Audit log
Dieser Inhalt ist noch nicht in deiner Sprache verfügbar.
The Audit log page (/admin/audit) lists security-relevant events from across the server — authentication, admin actions, license changes, group changes, encryption configuration. Events are stored in the AuditEntries table and surfaced via the IAuditLogger service.
Event format
Section titled “Event format”Every entry has:
- Event — dotted name like
Login.Failed,User.RoleChanged,Group.MemberAdded,License.Updated. - Actor — the email of the principal performing the action (admin or end user).
systemwhen the actor is the server itself. - Target — the affected user / group / object, where applicable.
- IP and User-Agent — captured from the request when relevant.
- Timestamp — UTC.
- Payload — small JSON blob with event-specific context.
Filtering
Section titled “Filtering”The page provides two filters:
- Event type — substring match on the event name (e.g.
Login.for all login events). - Actor email — substring match on the email of the user who performed the action.
Filters apply server-side; the page paginates results virtually.
Login anomalies
Section titled “Login anomalies”The /admin/anomalies page is a separate, opinionated view backed by the same audit data. It surfaces signals like:
- Repeated failed logins from the same IP in a short window.
- Successful logins from geographically improbable locations (impossible-travel).
- A successful login immediately following a burst of failures.
Each anomaly has an Acknowledge action that records the admin’s decision in the audit log. By default the page hides acknowledged items; toggle “Unacknowledged only” off to see history.
Outbound notifications
Section titled “Outbound notifications”Pia Server does not send email notifications for admin alerts. If you want alerts off-server, scrape the audit log via SQL or build a watcher around the IAuditLogger interface — there’s no built-in webhook today.