This is one of the ways to monitor what your users are doing with your website.
<ol>
<li>Create a table in your database to log your user activity.</li>
<li>Define the various activity types that can happen in your app.</li>
<li>Create a common function that logs any activity to that table.</li>
<li>Call that function from anywhere you perform log-worthy activities in your app.</li>
</ol>
You can then write a reporting tool that gives your admins access to those logged activities, with filters for user, time and activity type.
In my log-framework, I specially mark activities which could be seen as malicious actions and assign them different numeric threat-values. If the sum of a user’s threat-values reaches a certain threshold, I log out the user.
Ideally, when you write an application, you write your infrastructure code, such as logging, at the very beginning and then use it in all your business logic code later.
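The steps above, put together as an added example that is not the author's own log-framework: an activity table, activity types carrying threat values, one common logging function, and a filtered report. The table layout, the activity names, the threat values and the threshold of 10 are all assumptions made for illustration.

```python
import sqlite3
from enum import Enum

class Activity(Enum):
    # (name stored in the log, threat value); values constructed for this example
    LOGIN_OK = ("login_ok", 0)
    LOGIN_FAILED = ("login_failed", 2)
    PROFILE_EDIT = ("profile_edit", 0)
    ACCESS_DENIED = ("access_denied", 5)

THREAT_THRESHOLD = 10  # assumed cut-off at which the user is logged out

def open_log(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS activity_log (
        id INTEGER PRIMARY KEY,
        ts TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
        user_id INTEGER NOT NULL,
        activity TEXT NOT NULL,
        threat INTEGER NOT NULL,
        detail TEXT)""")
    return db

def threat_score(db, user_id):
    row = db.execute("SELECT COALESCE(SUM(threat), 0) FROM activity_log "
                     "WHERE user_id = ?", (user_id,)).fetchone()
    return row[0]

def log_activity(db, user_id, activity, detail=""):
    """Record one activity; return True when the user should be logged out."""
    name, threat = activity.value
    # Parameterised insert: detail may carry user-controlled text.
    db.execute("INSERT INTO activity_log (user_id, activity, threat, detail) "
               "VALUES (?, ?, ?, ?)", (user_id, name, threat, detail))
    db.commit()
    return threat_score(db, user_id) >= THREAT_THRESHOLD

def report(db, user_id=None, activity=None, since=None):
    """Admin report, optionally filtered by user, activity type and start time."""
    sql, args = "SELECT user_id, activity, threat, detail FROM activity_log WHERE 1=1", []
    if user_id is not None:
        sql += " AND user_id = ?"
        args.append(user_id)
    if activity is not None:
        sql += " AND activity = ?"
        args.append(activity.value[0])
    if since is not None:  # 'YYYY-MM-DD HH:MM:SS' in UTC, as stored by SQLite
        sql += " AND ts >= ?"
        args.append(since)
    return db.execute(sql + " ORDER BY id", args).fetchall()
```

The caller ends the session when `log_activity` returns True; the score here sums over all of a user's rows, so a real deployment would decide whether to limit it to a time window.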