Overview
An audit log is available for actions on the Admin API path. This captures any HTTP requests against /admin/api/* and outputs them to the standard logger, tagged with level=audit for filtering.
The following fields may be present on each log line depending on the API endpoint called:
traceID: The jaeger-trace-id if configured.
requestURI: The URI of the incoming request.
httpMethod: The HTTP method of the incoming request.
remoteIPAddress: The IP address of the requesting client, either the address of the proxy in front of this admin API instance (if there is one), or the original source of the request if it connects directly to this admin API instance.
forwardedIPAddress: The forwarded IP address if X-Forwarded-For is set by a proxy.
requestBody: The HTTP body sent with the request.
httpStatus: The HTTP response code sent back to the client.
reason: If available, the reason for the specific httpStatus. For example, failed authentication.
authorization: The method used for authorization.
authFromCache: true if successful authentication came from a cache check, otherwise false.
tokenID: The token ID of the authenticated user, or the Subject if using OAuth integration.
accessPolicyID: The access policy ID of the requesting token.
webauth-user: The username as set by the header configured by user_header_name.
X-Grafana-Org-Id and X-Grafana-User: The respective headers as sent by the requesting client. Grafana can be configured to send this information about the user interacting with the API.
Configuration
Audit logs are disabled by default. They can be configured under the admin_api section of the GEM configuration file.
For example:
admin_api:
  audit_logging:
    enabled: true
Request body logging
By default, when Admin API audit logging is enabled, the body of the HTTP request is also logged.
As the body could potentially be large, the size of the request body is limited by the value of the -admin-api.max-request-body-size-bytes flag (default 10MiB).
If this limit is exceeded, the request will be rejected with an HTTP 413 response.
Alternatively, you can disable logging the request body with the -admin-api.log-request-body flag.
Example log output
level=audit ts=2023-05-26T12:07:03.859986132Z traceID=45a25b15f51938d0 requestURI=/admin/api/v3/tenants httpMethod=POST remoteIPAddress=172.20.0.1 requestBody="{\n \"name\": \"acme\",\n \"display_name\": \"Acme Co.\",\n \"created_at\": \"2023-04-13T17:37:59.341728283Z\",\n \"status\": \"active\",\n \"cluster\": \"enterprise-metrics\",\n \"limits\": {\n \"ruler_max_rule_groups_per_tenant\": 1\n }\n}" httpStatus=200 authorization=bearer authFromCache=false tokenID=myuser accessPolicyID=admin-ap
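The following is an added example, not part of the GEM documentation or code: a small Python reader for these audit lines that separates non-read requests from rejected ones. The sample lines, the example-policy name and the assumption that quoted values use JSON-compatible escapes are constructed for illustration.

```python
import json
import re

# key=value pairs; a value is a bare token or a double-quoted string with backslash escapes.
PAIR = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')
KEEP = ("ts", "tokenID", "remoteIPAddress", "forwardedIPAddress",
        "httpMethod", "requestURI", "httpStatus", "reason")

def parse_audit_line(line):
    """Return the fields of a level=audit line as a dict, or None for any other line."""
    fields = {}
    for key, raw in PAIR.findall(line):
        # Assumption: quoted values use JSON-compatible escapes (\n, \", \\).
        fields[key] = json.loads(raw) if raw.startswith('"') else raw
    return fields if fields.get("level") == "audit" else None

def review(lines):
    """Split audit events into non-read requests that were served and rejected requests."""
    changes, rejected = [], []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            continue
        summary = {k: event[k] for k in KEEP if k in event}
        if int(event.get("httpStatus", "0")) >= 400:
            rejected.append(summary)   # for example failed authentication, see "reason"
        elif event.get("httpMethod") not in ("GET", "HEAD"):
            changes.append(summary)    # a non-read request that was not rejected
    return changes, rejected

# Constructed sample lines in the format shown above; all values are made up.
SAMPLE = [
    'level=info ts=2023-05-26T12:07:00Z msg="server listening"',
    r'level=audit ts=2023-05-26T12:07:03Z requestURI=/admin/api/v3/tenants httpMethod=POST '
    r'remoteIPAddress=172.20.0.1 requestBody="{\n \"name\": \"acme\"\n}" httpStatus=200 '
    r'authorization=bearer authFromCache=false tokenID=myuser accessPolicyID=example-policy',
    'level=audit ts=2023-05-26T12:08:10Z requestURI=/admin/api/v3/tenants httpMethod=GET '
    'remoteIPAddress=172.20.0.1 httpStatus=200 authorization=bearer tokenID=myuser',
    'level=audit ts=2023-05-26T12:09:41Z requestURI=/admin/api/v3/tenants/acme '
    'httpMethod=DELETE remoteIPAddress=172.20.0.1 forwardedIPAddress=203.0.113.7 '
    'httpStatus=401 reason="failed authentication"',
]

if __name__ == "__main__":
    changes, rejected = review(SAMPLE)
    print("changes:", changes)
    print("rejected:", rejected)
```

Both address fields are kept in each summary because forwardedIPAddress reflects the X-Forwarded-For header while remoteIPAddress is the peer that actually connected.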