Activity & Audit logs


Last updated 2 days ago


This feature is available starting from version 1.4.

The Activity Log provides a comprehensive view of user interactions within your defguard instance. This allows you to monitor user behavior, troubleshoot issues, and maintain an audit trail of important activities.

Viewing Activity log events

The Activity log is available as a dedicated page in the defguard core Web UI used to manage your instance.

To access it, click the Activity log button in the navbar.

Overview

The Activity log page displays a chronological list of user-initiated events. By default, the most recent events are on top.

Each entry in the list contains the following fields:

  • Date - timestamp of when the event occurred
  • User - which user triggered the event
  • IP - IP address from which the action was performed
  • Event - brief description of the event
  • Module - which module the event belongs to
  • Device - device (or more specifically the user agent) from which the action was performed

Modules

Events are grouped into modules based on the part of the system they are related to.

Currently there are four modules:

  • Defguard - operations performed in the core Web UI (e.g. adding users, modifying devices, managing groups etc.)
  • Client - actions performed by desktop client applications
  • VPN - events related to VPN clients (e.g. a client connecting to a location)
  • Enrollment - events related to the process of user enrollment

Filtering

By clicking the Filter button above the list you can narrow down the displayed events based on the following criteria:

  • Event
  • Module
  • Users

For each of those you can select multiple options.

Filtering by date can be done by clicking the Time range button above the list.

Sorting

By default the Activity log is sorted in reverse chronological order (most recent event on top).

To change the order you can click on the header of the Date column.

Search

You can also use the Search input above the list to look for specific events.

You can search by:

  • Username
  • Module
  • Event
  • Device

The search is case-insensitive and will match partial text.

Note that filtering and searching are composable operations, so if you have already applied some filters, the search is performed only among those filtered events.

Permissions

Access to the Activity log is controlled by user permissions.

Each user can always view their own activities (events triggered by themselves).

Additionally, administrators can view events related to all users.

Events tracked in Activity Log

At the moment the following events are tracked in the Activity log:

  • Defguard module
    • User login
    • User login failed
    • User MFA login
    • User MFA login failed
    • Recovery code used
    • User logout
    • User added
    • User modified
    • User removed
    • MFA disabled
    • MFA TOTP enabled
    • MFA TOTP disabled
    • MFA email enabled
    • MFA email disabled
    • MFA security key added
    • MFA security key removed
    • Device added
    • Device modified
    • Device removed
    • Network device added
    • Network device modified
    • Network device removed
    • Activity log stream device added
    • Activity log stream device modified
    • Activity log stream device removed
  • Client module
  • Enrollment module
  • VPN module
    • VPN client connected
    • VPN client disconnected

Streaming to external SIEM systems

Please note that the enterprise version supports streaming of audit logs to external SIEM systems. More on this topic can be found in the dedicated documentation section, Audit Log Streaming to SIEM systems.

[Screenshots: Activity log page; Event filter modal; Time range filter modal]
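Once the events above are streamed to a SIEM, the obvious next step is to alert on them. The following is an added example, not defguard's own code: it runs two simple detections over constructed events that use the fields listed on this page (Date, User, IP, Event, Module, Device) and the event names from the list above. The one-dict-per-event layout and the field keys are assumptions; the real stream format is defined by the SIEM integration guides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Defguard-module events that weaken MFA; each one deserves a look on its own.
SENSITIVE_EVENTS = {
    "MFA disabled", "MFA TOTP disabled", "MFA email disabled",
    "MFA security key removed", "Recovery code used",
}

def failed_login_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """IPs with >= threshold 'User login failed' events in any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["module"] == "Defguard" and e["event"] == "User login failed":
            failures[e["ip"]].append(datetime.fromisoformat(e["date"]))
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(ip)
                break
    return sorted(alerts)

def mfa_weakening_events(events):
    """(user, event, date) for every event that disables or bypasses an MFA factor."""
    return [(e["user"], e["event"], e["date"]) for e in events
            if e["module"] == "Defguard" and e["event"] in SENSITIVE_EVENTS]

def _ev(date, user, ip, event, module="Defguard", device="Mozilla/5.0"):
    # Assumed record layout: one dict per Activity log entry, keyed by field name.
    return {"date": date, "user": user, "ip": ip, "event": event,
            "module": module, "device": device}

# Constructed sample log: six failures from one IP within five minutes,
# two failures an hour apart from another, one MFA change, one VPN connection.
SAMPLE_EVENTS = [
    *[_ev(f"2025-01-10T08:0{i}:00", "alice", "203.0.113.7", "User login failed")
      for i in range(6)],
    _ev("2025-01-10T08:30:00", "bob", "198.51.100.4", "User login failed"),
    _ev("2025-01-10T09:30:00", "bob", "198.51.100.4", "User login failed"),
    _ev("2025-01-10T09:31:00", "bob", "198.51.100.4", "User login"),
    _ev("2025-01-10T09:32:00", "bob", "198.51.100.4", "MFA TOTP disabled"),
    _ev("2025-01-10T09:40:00", "bob", "198.51.100.4", "VPN client connected",
        module="VPN", device="defguard-client"),
]
# failed_login_alerts(SAMPLE_EVENTS) -> ['203.0.113.7']
```

Only alice's IP trips the default threshold, because bob's two failures fall outside the ten-minute window; the MFA check flags bob's TOTP removal regardless of timing.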