This is documentation for the next version of Grafana documentation. For the latest stable release, go to the latest version.

Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Set upbreadcrumb arrow Configure securitybreadcrumb arrow Audit a Grafana instance
Grafana Cloud Enterprise

Audit a Grafana instance

Auditing allows you to track important changes to your Grafana instance. Depending on your deployment, you can send audit logs to a file, a Loki-compatible endpoint, or the Grafana default logger.

Note

Available in Grafana Enterprise and Grafana Cloud.

Only API requests or UI actions that trigger an API request generate an audit log.

  • Grafana Enterprise supports all three exporters: file, Loki, and console.
  • Grafana Cloud uses the Loki exporter. To enable audit logs for your Grafana Cloud instance, file a support ticket. Standard ingest and retention rates apply.

Understand audit logs

Audit logs are JSON objects representing user actions like:

  • Modifications to resources such as dashboards and data sources.
  • A user failing to log in.

Review the audit log format

Audit logs contain the following fields. The fields followed by * are always available, the others depend on the type of action logged.

Field nameTypeDescription
timestamp*stringThe date and time the request was made, in coordinated universal time (UTC) using the RFC3339 format.
user*objectInformation about the user that made the request. Either one of the UserID or ApiKeyID fields contains content if isAnonymous=false.
user.userIdnumberID of the Grafana user that made the request.
user.orgId*numberCurrent organization of the user that made the request.
user.orgRolestringCurrent role of the user that made the request.
user.namestringName of the Grafana user that made the request.
user.authTokenIdnumberID of the user authentication token.
user.apiKeyIdnumberID of the Grafana API key used to make the request.
user.isAnonymous*booleanIf an anonymous user made the request, true. Otherwise, false.
action*stringThe request action. For example, create, update, or manage-permissions.
request*objectInformation about the HTTP request.
request.paramsobjectRequest’s path parameters.
request.queryobjectRequest’s query parameters.
request.bodystringRequest’s body. Filled with <non-marshalable format> when it isn’t a valid JSON.
result*objectInformation about the HTTP response.
result.statusTypestringIf the request action was successful, success. Otherwise, failure.
result.statusCodenumberHTTP status of the request.
result.failureMessagestringHTTP error message.
result.bodystringResponse body. Filled with <non-marshalable format> when it isn’t a valid JSON.
resourcesarrayInformation about the resources that the request action affected. This field can be null for non-resource actions such as login or logout.
resources[x].id*numberID of the resource.
resources[x].type*stringThe type of the resource that was logged: alert, alert-notification, annotation, api-key, auth-token, dashboard, datasource, folder, org, panel, playlist, report, team, user, or version.
requestUri*stringRequest URI.
ipAddress*stringIP address that the request was made from.
userAgent*stringAgent through which the request was made.
grafanaVersion*stringCurrent version of Grafana when this log is created.
additionalDataobjectAdditional information that can be provided about the request.

The additionalData field can contain the following information:

Field nameActionDescription
loginUsernameloginLogin used in the Grafana authentication form.
extUserInfologinUser information provided by the external system that was used to log in.
authTokenCountloginNumber of active authentication tokens for the user that logged in.
terminationReasonlogoutThe reason why the user logged out, such as a manual logout or a token expiring.
billing_rolebilling-informationThe billing role associated with the billing information being sent.

Identify recorded actions

The audit logs include records about the following categories of actions. Each action is distinguished by the action and resources[...].type fields in the JSON record.

For example, creating an API key produces an audit log like this:

JSON 
{
  "action": "create",
  "resources": [
    {
      "id": 1,
      "type": "api-key"
    }
  ],
  "timestamp": "2021-11-12T22:12:36.144795692Z",
  "user": {
    "userId": 1,
    "orgId": 1,
    "orgRole": "Admin",
    "username": "admin",
    "isAnonymous": false,
    "authTokenId": 1
  },
  "request": {
    "body": "{\"name\":\"example\",\"role\":\"Viewer\",\"secondsToLive\":null}"
  },
  "result": {
    "statusType": "success",
    "statusCode": 200,
    "responseBody": "{\"id\":1,\"name\":\"example\"}"
  },
  "resources": [
    {
      "id": 1,
      "type": "api-key"
    }
  ],
  "requestUri": "/api/auth/keys",
  "ipAddress": "127.0.0.1:54652",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0",
  "grafanaVersion": "8.3.0-pre"
}

Some actions can only be distinguished by their requestUri fields. For those actions, the relevant pattern of the requestUri field is given.

Almost all recorded actions correspond to API requests or UI actions that trigger an API request. For example, the action {"action": "email", "resources": [{"type": "report"}]} corresponds to a user-initiated email preview of a report, not a scheduled send.

Sessions

ActionDistinguishing fields
Log in{"action": "login-AUTH-MODULE"} *
Log out **{"action": "logout"}
Force logout for user{"action": "logout-user"}
Remove user authentication token{"action": "revoke-auth-token", "resources": [{"type": "auth-token"}, {"type": "user"}]}
Create API key{"action": "create", "resources": [{"type": "api-key"}]}
Delete API key{"action": "delete", "resources": [{"type": "api-key"}]}

* Where AUTH-MODULE is the name of the authentication module: grafana, saml, ldap, etc.
** Includes manual log out, token expired/revoked, and SAML Single Logout.

