Path: Administration → Activity (/activity) — Admin onlyThe Activity page is the platform audit trail, showing every significant action taken by users and the system.
What is Logged
User Actions
| Category | Events |
|---|
| Authentication | Login, logout, failed logins, 2FA events, password resets |
| Sites | Site created, deleted, deployed, cloned, backed up, restored |
| Users | User created, deleted, role changed, impersonation sessions |
| Billing | Subscriptions created/updated/canceled, payments received, invoices generated |
| Settings | Any admin setting changed — records old and new value |
| License | Validation, suspension detected, key changed |
System Events
| Category | Events |
|---|
| Backups | Started, completed, failed |
| Certificates | SSL issued, renewed, failed |
| Cron | Jobs executed, succeeded, failed |
| Agents | Connected, disconnected, commands executed |
| Security | IP banned, login thresholds breached, firewall rule changes |
Activity Feed
The page is rendered by the ActivityTab component, showing a real-time feed of events:
| Column | Description |
|---|
| Time | When the event occurred (relative and absolute) |
| User | Account that performed the action, or “System” |
| Action | What happened |
| Resource | What was affected (site name, user email, etc.) |
| IP Address | Origin IP address |
| Details | Expandable full event payload |
Audit Trail Properties
- Immutable — entries cannot be edited or deleted from the UI
- Complete — every state-changing action is recorded
- Timestamped — all events use UTC timestamps
- Attributed — every action linked to a user account or the system process
- Retained — logs kept for 365 days by default (configurable in Settings)
Common Investigation Queries
Use the built-in filters to narrow down activity:
Failed logins in last 24h → Action: auth.login.failed, Date: Last 24 hours
All actions by a user → User: user@example.com
Admin settings changes → Category: settings
Site deletions this month → Action: site.deleted, Date: This month
Set up Slack or email alerts in Settings → Notifications to be notified immediately when suspicious events occur — multiple failed logins, admin role changes, or site deletions.
