mage-os / module-admin-activity-log
mage-os/module-admin-activity-log
The Admin Activity extension makes it easy to track all admin activity with comprehensive audit logging.
Mage-OS Admin Activity Log
A comprehensive admin activity logging extension for Mage-OS and Magento 2 that provides complete audit trails for
administrative actions, login attempts, and page visits.
Huge thanks to KiwiCommerce for publishing this extension, and for their support and contributions. This extension is a
fork of the original Magento Admin Activity Log by KiwiCommerce.
✨ Key Features
- Admin Action Logging: Track all admin activities including add, edit, delete, print, view, and mass update operations
- Login Monitoring: Record successful and failed login attempts with detailed information
- Field-Level Changes: Track specific field modifications with before/after values
- IP Address Logging: Capture IP addresses and user agent information for security analysis
- Extensible Configuration: Customize tracked entities and skip fields via XML configuration
📋 Requirements
| Component | Version |
|---|---|
| Magento Open Source | 2.4.x |
| Mage-OS | 1.0+ |
| PHP | 8.1+ |
🚀 Installation
composer require mage-os/module-admin-activity-log
php bin/magento setup:upgrade
⚙️ Configuration
Basic Configuration
Navigate to Stores → Configuration → Advanced → Admin → Admin Activity
General Settings
- Enable Admin Activity Logs: Enable/disable the extension
- Record Login Activity: Track login and logout activities
- Record Page Visits: Monitor admin page navigation
- Clear Admin Activity Logs After: Set how many days to keep logs (default: 90 days)
📖 Usage Guide
Viewing Activity Logs
Navigate to System → Admin Activity → Admin Activity Logs
Click View on any log entry to see detailed info.
Login Activity Monitoring
Go to System → Admin Activity → Admin Login Logs
Architecture
The module is built around interface-driven services for clean extensibility:
| Interface | Description |
|---|---|
ActivityConfigInterface |
Configuration settings (enabled state, log retention) |
FieldTrackerInterface |
Tracks field-level changes with before/after values |
ModelResolverInterface |
Resolves and loads models for activity logging |
ActivityRepositoryInterface |
CRUD operations for activity log entries |
LoginRepositoryInterface |
CRUD operations for login log entries |
All interfaces are marked @api and can be customized via DI preferences.
Extensibility
Customizing Tracked Entities
The module uses adminactivity.xml to define which entities are tracked and which fields are skipped during logging.
Third-party modules can extend this configuration by creating their own etc/adminactivity.xml file.
Example configuration to add a custom entity:
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="urn:magento:module:MageOS_AdminActivityLog:etc/adminactivity.xsd">
<modules>
<module name="customer_group">
<label translate="true">Customer Group</label>
<models>
<class name="Magento\Customer\Model\Group" />
</models>
<events>
<event controller_action="customer_group_save" action_alias="save" />
<event controller_action="customer_group_delete" action_alias="delete" />
</events>
<config>
<skip_fields>
<field>customer_group_id</field>
<field>check_if_is_new</field>
</skip_fields>
<configpath constant="MODULE_CUSTOMER" />
<editurl url="{{module}}/{{controller}}/edit/id/{{id}}" />
<itemfield field="customer_group_code" />
</config>
</module>
</modules>
</config>
Skip Fields
To exclude specific fields from being logged (e.g., timestamps, internal IDs), add them to the skip_fields node for the relevant module in your adminactivity.xml.
Protected Fields
Sensitive fields (passwords, tokens, payment data) are automatically excluded from logging. To add custom protected fields:
<type name="MageOS\AdminActivityLog\Model\FieldChecker">
<arguments>
<argument name="protectedFields" xsi:type="array">
<item name="my_secret_field" xsi:type="string">my_secret_field</item>
</argument>
</arguments>
</type>
Security
- Model Allowlist: Only explicitly allowed model classes can be loaded during activity logging, preventing arbitrary class instantiation.
- Protected Fields: Sensitive data (passwords, API keys, tokens, payment info) is never logged, configured via DI.
