Admin Activity Log – Audit Log, Diff & GDPR Export

Über die Erweiterung

Who changed what in the backend – and when?

Kommora Admin Activity Log answers this question completely – for GDPR data-subject requests, internal audits, ISO 27001 evidence, or simply when troubleshooting in a team.

Every action in the Shopware admin is logged automatically: product edits, order changes, customer updates, plugin installs, configuration changes, and logins. You see not only that something was changed but exactly what – with full before/after diff for every modification.

Why this plugin?

• Effortless compliance. GDPR-ready audit log out of the box. Configurable retention, daily auto-purge. IP capture is disabled by default – data minimisation by default.
• Market gap. The Shopware Store currently has no comparable audit log plugin. No cloud service, no external server – all data stays in your Shopware database.
• Before/after diff. Every change is stored with old and new value. Passwords, tokens, and API keys are masked automatically.
• Category system instead of noise. Customers, orders, catalog, users, flows, plugins & co. are automatically sorted into 14 categories – one click filters the view.

Features at a glance

? Automatic logging

• Create/update/delete tracking for every entity modified through the admin backend
• Before/after diff as structured JSON per entry
• Automatic masking of fields: password, token, secret, apiKey, etc.
• Actor capture: user ID, username, type (admin/integration/system)
• Timestamp with millisecond precision

? Login tracking

• Successful admin logins
• Failed login attempts (brute-force detection)
• Logout events
• IP address and user-agent optional (opt-in, GDPR)

? Plugin lifecycle

• Installs and uninstalls
• Activations and deactivations
• Plugin updates
• Perfect for audit evidence after a functional failure

?️ Category system (14 categories)

• Customers: customers, addresses, customer groups, wishlists
• Orders: orders, line items, deliveries, transactions
• Catalog: products, categories, properties, manufacturers, prices, tax
• Content: CMS pages, media, email templates
• Admin users: users, roles, ACL, integrations
• Channels: sales channels, payment and shipping methods
• Rules & flows: rules, flow builder, flow templates
• Other: promotions, newsletters, system config, authentication

? Export

• CSV export – Excel-compatible, semicolon-separated, UTF-8 BOM
• HTML/PDF export – print-ready with Kommora layout
• Filter by time range and category
• Export directly from the admin module via button

⏱️ Automatic retention (GDPR)

• Configurable retention period (default: 365 days)
• Scheduled task kommora_activity_log.purge removes old entries daily
• Data minimisation by default: IP + user agent only with explicit opt-in

Typical use cases

• A customer requests a GDPR Art. 15 disclosure about who modified their data and when
• A product was accidentally set to 0 € and it's unclear who or when
• An external contractor has backend access and you want to trace which areas were touched
• Onboarding a new staff member and your compliance officer asks for evidence
• Something broke after a plugin update and you want to see what changed
• Detecting and documenting brute-force login attempts

For whom?

• Shops with multiple backend users or external contractors
• B2C and B2B shops with GDPR / ISO 27001 obligations
• Agencies offering their clients documented backend access
• Shops with data protection officers expecting audit evidence
• High-value shops where accidental changes quickly become expensive

GDPR & privacy

• Opt-in for IP addresses and user agents (default: off)
• Automatic masking of sensitive fields
• Configurable retention with automatic purging
• Complete uninstall including all data (user's choice)
• No external services, no cloud, no API calls