Events Log Track

A comprehensive event logging module that tracks Create, Update, and Delete (CUD) operations performed by users across various Drupal entity types including nodes, users, taxonomy, media, and more.

events_log_track

4,032 sites

drupal.org

gui api

logging audit security monitoring events tracking compliance user activity content tracking entity hooks

Overview

Events Log Track is a powerful auditing and logging module for Drupal that records user actions and system events to a database table. It captures detailed information about who performed what action, when, from which IP address, and on which content.

The module provides a flexible architecture with a base module and multiple submodules, allowing site administrators to selectively enable tracking for specific entity types or operations. Events are stored in the database and can be viewed through a Views-based interface at /admin/reports/events-track with filtering and sorting capabilities.

For enterprise environments and containerized deployments, the module integrates with syslog and stdout for external log aggregation. It also supports automatic cleanup of old log entries via cron, preventing database bloat on high-traffic sites.

The module is easily extensible through a hook-based API, allowing developers to add custom event tracking for any form submission or entity operation.

Features

Tracks user authentication events including login, logout, password reset requests, and failed login attempts
Logs Create, Update, Delete operations on nodes, users, taxonomy terms, media, files, comments, and menu items
Records configuration changes with before/after comparison in YAML format
Tracks workflow state transitions on nodes and groups with Content Moderation
Logs cache clear operations with user attribution
Provides a comprehensive Views-based log viewer with exposed filters for type, operation, user, IP address, description, and date range
Integrates with syslog for external log aggregation using customizable token-based message formats
Supports stdout/stderr output for Docker and containerized environments via the log_stdout module
Automatic cleanup of old log entries via cron with configurable retention period
Token system for event log data enabling flexible log message formatting
CLI operation logging can be enabled/disabled separately
Session counting for authentication events to track concurrent logins
Group module integration for tracking group and group membership operations
Extensible hook-based API for adding custom event handlers

Use Cases

Security Auditing and Compliance

Use Events Log Track to maintain an audit trail of all user actions for security compliance requirements such as SOC 2, HIPAA, or GDPR. Track who accessed what content, when accounts were modified, and identify suspicious activity like failed login attempts from specific IP addresses.

Content Change Tracking

Monitor all content changes on your site by enabling the node, taxonomy, and media submodules. View a complete history of who created, edited, or deleted content, making it easy to identify unauthorized changes or track editorial workflows.

User Activity Monitoring

Track user account management activities including account creation, role assignments, password resets, and login/logout events. Identify accounts with multiple concurrent sessions or unusual login patterns.

Configuration Change Auditing

Enable the config submodule to track all configuration changes with detailed before/after comparisons. Essential for debugging issues after deployments or identifying unauthorized configuration changes.

Docker/Kubernetes Log Aggregation

For containerized deployments, use the stdout submodule to output event logs to stdout/stderr. This integrates with container orchestration logging systems like ELK stack, Splunk, or CloudWatch for centralized log management.

Cache Clear Tracking

Monitor cache clearing operations to identify if performance issues are related to excessive cache clears and determine which users are clearing caches.

Tips

Enable only the submodules you need to minimize database writes and performance overhead
For high-traffic sites, consider using syslog or stdout integration and disabling database logging to prevent database bloat
Set up automatic log cleanup via the settings page to maintain reasonable database size
Use the CLI logging option carefully as it can generate many log entries during migrations or imports
The Views-based log viewer supports all standard Views features including exports, so you can export logs to CSV
Create custom Views to display specific event types or user activity summaries
For security-sensitive sites, consider setting a longer timespan limit to maintain audit history for compliance purposes

Related Projects

Token

Provides token integration for customizing syslog and stdout message formats with event log data tokens.

Syslog Core

Enables integration with system syslog for external log aggregation via the event_log_track_syslog submodule.

log_stdout

Enables stdout/stderr output for containerized environments via the event_log_track_stdout submodule.

Group

Enables tracking of Group entity operations and group membership changes via dedicated submodules.

TFA

Enables tracking of Two-Factor Authentication logins via the event_log_track_tfa submodule.

Views Core

The module provides a Views base table allowing custom Views to be created from event log data.

Technical Details

Event log track /admin/config/system/events-log-track

Configure settings for the Events Log Track module including log retention, database logging, and CLI logging options.

Event Log Track /admin/reports/events-track

View and filter all tracked events. Displays a table with sortable columns for LID, Type, Operation, Name, ID, Description, User, IP, and Created date. Includes exposed filters for filtering by event type, operation, user, description, IP address, reference values, and date range.

Logging and errors (Syslog settings) /admin/config/development/logging

When the Events Log Track Syslog submodule is enabled, additional fields are added to configure the syslog message format using tokens.

Access event log track

Allows a user to access the logged events at /admin/reports/events-track. Users with this permission can view all tracked events in the system.

hook_event_log_track_handlers

Registers event handlers that define which form submissions or entity operations should be tracked. Each handler specifies the event type, form IDs to watch, callbacks, and available operations.

hook_event_log_track_handlers_alter

Allows modules to alter the registered event handlers.

hook_event_log_track_alter

Allows modules to alter log entry data before it is saved to the database or sent to syslog.

Event logs may contain sensitive information about user activities and should be access-restricted appropriately
The 'access event log track' permission should only be granted to trusted administrators
IP addresses are logged and may be subject to privacy regulations in some jurisdictions
Consider your data retention requirements when configuring the timespan limit for automatic deletion
Syslog messages may contain user information - ensure your syslog destination is appropriately secured