶
- Deploying Configurations — trace a deployment end-to-end.
- Deployment Failures — use the audit log to diagnose failed rollouts.
- Dashboard Reference — the Recent Activity card shows the latest 10 entries.