Audit Logging
The audit log provides an immutable, compliance-grade record of all security-relevant operations in AppProfileSafe. Every entry captures WHO performed WHAT action, WHEN it happened, and WHERE it was executed. Entries are protected by a SHA-256 hash chain to detect tampering.
Audit Entry Structure
Each audit entry is an immutable record that captures:
| Category | Fields | Purpose |
|---|---|---|
| WHO | UserId, UserSid, AuthMethod | Identifies the user (Domain\Username or local) and authentication type (Windows/Local) |
| WHAT | Action, Target, Success, Details, ErrorMessage | The operation performed, its target resource, and outcome |
| WHEN | TimestampUtc, SequenceNumber | UTC timestamp (ISO 8601) and a monotonically increasing sequence number for ordering |
| WHERE | MachineName, OsVersion, ApplicationVersion, Interface | Machine identity, OS, app version, and whether the action was taken via GUI or CLI |
| HOW | DurationMs, FileCount, DataSize, RegistryValueCount | Technical metrics of the operation (duration, scope, volume) |
| Integrity | EntryHash, PreviousHash | SHA-256 hash chain for tamper detection |
Audit Actions
The following actions are recorded in the audit log:
| Category | Actions |
|---|---|
| Export | ExportStarted, ExportCompleted, ExportCompletedWithErrors, ExportFailed |
| Import | ImportStarted, ImportCompleted, ImportCompletedWithErrors, ImportFailed |
| Configuration | MappingConfigurationChanged, SettingsChanged |
| Validation | AppSchemaValidationFailed |
| Security | UnauthorizedAccess, IntegrityCheckFailed |
| Privacy | PersonalDataExported, PersonalDataImported |
| Simulation | DryRunExecuted, SimulateMappingExecuted |
| Log management | LogRotation, LogArchived |
Hash Chain Integrity
Every audit entry is protected by a cryptographic hash chain:
- The entry's key fields (timestamp, sequence, user, action, target, success) are serialized into a canonical string.
- This string is concatenated with the PreviousHash (the hash of the preceding entry).
- A SHA-256 hash is computed over the combined string and stored as EntryHash.
The HMAC key used for hashing is stored securely in Windows Credential Manager under the reference AppProfileSafe:Audit:HmacKey. If no key exists, one is generated automatically on first use.
The integrity verification service checks the entire chain by recomputing hashes, detecting sequence gaps, and validating that associated import diff CSV files have not been modified. See Audit Log Viewer (GUI) for how to run a verification.
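The chain check described above can be illustrated with a short added example; this is not AppProfileSafe's own code. The JSON canonical form, the all-zero genesis value, the use of HMAC-SHA-256 with the stored key, and all function names are assumptions, and the sample entries are constructed.

```python
import hashlib
import hmac
import json

FIELDS = ("TimestampUtc", "SequenceNumber", "UserId", "Action", "Target", "Success")
GENESIS = "0" * 64  # assumed PreviousHash of the first entry in a chain


def entry_hash(entry, previous_hash, key):
    """HMAC-SHA-256 over the canonical string concatenated with PreviousHash."""
    # Assumed canonical form: a compact JSON array of the key fields, which
    # stays unambiguous even when a field contains a delimiter character.
    canonical = json.dumps([entry[f] for f in FIELDS], separators=(",", ":"))
    message = (canonical + previous_hash).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def append(log, key, **fields):
    """Append an entry linked to the current tail of the chain."""
    prev = log[-1]["EntryHash"] if log else GENESIS
    entry = dict(fields, SequenceNumber=len(log) + 1, PreviousHash=prev)
    entry["EntryHash"] = entry_hash(entry, prev, key)
    log.append(entry)


def verify(log, key):
    """Return (SequenceNumber, problem) findings; an empty list means intact."""
    findings = []
    expected_prev, expected_seq = GENESIS, None
    for e in log:
        seq = e["SequenceNumber"]
        if expected_seq is not None and seq != expected_seq:
            findings.append((seq, "sequence gap"))
        if e["PreviousHash"] != expected_prev:
            findings.append((seq, "broken link"))
        recomputed = entry_hash(e, e["PreviousHash"], key)
        if not hmac.compare_digest(recomputed, e["EntryHash"]):
            findings.append((seq, "hash mismatch"))
        expected_prev, expected_seq = e["EntryHash"], seq + 1
    return findings


def sample_log(key):
    """Four constructed entries; the values are samples, not product output."""
    log = []
    for action in ("ExportStarted", "ExportCompleted", "ImportStarted", "ImportCompleted"):
        append(log, key, TimestampUtc="2024-01-01T00:00:00Z", UserId="CORP\\alice",
               Action=action, Target="AppA", Success=True)
    return log
```

Editing a field in place yields a hash mismatch on that entry, deleting an entry yields a sequence gap plus a broken link on its successor, and re-hashing an edited entry without the key still fails verification and breaks the link to the next entry.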
Event Severity Mapping
When audit entries are dispatched to the Event Pipeline, each entry is assigned a severity level based on its action and outcome:
| Severity | Condition | CEF | Syslog |
|---|---|---|---|
| Critical | IntegrityCheckFailed, UnauthorizedAccess | 9 | Critical |
| Error | ExportFailed, ImportFailed, or completed with Success = false | 7 | Error |
| Warning | CompletedWithErrors, AppSchemaValidationFailed, or success with error messages | 5 | Warning |
| Info | All other successful operations | 3 | Informational |
Retention Policy
Audit log retention is configured in settings.xml:
<Audit>
<RetentionDays>365</RetentionDays>
</Audit>
Files older than the retention period can be either archived to a separate folder or deleted, depending on the retention policy settings. When a file is archived, the last entry's hash and sequence number are recorded in the current audit log to preserve hash chain continuity.
Event Pipeline Integration
Each audit entry is automatically dispatched as a ProfileSafeEvent via the Event Pipeline. Dispatch happens asynchronously (fire-and-forget) to ensure that pipeline failures never block the local audit CSV write. Events include a deterministic EventId derived from the sequence number for deduplication, and the current OperationId for correlation across related events.
Events are routed to all configured sinks — SIEM, Webhooks, and Windows Event Log — with redaction applied before delivery.
Compliance Standards
The audit log design addresses requirements from the following standards:
- GDPR — Personal data operations (PersonalDataExported, PersonalDataImported) are explicitly tracked
- ISO 27001 — All access and configuration changes are logged with user identification
- SOC 2 — Hash chain integrity provides evidence of non-repudiation
- HIPAA — Immutable records with timestamp, user, and action meet audit trail requirements