Event Logging and Telemetry

Relevant source files

• frontend/src/App.jsx
• frontend/src/AuthContext.jsx
• frontend/src/components/SettingsSidebar/index.jsx
• frontend/src/models/system.js
• frontend/src/utils/paths.js
• server/endpoints/admin.js
• server/endpoints/api/admin/index.js
• server/endpoints/system.js

Purpose and Scope: This document describes the event logging and telemetry systems in AnythingLLM. Event logging provides an audit trail of administrative actions and security events, while telemetry collects optional usage statistics. For authentication-specific details, see Authentication System. For multi-user management actions that generate events, see Multi-User Management.

---

Overview

AnythingLLM implements two separate tracking systems:

1. Event Logging - A persistent, queryable audit trail of system events stored in the database. Used for security monitoring, compliance, and troubleshooting.
2. Telemetry - Optional anonymous usage statistics sent to external services for product analytics.

Event logs are always enabled and stored locally, while telemetry is opt-in and sends data externally.

---

Event Logging Architecture

System Flow

Sources: server/endpoints/system.js1-1400 frontend/src/models/system.js629-651

EventLogs Model

The EventLogs model provides the primary interface for logging events. It is imported from server/models/eventLogs and used throughout the backend.

Core Methods:

Method	Signature	Purpose
logEvent	(eventType, metadata, userId?)	Records a new event with optional metadata and user context
whereWithData	({}, limit, offset, orderBy)	Queries event logs with pagination and sorting
count	()	Returns total count of event logs
delete	({})	Clears all event logs (admin only)

Sources: server/endpoints/system.js44 server/endpoints/admin.js3

---

Event Types and Logging Points

Authentication Events

Authentication Event Logging:

• failed_login_invalid_username - Logged when username doesn't exist. Metadata includes ip and attempted username.

  • server/endpoints/system.js203-210

• failed_login_invalid_password - Logged when password doesn't match. Metadata includes ip and username.

  • server/endpoints/system.js220-228

• failed_login_account_suspended - Logged when user account is suspended. Metadata includes ip and username.

  • server/endpoints/system.js239-246

• login_event - Logged on successful authentication. Metadata includes ip and username. Also logged for multi-user mode status.

  • server/endpoints/system.js262-269 (multi-user)
  • server/endpoints/system.js317-320 (single-user)

• failed_login_invalid_temporary_auth_token - Logged when SSO temporary token validation fails.

  • server/endpoints/system.js345-348

Sources: server/endpoints/system.js183-377

User Management Events

User Management Event Details:

• user_created - Logged when a new user is created. Metadata: userName, createdBy (admin username).

  • server/endpoints/admin.js67-74

• user_deleted - Logged when a user is deleted. Metadata: userName, deletedBy (admin username).

  • server/endpoints/admin.js142-149

• invite_created - Logged when an invite code is generated. Metadata: inviteCode, createdBy.

  • server/endpoints/admin.js188-195

• invite_deleted - Logged when an invite is deactivated. Metadata: deletedBy.

  • server/endpoints/admin.js211-215

Sources: server/endpoints/admin.js49-221

API Key Events

API key creation and deletion generate audit events:

• api_key_created - Logged when a new API key is generated. Metadata: createdBy (username, if available).

  • server/endpoints/system.js1039-1043 (single-user mode)
  • server/endpoints/admin.js460-464 (multi-user mode)

• api_key_deleted - Logged when an API key is deleted. Metadata: deletedBy (username).

  • server/endpoints/system.js1071-1075
  • server/endpoints/admin.js485-489

• api_user_deleted - Logged when a user is deleted via API. Metadata: userName.

  • server/endpoints/api/admin/index.js259-261

Sources: server/endpoints/system.js1029-1082 server/endpoints/admin.js453-495 server/endpoints/api/admin/index.js215-267

System Configuration Events

• multi_user_mode_enabled - Logged when multi-user mode is activated. No specific metadata beyond the enabling user.

  • server/endpoints/system.js633

• event_logs_cleared - Logged when an administrator clears the event log history. Creates a meta-log entry.

  • server/endpoints/system.js1132-1136

Sources: server/endpoints/system.js591-644 server/endpoints/system.js1126-1143

---

Event Log Data Structure

Each event log entry contains:

Field	Type	Description
id	Integer	Auto-incrementing primary key
eventType	String	Event type identifier (e.g., "login_event")
metadata	JSON	Arbitrary JSON object with event-specific data
userId	Integer (nullable)	Associated user ID, if applicable
createdAt	Timestamp	When the event was recorded

The metadata field is flexible and varies by event type. Common fields include:

• ip - IP address (for authentication events)
• username - Username involved in the event
• createdBy / deletedBy - Admin who performed the action

Sources: server/endpoints/system.js203-320

---

Querying Event Logs

Backend Querying

The EventLogs.whereWithData() method supports paginated queries:

Parameters:

• filters - Object with filtering criteria (typically empty {} for all logs)
• limit - Number of records per page (default: 10)
• offset - Starting position (page * limit)
• orderBy - Sort order object (e.g., { id: "desc" } for newest first)

Sources: server/endpoints/system.js1106-1123

Frontend API

The frontend System model provides methods to interact with event logs:

API Endpoints:

• POST /system/event-logs - Fetch paginated event logs
• DELETE /system/event-logs - Clear all event logs

