Audit Logs
The Audit Logs page in the Admin Panel provides a chronological, tamper-resistant record of every administrative action performed on your SetGet instance. Audit logs are essential for security monitoring, compliance audits, incident investigation, and operational accountability.
Navigate to Admin Panel > Audit Logs or go directly to /backoffice/logs/audit.
What gets logged
SetGet records audit log entries for the following categories of actions:
Settings changes
| Action | Description |
|---|---|
settings.general.updated | General settings (name, URL, branding) changed |
settings.smtp.updated | SMTP configuration changed |
settings.smtp.tested | SMTP test email sent |
settings.auth.updated | Authentication settings changed |
settings.security.updated | Security settings changed |
settings.storage.updated | Storage configuration changed |
settings.storage.tested | Storage connection tested |
settings.ai.updated | AI configuration changed |
settings.features.updated | Feature flags toggled |
settings.gdpr.updated | GDPR/KVKK settings changed |
settings.email_template.updated | Email template modified |
settings.email_template.reset | Email template reset to default |
User management
| Action | Description |
|---|---|
user.created | New user account created by admin |
user.updated | User profile modified by admin |
user.role_changed | User's instance role changed |
user.deactivated | User account deactivated |
user.reactivated | User account reactivated |
user.deleted | User account permanently deleted |
user.sessions_terminated | User's sessions force-terminated |
user.password_reset | Admin initiated a password reset for a user |
user.bulk_deactivated | Multiple users deactivated in bulk |
user.bulk_deleted | Multiple users deleted in bulk |
Workspace management
| Action | Description |
|---|---|
workspace.suspended | Workspace suspended |
workspace.resumed | Workspace suspension lifted |
workspace.ownership_transferred | Workspace ownership changed |
workspace.deleted | Workspace permanently deleted |
GDPR / Compliance
| Action | Description |
|---|---|
gdpr.export_requested | User data export initiated |
gdpr.export_completed | User data export ready for download |
gdpr.deletion_requested | User data deletion initiated |
gdpr.deletion_completed | User data deletion completed |
gdpr.consent_updated | Consent configuration changed |
gdpr.retention_updated | Data retention policy changed |
Authentication events
| Action | Description |
|---|---|
auth.oauth_provider_enabled | OAuth provider enabled |
auth.oauth_provider_disabled | OAuth provider disabled |
auth.saml_configured | SAML settings updated |
auth.ldap_configured | LDAP settings updated |
auth.signup_toggled | Sign-up enabled or disabled |
Log entry format
Each audit log entry contains the following fields:
| Field | Description | Example |
|---|---|---|
| Timestamp | When the action occurred (ISO 8601, UTC) | 2026-03-29T14:23:01Z |
| Actor | User who performed the action (name and email) | John Doe (john@example.com) |
| Actor IP | IP address of the actor | 203.0.113.10 |
| Action | Machine-readable action identifier | user.deactivated |
| Action Label | Human-readable description | User deactivated |
| Target | Entity affected by the action | jane@example.com |
| Target Type | Type of the target entity | user, workspace, settings |
| Details | Additional context (JSON) | {"previous_role": "user", "new_role": "admin"} |
| Request ID | Unique identifier for the API request | req_abc123def456 |
Viewing audit logs
The audit log page displays entries in reverse chronological order (newest first). Each entry shows:
- Timestamp and relative time ("2 hours ago")
- Actor name and avatar
- Action description in human-readable form
- Target entity with a link (when applicable)
- Expandable details section for the full JSON payload
Searching and filtering
Search
Use the search bar to find entries by:
- Actor name or email
- Target name or email
- Action identifier
- Free text in the details field
Filters
| Filter | Options |
|---|---|
| Date range | Start and end date/time pickers |
| Actor | Select a specific user |
| Action category | Settings, User Management, Workspace Management, GDPR, Authentication |
| Action | Specific action type from the dropdown |
| Target type | User, Workspace, Settings |
| IP address | Filter by actor's IP address |
Combined filters
Filters can be combined to narrow results. For example:
- Show all
user.deletedactions in the last 30 days. - Show all actions by a specific admin user.
- Show all settings changes from a particular IP address.
- Show all workspace management actions for a specific workspace.
Exporting audit logs
Export audit logs for external analysis, compliance audits, or archival.
- Apply any desired filters to narrow the scope.
- Click Export at the top of the log list.
- Choose the export format:
| Format | Description |
|---|---|
| CSV | Comma-separated values, compatible with spreadsheets |
| JSON | Full JSON records with all metadata |
- Click Download.
The export includes all fields for each log entry within the filtered scope.
TIP
For regular compliance reporting, schedule monthly exports of audit logs filtered to the relevant action categories. Store exports in a secure, tamper-evident location.
Retention period
Audit logs are subject to the data retention policy configured in GDPR / KVKK settings.
| Setting | Default | Configurable |
|---|---|---|
| Audit log retention | 365 days | Yes |
| Minimum retention | 90 days | Cannot be set lower |
WARNING
When the retention period expires, audit log entries are permanently deleted by the nightly cleanup job. Export logs before the retention period ends if you need to keep them longer.
Log integrity
Audit log entries are append-only. Once written, they cannot be modified or deleted through the Admin Panel or API (except by the automated retention cleanup). This ensures the reliability of the audit trail for compliance and investigation purposes.
TIP
For additional tamper protection, consider forwarding audit logs to an external SIEM or log management system (Splunk, ELK, Datadog) in real time.
Common audit queries
| Question | How to find the answer |
|---|---|
| Who changed the SMTP settings? | Filter: Action = settings.smtp.updated |
| When was a user deleted? | Filter: Action = user.deleted, Target = user email |
| What did a specific admin do this week? | Filter: Actor = admin email, Date = last 7 days |
| Were any workspaces suspended? | Filter: Action = workspace.suspended |
| Who enabled GitHub OAuth? | Filter: Action = auth.oauth_provider_enabled |
| Were there any GDPR deletion requests? | Filter: Action category = GDPR |
Related pages
- Admin Panel Overview — Navigate the Admin Panel
- Login Logs — Authentication-specific activity logs
- Security Settings — Security configuration that generates audit events
- User Management — User actions that appear in audit logs
- Workspace Management — Workspace actions that appear in audit logs
- GDPR / KVKK — Compliance actions and retention settings