Domain Security Info
Auditing
Updated May 1, 2026, 8:26 AM
Every action in the admin interface is recorded in the audit log. The log keeps a complete history of who changed what and when. You can use it for security reviews, troubleshooting, and compliance.
What the audit log records#
The audit system tracks three kinds of activity:
- Data changes โ Every time someone creates, edits, or deletes a brand, tag, domain, prefix, or other record.
- User sessions โ When administrators log in, what they do, and when they log out.
- Page views โ Which admin pages were accessed and by whom.
What each log entry contains#
Action details#
| Field | What it records |
|---|---|
| Timestamp | The exact date and time of the action. |
| User email | The email address of the administrator who did it. |
| Action type | What was done: create, read, update, delete, login, logout, export, or import. |
| Entity type | What kind of data was affected: brand, tag, domain, prefix, user, or system. |
| Entity ID | The specific item that was changed. |
| Entity name | A readable name for the item (for example, the brand name or domain). |
| Changes | The previous and new values for each field that changed, stored as JSON. |
| Request method and path | The HTTP method and URL path of the request. |
| Response status | The HTTP status code that was returned. |
| Response time | How long the request took, in milliseconds. |
Security metadata#
Each log entry also captures network and security data from Cloudflare:
| Field | What it records |
|---|---|
| IP address | Where the request came from. |
| User agent | The browser or client that made the request. |
| Country, region, city | The approximate location of the request. |
| Cloudflare Ray ID | A unique identifier for the request, useful for debugging. |
| Bot score | Cloudflare's estimate of whether the request came from a bot (0โ100). Lower scores look more like bots. |
| Threat score | Cloudflare's assessment of how risky the request is. |
| ASN and ASN organization | Which network the request came from. |
| WARP status | Whether the request came through Cloudflare WARP. |
| Device ID | A fingerprint that identifies the device. |
| Authentication method | How the administrator logged in (SAML, OIDC, or service token). |
Risk scoring#
The system automatically calculates a risk score (0โ100) for each action based on patterns in the request. It also applies flags for unusual activity:
| Flag | What it means |
|---|---|
| unusual_ip | The action came from an IP address that this user has not used before. |
| multiple_failed_logins | Several failed login attempts happened before this session. |
| bulk_delete | A large number of items were deleted in a short time. |
| off_hours_activity | The action happened outside normal working hours. |
| rapid_changes | Many changes were made in quick succession. |
Actions with high risk scores are flagged for review. The score combines the flags above with other context, such as the user's bot score and threat score.
User session tracking#
Each time an administrator accesses the admin interface, the system records a session:
| Field | What it records |
|---|---|
| Session ID | A unique identifier for this session. |
| Start time | When the session began. |
| Last activity | When the administrator last did something. |
| End time | When the session ended. |
| Actions count | How many actions the administrator took during the session. |
How to view the audit log#
- Go to Audit Logs under System in the navigation.
- Use the filters to narrow the results:By user โ Show actions from a specific administrator.By action type โ Show only creates, updates, or deletes.By entity type โ Show only changes to a specific data type (such as brands or tags).By date range โ Show actions within a specific time period.
- Click any entry to see its full details, including the before-and-after values.
Understanding change records#
When someone edits a record, the audit log stores both the old and new values. This lets you see exactly what changed.
Example:
{
"field": "color",
"old_value": "#4285F4",
"new_value": "#1A73E8"
}This tells you that someone changed a brand's color from #4285F4 to #1A73E8.
How to use the audit log#
- Security reviews โ Check that only authorized people are making changes, and that no unexpected edits have happened.
- Troubleshooting โ If a domain lookup shows the wrong badge or label, check the audit log to see if someone recently changed a tag or brand.
- Compliance โ Keep a record of all changes for regulatory requirements or internal governance.
- Accountability โ Every change has a person, a timestamp, and a full record of what was different before and after.
Data retention#
Audit logs are kept according to the system's retention policy. Older logs may be archived or removed based on storage limits and compliance requirements.