Activity Log Tab
The Activity Log tab provides a complete, chronological audit trail of all actions taken on a user's account. Think of it as the security camera footage for this user profile - every change, update, login, and modification recorded with timestamps and administrator details.
This tab is essential for accountability, compliance, investigations, security audits, and answering questions about when and how changes occurred.
To view the Activity Log tab, you need both the View Users permission AND the View Activity Log permission assigned to your role. If you lack View Activity Log permission, this tab won't be visible.
Understanding Activity Log
Think of the activity log as a complete change history - an uneditable, permanent record of everything that happened to this user account from creation to present.
What the activity log shows:
- User account creation
- Profile information changes (name, grade, email, etc.)
- Login activity (successful logins, failed attempts)
- Device checkouts and check-ins
- Incident creation and updates
- Invoice creation and payment records
- Status changes (active to inactive, etc.)
- Who made each change (administrator name)
- When changes occurred (date and timestamp)
- Where changes came from (IP address)
What the activity log doesn't show:
- Detailed content of changes (e.g., what the name changed FROM and TO - just that name was changed)
- Activity on devices themselves (see device Activity Log)
- System-wide events not specific to this user
Why the activity log is important:
- Accountability - Know who made what changes when
- Security - Detect unauthorized access or suspicious activity
- Compliance - Meet audit and regulatory requirements
- Investigation - Research timeline of events for disputes
- Troubleshooting - Understand what changed before an issue appeared
- Verification - Confirm actions were completed
What You'll See on the Tab
The Activity Log tab displays a chronological list of all recorded events for this user:
Activity Log Entry Fields
Each log entry contains:
| Field | What It Shows |
|---|---|
| Date/Time | When the action occurred (precise timestamp) |
| Event Type | Category of action (Login, Profile Updated, Checkout, etc.) |
| Description | What happened (e.g., "User grade changed") |
| Performed By | Administrator who performed the action, or "System" for automated actions |
| IP Address | Network location where action originated (if applicable) |
| Details | Additional context (may include before/after values) |
Example entries:
Date/Time: 11/20/2024 2:35 PM
Event Type: Profile Updated
Description: User grade changed
Performed By: Jane Doe
IP Address: 192.168.1.45
Details: Grade changed from "9" to "10"
Date/Time: 11/20/2024 10:15 AM
Event Type: Login
Description: Successful login to student portal
Performed By: User (self)
IP Address: 10.50.200.15
Details: Login successful
Date/Time: 11/19/2024 3:20 PM
Event Type: Device Checkout
Description: Chromebook checked out
Performed By: John Smith
IP Address: 192.168.1.50
Details: Device Serial #ABC123, Asset Tag CR-7890
Types of Activity Logged
The activity log captures many different event types:
User Account Actions
Account creation:
- User account created (manual or import)
- Created by which administrator
- Initial account settings
Profile modifications:
- Name changed
- Email updated
- Username modified
- Building/grade changed
- Status changed (active/inactive)
- Password reset
- Custom field updates
Login Activity
Successful logins:
- When user logged into student/staff portal
- IP address of login
- Device/browser used (if tracked)
Failed login attempts:
- Failed password attempts
- Account lockouts
- Suspicious login activity
Device-Related Actions
Checkouts:
- Device checked out to user
- Who performed checkout
- Device details (serial, asset tag)
- Loaner status
Check-ins:
- Device returned/checked in
- Who performed check-in
- Return condition notes (if applicable)
Incident Actions
Incident creation:
- Incident created
- Type of incident (damage, loss, etc.)
