An audit log is available for actions on the Admin API path. This captures any HTTP requests against /admin/api/* and outputs them to the standard logger, tagged with level=audit for filtering.

The following fields may be present on each log line depending on the API endpoint called:

  • traceID: The jaeger-trace-id if configured.
  • requestURI: The URI of the incoming request.
  • httpMethod: The HTTP method of the incoming request.
  • remoteIPAddress: The IP address of the requesting client, either the address of the proxy in front of this admin API instance (if there is one), or the original source of the request if it connects directly to this admin API instance.
  • forwardedIPAddress: The forwarded IP address if X-Forwarded-For is set by a proxy.
  • requestBody: The HTTP body sent with the request.
  • httpStatus: The HTTP response code sent back to the client.
  • reason: If available, the reason for the specific httpStatus. For example, failed authentication.
  • authorization: The method used for authorization.
  • authFromCache: true if successful authentication came from a cache check, otherwise false.
  • tokenID: The token ID of the authenticated user, or the Subject if using OAuth integration.
  • accessPolicyID: The access policy ID of the requesting token.
  • webauth-user: The username as set by the header configured by user_header_name.
  • X-Grafana-Org-Id and X-Grafana-User: The respective headers as sent by the requesting client. Grafana can be configured to send this information about the user interacting with the API.


Audit logs are disabled by default. They can be configured under the admin_api section of the GEM configuration file.

For example:

    enabled: true

Request body logging

By default, when Admin API audit logging is enabled, the body of the HTTP request is also logged.

As the body could potentially be large, the size of the request body is limited by the value of the -admin-api.max-request-body-size-bytes flag (default 10MiB). If this limit is exceeded, the request will be rejected with an HTTP 413 response.

Alternatively, you can disable logging the request body with the -admin-api.log-request-body flag.

Example log output

level=audit ts=2023-05-26T12:07:03.859986132Z traceID=45a25b15f51938d0 requestURI=/admin/api/v3/tenants httpMethod=POST remoteIPAddress= requestBody="{\n  \"name\": \"acme\",\n  \"display_name\": \"Acme Co.\",\n  \"created_at\": \"2023-04-13T17:37:59.341728283Z\",\n  \"status\": \"active\",\n  \"cluster\": \"enterprise-metrics\",\n  \"limits\": {\n    \"ruler_max_rule_groups_per_tenant\": 1\n  }\n}" httpStatus=200 authorization=bearer authFromCache=false tokenID=myuser accessPolicyID=admin-ap