- ACL Permissions: Control access to activity logs via permission rules.
- CSRF Protection: All admin actions are protected with form keys.
Performance Notes
- Page Visit Logging: Disabled by default. Enable only if needed, as it creates a log entry for every admin page view.
- Database Indexes: The module includes indexes on frequently queried columns for optimal filtering performance.
- Bulk Operations: Log cleanup and activity logging use bulk database operations to minimize overhead.
- Field Truncation: Large values are truncated at ~64KB to prevent database bloat.
Contributing
Issues and pull requests welcome on GitHub.
License
This module is licensed under the Open Software License 3.0.
Support
For bugs or feature requests, please open an issue in the GitHub repository.
No changelog yet
The vendor hasn't published a changelog. Tagged releases appear in the Versions tab.
| Version | Stability | QA Status | Compatibility | Released |
|---|---|---|---|---|
| 2.0.1 | stable | Fail | Magento 2.4.7-2.4.8 Details | 2026-05-19 14:30:34 |
| 2.0.0 | stable | Not tested | Not yet tested Details | 2026-04-24 03:25:22 |
| 2.0.0-rc2 | RC | Not tested | Not yet tested Details | 2026-04-19 20:16:50 |
| 2.0.0-rc1 | RC | Not tested | Not yet tested Details | 2026-04-13 04:09:01 |
| 2.0.0-beta9 | beta | Not tested | Not yet tested Details | 2026-04-09 04:13:51 |
| 2.0.0-beta8 | beta | Not tested | Not yet tested Details | 2026-03-26 01:45:48 |
| 2.0.0-beta7 | beta | Not tested | Not yet tested Details | 2026-03-10 03:00:21 |
| 2.0.0-beta6 | beta | Not tested | Not yet tested Details | 2026-01-28 04:29:11 |
| 2.0.0-beta5 | beta | Not tested | Not yet tested Details | 2026-01-20 07:09:49 |
| 2.0.0-beta4 | beta | Not tested | Not yet tested Details | 2026-01-13 14:59:01 |
| 2.0.0-beta3 | beta | Not tested | Not yet tested Details | 2026-01-07 01:27:56 |
| 2.0.0-beta2 | beta | Not tested | Not yet tested Details | 2025-12-29 15:14:34 |
| 2.0.0-beta1 | beta | Not tested | Not yet tested Details | 2025-12-29 02:49:30 |
Requires 6
| Package | Constraint |
|---|---|
| php | >=8.2 |
| magento/framework | >=100.0.0 |
| magento/module-backend | >=100.0.0 |
| magento/module-store | >=100.0.0 |
| magento/module-user | >=100.0.0 |
| magento/module-ui | >=100.0.0 |
Requires-dev 1
| Package | Constraint |
|---|---|
| phpunit/phpunit | ^9.5||^10.0 |
Replaces 1
| Package | Constraint |
|---|---|
| kiwicommerce/module-admin-activity | 1.0.8 |
Compatibility
Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.
Code Quality
Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge — a phpcs finding can't make a module incompatible.
Static analysis
Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.
| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Fail | 247 | 4 errors, 243 warnings (ruleset: Magento2) — 93 auto-fixable with phpcbf |
| PHPMD | Warning | 39 | 39 rule violations (MissingImport:15, CyclomaticComplexity:5, TooManyPublicMethods:5, TooManyMethods:3, ExcessiveClassComplexity:3) |
| Cpd | Warning | 1 | 1 duplicated chunk spanning 32 total lines (min-lines=5, min-tokens=70) |
| Composer validate | Info | 5 | valid; 5 advisory notes (composer validate --strict) |
PHPStan
Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases. Cell → details modal.
Tests
Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.
Unit tests
Integration tests
| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | ||
| 2.4.8 | N/A | N/A | ||
| 2.4.9 | N/A | N/A |
Security
Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.
More from mage-os
View vendorGCP event sinks for mage-os/mageos-async-events
Combine the power of LLM and domain knowledge to improve admin experience though a chatbot UI.
Turn an existing module into recurring revenue.
If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.