- Who created it
Incident updates:
- Status changes
- Cost assessment added
- Resolution documented
Billing Actions
Invoice creation:
- Invoice created
- Amount and line items
- Associated incident (if applicable)
Payment recording:
- Payment applied
- Amount paid
- Payment method
- Who recorded payment
Administrative Actions
Permission changes:
- User role modified
- Access level changed
Compliance updates:
- AUP signed
- Fee paid status updated
- Insurance enrollment
Bulk operations:
- User updated via CSV import
- Automated SIS sync update
Filtering and Searching Activity
Most activity log implementations provide filtering to help find specific events:
Filter by Event Type
Common filters:
- Show only Login events
- Show only Profile Updates
- Show only Device Checkouts
- Show only Billing activity
Use case: "Show me all times this user's profile was modified"
Filter by Date Range
Common ranges:
- Last 7 days
- Last 30 days
- Last 90 days
- Custom date range
- Specific date
Use case: "Show me all activity during September 2024"
Filter by Administrator
Filter options:
- Show actions by specific administrator
- Show system-generated events only
- Show user self-service actions only
Use case: "Show me what changes Admin Smith made to this user"
Search by Keyword
Search for:
- Specific terms in descriptions
- IP addresses
- Device serial numbers
- Incident numbers
- Invoice numbers
Use case: "Find when device serial ABC123 was checked out"
Common Use Cases
Scenario 1: Investigating Unauthorized Profile Change
Principal reports a student's grade was incorrectly changed:
- Open student's user profile
- Click Activity Log tab
- Filter by "Profile Updated" event type
- Review recent profile modifications:
- 11/15/2024 2:30 PM: User grade changed from "10" to "11"
- Performed By: Secretary Smith
- IP Address: 192.168.1.45
- Contact Secretary Smith
- Determine: Accidental click while editing different student
- Correct grade back to "10"
- New activity log entry documents the correction
Result: Identified who made change, when, and how to prevent recurrence.
Scenario 2: Security Audit - Failed Login Attempts
District security officer notices multiple failed login attempts:
- Open student's user profile
- Click Activity Log tab
- Filter by "Login" event type
- Review login history:
- 11/18 8:00 AM: Failed login attempt, IP: 203.45.67.89 (external)
- 11/18 8:05 AM: Failed login attempt, IP: 203.45.67.89 (external)
- 11/18 8:10 AM: Failed login attempt, IP: 203.45.67.89 (external)
- 11/18 8:15 AM: Account locked due to repeated failures
- Note: IP address is external, not district network
- Decision: Possible credential compromise attempt
- Actions: Reset password, notify user and parent, document security incident
Result: Security threat identified and mitigated using activity log.
Scenario 3: Verifying Checkout for Accountability
Parent disputes that student checked out device on specific date:
- Open student's user profile
- Click Activity Log tab
- Filter by "Device Checkout" event type
- Find relevant checkout:
- Date: 08/15/2024 9:45 AM
- Event: Device checked out
- Device: Chromebook Serial #ABC123
- Performed By: Mrs. Johnson (school secretary)
- IP Address: 192.168.1.50 (office computer)
- Cross-reference with Checkout History tab for additional details
- Tell parent: "Records show the Chromebook was checked out on August 15th at 9:45 AM by our office secretary, Mrs. Johnson."
Result: Definitive record settles dispute about checkout date.
Scenario 4: Compliance Audit - AUP Signature Verification
Auditor asks for proof of when AUP was signed:
- Open student's user profile
- Click Activity Log tab
- Filter by "Compliance" or "Profile Updated" event type
- Find AUP signature event:
- Date: 08/01/2024 3:15 PM
- Event: AUP signed
- Performed By: Parent (self-service portal)
- IP Address: 24.56.78.90 (parent's home)
- Document for audit: AUP digitally signed on 08/01/2024 via parent portal
- Export activity log entry as proof
Result: Compliance requirement documented and verified.
Scenario 5: Troubleshooting Profile Issue
User reports they can no longer log in, but swears they didn't change anything:
- Open user's profile
- Click Activity Log tab
- Review recent activity:
- 11/10/2024 2:00 PM: Username changed from "jsmith" to "johnsmith"
- Performed By: IT Admin Jones
- 11/10/2024 2:01 PM: Email address updated
- Performed By: IT Admin Jones
- Contact IT Admin Jones
- Determine: Part of district-wide username standardization project
- Inform user: "Your username was changed to 'johnsmith' as part of our new naming convention. Use that to log in now."
Result: Issue identified through activity log, user informed of change.