Sources: frontend/src/models/system.js629-651

---

Telemetry System

Telemetry vs. Event Logs

Key Differences:

Aspect	Event Logs	Telemetry
Status	Always enabled	Optional (opt-in)
Storage	Local database	External service
Purpose	Audit trail, security	Product analytics
Data Retention	Permanent (until cleared)	N/A (sent externally)
Visibility	Admin UI accessible	Not accessible to users
Privacy	Contains identifying info	Anonymous

Sources: server/endpoints/system.js256-260 server/endpoints/system.js316

Telemetry Implementation

The Telemetry model is imported from server/models/telemetry and provides a single method:

Telemetry Events Sent:

1. login_event - Sent on successful login (both single and multi-user modes)

   • Metadata: { multiUserMode: boolean }
   • server/endpoints/system.js256-260
   • server/endpoints/system.js316
   • server/endpoints/system.js356-360

2. enabled_multi_user_mode - Sent when multi-user mode is first enabled

   • Metadata: { multiUserMode: true }
   • server/endpoints/system.js630-632

Telemetry is intentionally limited to high-level feature usage tracking and does not include sensitive data like usernames, passwords, IP addresses, or document content.

Sources: server/endpoints/system.js183-644

---

Event Log UI

Settings Page

Event logs are accessible from the admin settings interface:

Navigation Path: Settings → Tools → Event Logs

Route: /settings/event-logs (defined as paths.settings.logs())

Access Control: Admin role only (ROLES.admin)

Sources: frontend/src/components/SettingsSidebar/index.jsx366-369 frontend/src/utils/paths.js152-154

UI Features

The event log viewer displays:

• Event Type - The event identifier
• Metadata - JSON object with event-specific data
• User - Associated user (if applicable)
• Timestamp - When the event occurred

Pagination is controlled by offset, with 10 events per page by default.

Sources: server/endpoints/system.js1106-1123 frontend/src/models/system.js629-651

Clearing Event Logs

When an administrator clears event logs:

1. DELETE /system/event-logs endpoint is called
2. EventLogs.delete() removes all existing logs
3. A new event_logs_cleared event is logged (meta-event)
4. Returns { success: true } on completion

This creates a permanent record that logs were cleared, preventing tampering without evidence.

Sources: server/endpoints/system.js1126-1143 frontend/src/models/system.js641-651

---

API Integration

Developer API Endpoints

Event logs are also accessible via the API:

POST /v1/admin/workspace-chats - While named for workspace chats, this endpoint demonstrates the pagination pattern used for event logs.

Parameters:

Response:

Event logs follow the same pattern with logs, hasPages, and totalLogs fields.

Sources: server/endpoints/api/admin/index.js662-716 server/endpoints/system.js1106-1123

---

Security Considerations

Event Log Integrity

Event logs are designed to provide tamper-evident audit trails:

1. Immutable Records - Individual logs cannot be modified, only deleted in bulk
2. Clearing is Logged - The event_logs_cleared event ensures deletion is recorded
3. User Attribution - Most events include the acting user's ID or username
4. IP Tracking - Authentication events capture IP addresses

Access Control

Event log access is strictly controlled:

• Viewing Logs - Admin role only (flexUserRoleValid([ROLES.admin]))
• Clearing Logs - Admin role only
• Frontend Access - Requires valid JWT token with admin role

Sources: server/endpoints/system.js1108 server/endpoints/system.js1128 frontend/src/components/SettingsSidebar/index.jsx366-369

Privacy and Compliance

Event logs may contain personally identifiable information (PII):

• Usernames
• IP addresses
• User IDs

Administrators should:

• Implement log retention policies
• Consider GDPR/privacy requirements when storing logs
• Regularly review and clear old logs if necessary

Sources: server/endpoints/system.js203-320

---

Event Logging Best Practices

When to Log Events

Events should be logged for:

1. Authentication actions - Login attempts, password changes
2. User management - User creation, deletion, role changes
3. Security events - Suspended account access attempts, API key operations
4. Configuration changes - System settings updates (though not all are currently logged)
5. Privilege escalation - Actions requiring admin rights

Metadata Guidelines

Effective event metadata includes:

• Actor identification - createdBy, deletedBy, username
• Context - ip, workspaceId, documentId
• Outcome - success, error (for auditing failed operations)
• Specifics - Entity IDs, names, or other relevant identifiers

Avoid logging:

• Passwords or password hashes
• API keys or tokens
• Sensitive document content
• Personally identifiable information beyond what's necessary

Sources: server/endpoints/system.js203-320 server/endpoints/admin.js67-215

---

Summary

Feature	Implementation	Purpose
Event Logs	EventLogs model, event_logs table	Audit trail and security monitoring
Telemetry	Telemetry model, external service	Anonymous usage analytics
Event Types	15+ predefined events	Authentication, user management, API operations
Frontend UI	/settings/event-logs	Admin interface for viewing/clearing logs
API Access	POST/DELETE /system/event-logs	Programmatic log access
Access Control	Admin role required	Prevents unauthorized log access

Event logging provides comprehensive audit capabilities for AnythingLLM instances, while telemetry offers opt-in product analytics without compromising privacy.

Sources: server/endpoints/system.js1-1400 server/endpoints/admin.js1-500 frontend/src/models/system.js629-651 frontend/src/components/SettingsSidebar/index.jsx366-369