# Audit Log The Audit Log is the structured, immutable record of every tool call passing through the MCP Gateway. The gateway writes one audit event per tool call. Audit events are the investigation surface for any Admin question that starts with "why did the Agent do that?" *** ### 📖 Key Concepts * **Audit Log**: Cakewalk's immutable record of every tool call. The MCP Gateway writes one audit event per call. * **Audit event**: A single tool call's record: who, what, against which Connection, which Policies fired, what data was exchanged. * **Triggered Policy**: Any Policy whose conditions matched the tool call. Multiple Policies can trigger on a single call. The gateway applies one outcome per call, resolved by the [Policy](/docs/ai-agent-access/concepts/policies.md) conflict rules (Custom > Default, then most restrictive wins). :bulb: *Why this matters:* The Audit Log is the only way to answer "why was this allowed?" or "why was this blocked?" Audit events are immutable: each event is what the gateway decided at the moment of the call. *** ### 📋 What an Audit Event Contains Each audit event records: * The **request payload** sent to the Connection * The **response payload** returned to the Agent * Every **triggered Policy** with its conditions and outcome The event surfaces alongside the tool call's context: User, Agent, Connection, tool, Action type, decision (Auto-approved, Require approval or Denied) and timestamp. The Admin sees the full record in a single side panel and reviews exactly what data was shared through the gateway. *** ### 🔍 Where Admins Read the Audit Log Audit events surface in three places in the Admin product surface: * **Agent Activity**: The org-wide reverse-chronological view of every session across the org. Click any tool call row to open the audit event. * **Sessions tabs**: Filtered views of the same data, scoped to one Agent, one Connection or one User. Same nested table pattern (session row, expand, tool call rows, click for the event). * **Tool call side panel**: The drawer that opens when an Admin clicks a tool call. Shows request payload, response payload and every triggered Policy with its outcome. *** ### 🛡️ Immutability Once written, an audit event cannot be modified. The record stays accurate even as the surrounding state changes: * If a Policy changes after the call, the event still shows the Policy that fired at the time. * If a User is offboarded, the event still shows what they delegated. * If an Agent is restricted, the event still shows everything the Agent did before. *** ### Related Concepts * [The MCP Gateway](/docs/ai-agent-access/concepts/the-mcp-gateway.md): where audit events are produced * [The Tool Call Lifecycle](/docs/ai-agent-access/concepts/the-tool-call-lifecycle.md): Step 6 produces the audit event * [Policies](/docs/ai-agent-access/concepts/policies.md): what makes a Policy trigger and how conflicts resolve * [Trust and Security](/docs/ai-agent-access/concepts/trust-and-security.md): what payload data the gateway sees and stores --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.cakewalk.security/docs/ai-agent-access/concepts/audit-log.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.