---
title: "Audit logging | Grafana Enterprise Metrics documentation"
description: "Admin API Audit logging An audit log is available for actions on the Admin API path. This captures any HTTP requests against /admin/api/* and outputs them to the standard logger, tagged with level=audit for filtering."
---

[Documentation](/docs/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [Grafana Enterprise Metrics](/docs/enterprise-metrics/v2.17.x/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [APIs](/docs/enterprise-metrics/v2.17.x/api/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [GEM Admin API](/docs/enterprise-metrics/v2.17.x/api/admin-api/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) Audit logging

Enterprise

## Admin API Audit logging

An audit log is available for actions on the Admin API path. This captures any HTTP requests against `/admin/api/*` and outputs them to the standard logger, tagged with `level=audit` for filtering.

The following fields may be present on each log line depending on the API endpoint called:

- `traceID`: The jaeger-trace-id if [configured](/docs/mimir/latest/configure/configure-tracing/).
- `requestURI`: The URI of the incoming request.
- `httpMethod`: The HTTP method of the incoming request.
- `remoteIPAddress`: The IP address of the requesting client, either the address of the proxy in front of this admin API instance (if there is one), or the original source of the request if it connects directly to this admin API instance.
- `forwardedIPAddress`: The forwarded IP address if `X-Forwarded-For` is set by a proxy.
- `requestBody`: The HTTP body sent with the request.
- `httpStatus`: The HTTP response code sent back to the client.
- `reason`: If available, the reason for the specific `httpStatus`. For example, failed authentication.
- `authorization`: The method used for authorization.
- `authFromCache`: `true` if successful authentication came from a [cache check](/docs/enterprise-metrics/latest/configure/config-gem/reference/#auth), otherwise `false`.
- `tokenID`: The token ID of the authenticated user, or the subject if using [OAuth integration](/docs/enterprise-metrics/latest/manage/oauth/).
- `accessPolicyID`: The access policy ID of the requesting token.
- `webauth-user`: The username as set by the header configured by [user\_header\_name](/docs/enterprise-metrics/latest/configure/config-gem/reference/#admin_api).
- `X-Grafana-Org-Id` and `X-Grafana-User`: The respective headers as sent by the requesting client. [You can configure Grafana](/docs/grafana/latest/setup-grafana/configure-grafana/#send_user_header) to send this information about the user interacting with the API.

## Configuration

Audit logs are disabled by default. They can be configured under the `admin_api` section of the GEM [configuration file](/docs/enterprise-metrics/latest/configure/config-gem/reference/#admin_api).

For example:

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
admin_api:
  auditlogging:
    enabled: true
```

## Request body logging

By default, when Admin API audit logging is enabled, the body of the HTTP request is also logged.

As the body could potentially be large, the size of the request body is limited by the value of the `-admin-api.max-request-body-size-bytes` flag (default 10MiB). If this limit is exceeded, the request will be rejected with an HTTP 413 response.

Alternatively, you can disable logging the request body with the `-admin-api.log-request-body` flag.

## Example log output

![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```none
level=audit ts=2023-05-26T12:07:03.859986132Z traceID=45a25b15f51938d0 requestURI=/admin/api/v3/tenants httpMethod=POST remoteIPAddress=172.20.0.1 requestBody="{\n  \"name\": \"acme\",\n  \"display_name\": \"Acme Co.\",\n  \"created_at\": \"2023-04-13T17:37:59.341728283Z\",\n  \"status\": \"active\",\n  \"cluster\": \"enterprise-metrics\",\n  \"limits\": {\n    \"ruler_max_rule_groups_per_tenant\": 1\n  }\n}" httpStatus=200 authorization=bearer authFromCache=false tokenID=myuser accessPolicyID=admin-ap
```