Login Logs
The Login Logs page in the Admin Panel records every authentication attempt on your SetGet instance — both successful and failed. This data is essential for detecting unauthorized access attempts, investigating security incidents, and monitoring overall authentication health.
Navigate to Admin Panel > Login Logs or go directly to /backoffice/logs/login.
What gets logged
Every authentication attempt generates a log entry, regardless of the method used:
| Authentication method | Logged events |
|---|---|
| Email + Password | Login attempt, success/failure, incorrect password |
| Magic Link | Code request, code verification, success/failure |
| Google OAuth | OAuth initiation, callback success/failure |
| GitHub OAuth | OAuth initiation, callback success/failure |
| GitLab OAuth | OAuth initiation, callback success/failure |
| Gitea OAuth | OAuth initiation, callback success/failure |
| SAML | SAML assertion, success/failure |
| LDAP | LDAP bind attempt, success/failure |
Log entry details
Each login log entry contains the following information:
| Field | Description | Example |
|---|---|---|
| Timestamp | When the attempt occurred (UTC) | 2026-03-29T14:23:01Z |
| User | Email of the account targeted | john@example.com |
| Status | Success or Failure | Failure |
| Method | Authentication method used | email_password |
| Failure Reason | Why the attempt failed (if applicable) | invalid_password |
| IP Address | Source IP of the request | 203.0.113.10 |
| Country | Geo-located country (when available) | Turkey |
| City | Geo-located city (when available) | Istanbul |
| Browser | Browser name and version | Chrome 122 |
| OS | Operating system | Windows 11 |
| Device | Device type | Desktop |
| User Agent | Full user-agent string | Mozilla/5.0 ... |
Viewing login logs
The login log page displays entries in reverse chronological order. Each entry is color-coded:
| Status | Color | Icon |
|---|---|---|
| Success | Green | Check mark |
| Failure | Red | X mark |
| Locked | Orange | Lock icon |
Click on any entry to expand the full details panel showing all fields including the raw user-agent string and geo-location data.
Searching and filtering
Filters
| Filter | Options |
|---|---|
| Date range | Start and end date/time pickers |
| User | Search by email address |
| Status | All, Success, Failure, Locked |
| Method | Email+Password, Magic Link, Google, GitHub, GitLab, Gitea, SAML, LDAP |
| IP address | Exact IP or CIDR range |
| Country | Select from detected countries |
| Browser | Chrome, Firefox, Safari, Edge, Other |
Filters can be combined. For example: show all failed login attempts for a specific user from a specific country in the last 7 days.
Failure reasons
| Reason code | Description |
|---|---|
invalid_password | Correct email, wrong password |
user_not_found | No account with this email exists |
account_deactivated | Account is deactivated |
account_locked | Account locked due to brute-force protection |
magic_link_expired | Magic link code has expired |
magic_link_invalid | Magic link code is incorrect |
oauth_error | OAuth provider returned an error |
oauth_email_mismatch | OAuth email does not match any account |
saml_assertion_invalid | SAML assertion validation failed |
ldap_bind_failed | LDAP authentication rejected |
ip_blocked | Request IP is on the blocklist |
rate_limited | Too many attempts from this IP |
Identifying suspicious activity
Use login logs to detect potential security threats:
Indicators of compromise
| Pattern | What it may indicate | Recommended action |
|---|---|---|
| Many failed attempts for one user | Targeted brute-force attack | Check Security Settings for lockout policy |
| Failed attempts from many IPs for one user | Distributed brute-force attack | Consider adding the user's IP to the allowlist |
| Failed attempts for many users from one IP | Credential-stuffing attack | Block the IP address |
| Successful login from unusual country | Possible account compromise | Terminate user sessions, require password change |
| Login at unusual time | Possible account compromise | Verify with the user |
| Rapid successive logins | Token theft or session replay | Terminate sessions and investigate |
Monitoring dashboard
The top of the Login Logs page shows summary metrics:
| Metric | Description |
|---|---|
| Total logins (24h) | Successful logins in the last 24 hours |
| Failed attempts (24h) | Failed login attempts in the last 24 hours |
| Failure rate | Percentage of failed attempts |
| Locked accounts | Currently locked accounts due to brute-force protection |
| Unique IPs (24h) | Number of distinct IP addresses with login attempts |
| Top failed IPs | IP addresses with the most failed attempts |
Export login logs
Export login logs for external analysis or compliance reporting:
- Apply filters to narrow the scope.
- Click Export.
- Choose format (CSV or JSON).
- Click Download.
TIP
For security audits, export login logs filtered to failed attempts and review them for patterns of malicious activity. Include this data in your regular security review process.
Retention
Login logs are subject to the data retention policy configured in GDPR / KVKK settings.
| Setting | Default | Minimum |
|---|---|---|
| Login log retention | 180 days | 30 days |
WARNING
Reducing the retention period deletes historical login data permanently. Ensure this aligns with your compliance requirements before making changes.
Related pages
- Admin Panel Overview — Navigate the Admin Panel
- Audit Logs — Administrative action logs
- Security Settings — Brute-force protection and IP restrictions
- User Management — View user sessions and force logout
- Authentication Settings — Configure login methods