Quick start

Compliance Audit Log adds a tamper-proof compliance layer to WHMCS: 8 event categories (auth / client / financial / ticket / service / domain / config / module) with full before/after diffs, purpose-built for NIS2 and CRA compliance. This guide covers install, viewing logs, and Pro features (HMAC chain / alert rules / NIS2 report).

For EU hosting providers, MSPs, and any WHMCS instance with audit/compliance requirements.

1. Install and activate

  1. Download the ZIP matching your PHP version (e.g. compliance_audit_log_v1.x.x_php8.1.zip) and extract into your WHMCS root.
  2. WHMCS admin → Setup → Apps & Integrations → Compliance Audit Log → Activate.
  3. Configuration → Addon Modules → Compliance Audit Log → tick the admin roles allowed access (Full Administrator recommended), paste your license key (Pro features only), then Save.
  4. Top menu Addons → Compliance Audit Log opens the console.

After activation, hooks auto-write events into mod_compliance_audit_log_entries. WHMCS business flow is not modified.

2. Dashboard

The dashboard shows:

  • Stat cards: total events, critical events, today's events (30-day window)
  • Filter bar: filter by event category / severity / date range / keyword
  • Log list: paginated; click a row to open the right-side detail drawer
  • Detail drawer: actor / target / IP / timestamp plus before/after JSON diff

3. Event categories

| Category  | Examples                                               |
|-----------|--------------------------------------------------------|
| auth      | admin login / logout / failure                         |
| client    | client added / profile updated / suspended / deleted   |
| financial | invoice created / paid / refunded / credit adjusted    |
| ticket    | ticket opened / replied / closed / merged              |
| service   | provisioned / suspended / unsuspended / terminated     |
| domain    | registered / renewed / transferred                     |
| config    | system settings changed, template changed              |
| module    | addon enable/disable, third-party module ops           |

Every record includes actor / target / IP / timestamp plus before/after for high-value fields.

4. CSV export

After filtering, click "Export CSV":

  • Filename contains the date range (e.g. compliance_audit_2026-04-01_2026-05-01.csv)
  • UTF-8 BOM for Excel compatibility
  • Columns: id, category, action, actor, target, IP, severity, timestamp, details

5. HMAC tamper-proof chain (Pro)

Every record gets hmac_hash = HMAC_SHA256(secret, current_record + prev_hash). Any modification breaks the chain.

The "Verify integrity" button scans the entire table:

  • Shows scan progress
  • Reports break position (row ID + timestamp)
  • Counts affected records

Useful for regulatory audits or incident forensics.
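
The chain formula and the integrity scan described above, as an added Python sketch (not the module's own code). The sorted-key JSON serialisation, the all-zero genesis hash, the row field names and the separately stored `expected_head` are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row


def mac(secret, record, prev_hash):
    # Formula from the page; sorted-key compact JSON is an assumed serialisation.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, (body + prev_hash).encode(), hashlib.sha256).hexdigest()


def build_chain(secret, records):
    chain, prev = [], GENESIS
    for rec in records:
        prev = mac(secret, rec, prev)
        chain.append({**rec, "hmac_hash": prev})
    return chain


def verify(secret, chain, expected_head=None):
    """Return failing rows as (id, timestamp) pairs; an empty list means intact."""
    breaks, prev = [], GENESIS
    for row in chain:
        rec = {k: v for k, v in row.items() if k != "hmac_hash"}
        # Recompute the MAC from the row content and compare in constant time.
        if not hmac.compare_digest(mac(secret, rec, prev), row["hmac_hash"]):
            breaks.append((row["id"], row["timestamp"]))
        prev = row["hmac_hash"]  # continue from the stored value to find every break
    # Removing rows from the end leaves a valid shorter chain, so the newest
    # hash is also compared with a copy kept outside the database (assumption).
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        breaks.append(("head", None))
    return breaks


# Constructed sample rows (not real WHMCS data).
SECRET = b"constructed-demo-secret"
ROWS = [
    {"id": 1, "timestamp": "2026-04-01T09:00:00Z", "category": "auth", "action": "admin login"},
    {"id": 2, "timestamp": "2026-04-01T09:05:00Z", "category": "client", "action": "client deleted"},
    {"id": 3, "timestamp": "2026-04-01T09:06:00Z", "category": "config", "action": "system settings changed"},
    {"id": 4, "timestamp": "2026-04-01T09:10:00Z", "category": "auth", "action": "admin logout"},
]
CHAIN = build_chain(SECRET, ROWS)
```

On the constructed chain, editing row 2 in place flags row 2, deleting row 2 flags row 3, and dropping the last row is only caught when `expected_head` is supplied.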

6. Alert rules (Pro)

The Alert Rules panel configures email alert triggers:

  • Bulk deletion: e.g. ≥ 10 client deletions within 5 minutes
  • Permission changes: admin role / API token modifications
  • Off-hours access: admin login outside 09:00-18:00
  • Repeated login failures: ≥ 5 failures from same IP within 5 minutes

Notification email is configurable per rule (defaults to WHMCS system admin). Each rule can be toggled independently.

7. NIS2 report (Pro)

"Generate NIS2 report" produces a one-click NIS2 Article 21 compliance report (PDF-ready HTML):

  • Covers Art.21(2)(b)(g)(i)(j)
  • Compliance status score
  • Hash chain verification status
  • Severity distribution chart
  • Print to PDF for handover to auditors

8. Settings and retention (Pro)

The Settings panel:

  • Retention days: 90 / 180 / 365 (free tier fixed at 30)
  • Archive policy: auto-archive or delete on expiry
  • Alert email: override default recipient
  • HMAC secret rotation: rotate periodically (already-written chain stays signed with old secret; new records use new secret)

9. FAQ

Q: What's free vs Pro?
A: Free: 8-category capture + dashboard + filters + CSV export + 30-day retention. Pro: HMAC chain, JSON export, NIS2 report, alert rules, up to 12-month retention.

Q: Will frequent writes hurt performance?
A: Single INSERT via WHMCS Capsule with covering indexes for common queries; HMAC computation is synchronous and < 1ms per record.

Q: Can I repair a broken hash chain?
A: No (by design). A broken chain pinpoints tampering but the original content is unrecoverable — that's the integrity guarantee.

Q: External SIEM integration?
A: v1.x supports CSV / JSON manual export; v1.1 roadmap adds SIEM webhook + Syslog real-time forwarding.

For deeper docs (hook list, table schema, report field map) see the "Full documentation" link on your store dashboard card.