Compliance Audit Log turns your WHMCS install into a regulator-ready system of record. It silently captures every meaningful admin and client action across eight categories — authentication, clients, financial events, tickets, services, domains, configuration changes, and module activity — and stores them with full actor, target, IP, severity, and field-level before/after metadata.

Why Compliance Audit Log

WHMCS already has a basic activity log, but it is fragmented across screens, hard to filter, easy to wipe, and missing critical fields like change diffs and severity. When a regulator, auditor, or paying customer asks "who changed this and when?", you need a single, tamper-resistant source of truth — not a dozen scattered logs. Compliance Audit Log gives you that source of truth, with HMAC-SHA256 chain integrity, NIS2 reports, SIEM export, and configurable alert rules built in.

Eight Event Categories Captured Automatically

Every admin action and meaningful client action is recorded the moment it happens, no manual configuration required:

• Authentication — admin login, logout, failed login, password reset
• Clients — create, edit (with field diff), status change, contact updates
• Financial — invoice paid, refund, credit added, transaction created
• Tickets — open, reply, close, status change, department transfer
• Services — provision, suspend, unsuspend, terminate, upgrade, downgrade
• Domains — register, renew, transfer, modify nameservers
• Configuration — admin role changes, gateway updates, system settings edits
• Modules — addon module activation, deactivation, configuration changes

Rich Metadata on Every Entry

Each record carries the full context an auditor needs:

• Actor — admin username and ID (or "client" with client ID, or "system" for cron jobs)
• Target — primary object the action affected (client ID, invoice number, ticket ID, etc.)
• IP address — accurate even behind Cloudflare or load balancers (see Trusted-Proxy CIDR below)
• Severity — info, notice, warning, critical
• Timestamp — UTC plus admin-timezone display
• Before / after diff — for client edits, ticket status changes, and configuration changes, every modified field is captured with its previous and new value

Real-Time Dashboard

Open the addon and you immediately see Total Events, Critical Events, and Today's Events counters, plus the latest entries in a sortable table. The dashboard supports multi-filter search: category dropdown, severity dropdown, free-text search across actor / target / changes, and date range picker. Click any row to open a detail drawer showing the full change list and metadata.

Pro Tier: HMAC Hash Chain (Tamper-Proof Integrity)

Every Pro-tier entry is signed with HMAC-SHA256 and linked to the previous entry's hash, forming a cryptographic chain. If anyone modifies or deletes a single record — even with database access — the chain breaks. One click on "Verify Chain Integrity" in admin tells you exactly which entry was tampered with and when. This is the difference between "we log things" and "we can prove what happened" when a regulator asks.

Pro Tier: NIS2 Compliance Reports

One click generates a printable HTML report mapped to NIS2 Article 21 controls (logging, integrity, incident handling, access control, retention). Drop it straight into your annual compliance package. The report header can be customized with your organization name.

Pro Tier: SIEM-Ready JSON Export & Alert Rules

Export all entries (or filtered subsets) as JSON ready for Splunk, ELK, Datadog, or any SIEM pipeline. Build alert rules with severity threshold, time window, and action-pattern wildcards (for example, trigger when three or more critical client events occur within ten minutes). Alerts are delivered by email through WHMCS PHPMailer (SMTP-aware, with mail() fallback).

Pro Tier: Retention Policy & Trusted-Proxy CIDR

Configure retention from 30 to 3650 days; a daily cron prunes older entries automatically. Add your Cloudflare or load balancer CIDR ranges to the Trusted-Proxy list and the IP column will resolve the real client IP rather than the proxy's address.

Free vs Pro at a Glance

Free

• Auto event capture across 8 categories
• Actor / target / IP / severity metadata on every entry
• Field-level before/after change tracking
• Real-time dashboard with counters
• Searchable audit log with multi-filter
• Detail drawer
• CSV export (UTF-8 BOM, Excel-compatible)
• 30-day auto-retention
• Two-step purge & uninstall (Danger Zone)
• CSRF-protected admin actions
• Multi-language (EN / ZH-CN / ZH-TW)

Pro (79 USD/year or 279 USD buyout)

• Everything in Free
• HMAC-SHA256 hash chain (tamper-proof)
• One-click chain integrity verification
• JSON / SIEM export (Splunk / ELK ready)
• NIS2 Article 21 compliance report
• Alert rules (severity threshold + time window + action wildcards)
• Email alert delivery via WHMCS PHPMailer
• Configurable retention policy (30–3650 days)
• Custom organization name on compliance reports
• Trusted-proxy CIDR list

Requirements

• WHMCS 8.6 or newer
• PHP 7.1 or newer
• OpenSSL extension (for HMAC chain)
• cURL extension (for email alert delivery)
• ionCube Loader

Languages

Admin UI ships in English, Simplified Chinese, and Traditional Chinese. Severity and category labels are fully translated; event payload field names remain in their original WHMCS naming for SIEM correlation.

Support

Pre-sales questions and technical support reach us through our contact page (form, email, and Telegram, no login or account required). Every purchase is covered by a 7-day money-back guarantee.