Activity Log Security and Integrity
Read-Only Audit Trail
Key characteristics:
- Activity log entries cannot be edited
- Activity log entries cannot be deleted (except by database admins in rare cases)
- Entries are automatically generated by system
- Timestamps are server-based (not user-device time, preventing tampering)
Why this matters:
- Provides tamper-proof audit trail
- Ensures trustworthy records for investigations
- Meets compliance requirements for unalterable logs
What Creates Activity Log Entries
Automatic triggers:
- Any profile field change
- Device checkout/check-in
- Login attempts
- Incident/invoice creation
- Status changes
- Permission modifications
Manual actions:
- Administrator edits user
- Administrator performs checkout
- User self-service portal actions
- Bulk import updates
System actions:
- Automated SIS sync
- Scheduled processes
- Account lockouts
- Password expiration
IP Address Tracking
Why IP addresses are logged:
- Identify where action originated
- Detect unusual access patterns
- Support security investigations
- Verify actions came from authorized locations
Example use:
- Normal: Actions from 192.168.1.x (district network)
- Suspicious: Actions from international IP addresses
- Investigation: Cross-reference IP with known admin workstations
Tips for Using Activity Log
✅ Do:
- Review activity log when investigating issues or disputes
- Filter by date range to focus on relevant time periods
- Use event type filters to narrow down specific actions
- Export activity logs for compliance documentation
- Check login activity for security concerns
- Reference activity log when parents question changes
- Document investigation findings based on activity log
❌ Don't:
- Assume activity log shows every single detail (it logs actions, not always full before/after data)
- Try to edit or delete log entries (not possible, by design)
- Overlook failed login attempts (may indicate security issues)
- Ignore unusual IP addresses (investigate external access)
- Share activity log data inappropriately (contains timestamps and administrator names)
- Rely on memory when activity log can provide facts
Common Questions
Q: Can activity log entries be edited or deleted? No. The activity log is designed to be a tamper-proof audit trail. Entries cannot be modified or removed through the normal interface. Only database administrators with direct database access could potentially remove entries, and doing so would typically be against policy.
Q: How long is activity log data retained? Retention depends on district policy and system configuration. Typically, activity logs are kept indefinitely or for several years to meet compliance and audit requirements. Check with your system administrator for specific retention policies.
Q: Why don't I see the Activity Log tab? You're missing the View Activity Log permission. This permission is often restricted to senior administrators, compliance officers, or security staff. Contact your system administrator if you need this access.
Q: What does "Performed By: System" mean? Actions performed automatically by the system rather than a human administrator. Examples include automated SIS sync updates, scheduled processes, or system-triggered events like account lockouts after failed logins.
Q: Can I see what a field changed FROM and TO? This depends on the system configuration. Some activity log implementations show "Field changed from X to Y" while others simply log "Field changed." Check the Details column for before/after values if your system tracks them.
Q: Why are there login entries when the user says they didn't log in? Possibilities:
- User forgot they logged in
- Someone else logged in using user's credentials
- Automatic login from single sign-on (SSO)
- System health check or automated process
Investigate if pattern is suspicious, especially from external IP addresses.
Q: What if the IP address shows as 127.0.0.1 or another internal address?
- 127.0.0.1 = localhost (action performed directly on server)
- 192.168.x.x = internal network (district network)
- 10.x.x.x = internal network
- Other addresses = external or specific network segments
Internal addresses are typically normal. External addresses may warrant investigation depending on context.
Q: Can I export the activity log? Export capabilities depend on system configuration. Typically yes - you can export to CSV or PDF for documentation, compliance, or audit purposes.
Q: Does the activity log show every time someone views the user profile? Usually no. Activity logs typically track changes and actions, not simple view/read operations. Viewing a profile generally doesn't create a log entry unless your system is configured to track all access.
Q: What's the difference between the user Activity Log and device Activity Log?
- User Activity Log - Events related to the user's account (profile changes, logins, checkouts TO this user)
- Device Activity Log - Events related to a specific device (checkouts OF the device, repairs, status changes)
They're complementary - user log shows "what happened to this person," device log shows "what happened to this thing."
Q: Why would there be activity from an administrator who no longer works here? Historical entries preserve the name of the administrator who was active at the time. If Admin Smith edited a user in 2022 and left in 2023, entries from 2022 still show "Admin Smith" for historical accuracy.
Q: Can I filter to show only changes I made? Yes, use the "Performed By" filter and select your own administrator account. This shows all actions you've taken on this user profile.
Q: What if I need to prove when something DIDN'T happen? Activity logs prove what DID happen (positive evidence). Absence of a log entry suggests something didn't happen, but isn't absolute proof (actions might not have been logged, or logs might not capture every possible event type). Document your review: "Activity log reviewed 11/1/2023 to 11/30/2023, no password reset events found."
The Activity Log tab provides a complete, tamper-proof audit trail of all actions taken on a user's account. This permanent record supports accountability, security, compliance, investigations, and troubleshooting while maintaining the integrity required for legal and regulatory purposes.