Skip to content

Audit log

What it's for

Admin → Audit Log answers "who did what, when": admin actions like activating a client, killing a tunnel, changing a policy, or rotating the API key are recorded with the acting user and timestamp.

How to use it

Browse or filter the list when reconstructing an incident ("who disconnected this machine on Tuesday?") or reviewing changes. Each entry names the actor, the action, the affected object, and the time.

One kind of entry has no human actor: "Auto-detected disconnect" Pro means the VPN server noticed a device had silently dropped off (crash, network loss) and the backend marked it disconnected. It's logged precisely because nobody clicked anything — otherwise the state change would be invisible.

Pitfalls

  • The audit log records actions, not presence. "When did this device go online/offline?" is answered by the client's History tab, not here — except for the auto-detected disconnects above.
  • Auto-detected disconnects are normal in moderation. Laptops get closed mid-session. A burst of them across many devices at once, though, usually means a network problem on the VPN server side.