Service accounts

ActionDistinguishing fields
Create service account{"action": "create", "resources": [{"type": "service-account"}]}
Update service account{"action": "update", "resources": [{"type": "service-account"}]}
Delete service account{"action": "delete", "resources": [{"type": "service-account"}]}
Create service account token{"action": "create", "resources": [{"type": "service-account"}, {"type": "service-account-token"}]}
Delete service account token{"action": "delete", "resources": [{"type": "service-account"}, {"type": "service-account-token"}]}
Hide API keys{"action": "hide-api-keys"}
Migrate API keys{"action": "migrate-api-keys"}
Migrate API key{"action": "migrate-api-keys"}, "resources": [{"type": "api-key"}]}

Access control

ActionDistinguishing fields
Create role{"action": "create", "resources": [{"type": "role"}]}
Update role{"action": "update", "resources": [{"type": "role"}]}
Delete role{"action": "delete", "resources": [{"type": "role"}]}
Assign built-in role{"action": "assign-builtin-role", "resources": [{"type": "role"}, {"type": "builtin-role"}]}
Remove built-in role{"action": "remove-builtin-role", "resources": [{"type": "role"}, {"type": "builtin-role"}]}
Grant team role{"action": "grant-team-role", "resources": [{"type": "team"}]}
Set team roles{"action": "set-team-roles", "resources": [{"type": "team"}]}
Revoke team role{"action": "revoke-team-role", "resources": [{"type": "role"}, {"type": "team"}]}
Grant user role{"action": "grant-user-role", "resources": [{"type": "role"}, {"type": "user"}]}
Set user roles{"action": "set-user-roles", "resources": [{"type": "user"}]}
Revoke user role{"action": "revoke-user-role", "resources": [{"type": "role"}, {"type": "user"}]}
Set user permissions on folder{"action": "set-user-permissions-on-folder", "resources": [{"type": "folder"}, {"type": "user"}]}
Set team permissions on folder{"action": "set-team-permissions-on-folder", "resources": [{"type": "folder"}, {"type": "team"}]}
Set basic role permissions on folder{"action": "set-basic-role-permissions-on-folder", "resources": [{"type": "folder"}, {"type": "builtin-role"}]}
Set user permissions on dashboard{"action": "set-user-permissions-on-dashboards", "resources": [{"type": "dashboard"}, {"type": "user"}]}
Set team permissions on dashboard{"action": "set-team-permissions-on-dashboards", "resources": [{"type": "dashboard"}, {"type": "team"}]}
Set basic role permissions on dashboard{"action": "set-basic-role-permissions-on-dashboards", "resources": [{"type": "dashboard"}, {"type": "builtin-role"}]}
Set user permissions on team{"action": "set-user-permissions-on-teams", "resources": [{"type": "teams"}, {"type": "user"}]}
Set user permissions on service account{"action": "set-user-permissions-on-service-accounts", "resources": [{"type": "service-account"}, {"type": "user"}]}
Set user permissions on datasource{"action": "set-user-permissions-on-data-sources", "resources": [{"type": "datasource"}, {"type": "user"}]}
Set team permissions on datasource{"action": "set-team-permissions-on-data-sources", "resources": [{"type": "datasource"}, {"type": "team"}]}
Set basic role permissions on datasource{"action": "set-basic-role-permissions-on-data-sources", "resources": [{"type": "datasource"}, {"type": "builtin-role"}]}

User management

ActionDistinguishing fields
Create user{"action": "create", "resources": [{"type": "user"}]}
Update user{"action": "update", "resources": [{"type": "user"}]}
Delete user{"action": "delete", "resources": [{"type": "user"}]}
Disable user{"action": "disable", "resources": [{"type": "user"}]}
Enable user{"action": "enable", "resources": [{"type": "user"}]}
Update password{"action": "update-password", "resources": [{"type": "user"}]}
Send password reset email{"action": "send-reset-email"}
Reset password{"action": "reset-password"}
Update permissions{"action": "update-permissions", "resources": [{"type": "user"}]}
Send signup email{"action": "signup-email"}
Click signup link{"action": "signup"}
Reload LDAP configuration{"action": "ldap-reload"}
Get user in LDAP{"action": "ldap-search"}
Sync user with LDAP{"action": "ldap-sync", "resources": [{"type": "user"}]

Team and organization management

ActionDistinguishing fields
Add team{"action": "create", "requestUri": "/api/teams"}
Update team{"action": "update", "requestUri": "/api/teams/TEAM-ID"}*
Delete team{"action": "delete", "requestUri": "/api/teams/TEAM-ID"}*
Add external group for team{"action": "create", "requestUri": "/api/teams/TEAM-ID/groups"}*
Remove external group for team{"action": "delete", "requestUri": "/api/teams/TEAM-ID/groups/GROUP-ID"}*
Add user to team{"action": "create", "resources": [{"type": "user"}, {"type": "team"}]}
Update team member permissions{"action": "update", "resources": [{"type": "user"}, {"type": "team"}]}
Remove user from team{"action": "delete", "resources": [{"type": "user"}, {"type": "team"}]}
Create organization{"action": "create", "resources": [{"type": "org"}]}
Update organization{"action": "update", "resources": [{"type": "org"}]}
Delete organization{"action": "delete", "resources": [{"type": "org"}]}
Add user to organization{"action": "create", "resources": [{"type": "org"}, {"type": "user"}]}
Change user role in organization{"action": "update", "resources": [{"type": "user"}, {"type": "org"}]}
Remove user from organization{"action": "delete", "resources": [{"type": "user"}, {"type": "org"}]}
Invite external user to organization{"action": "org-invite", "resources": [{"type": "org"}, {"type": "user"}]}
Revoke invitation{"action": "revoke-org-invite", "resources": [{"type": "org"}]}

* Where TEAM-ID is the ID of the affected team, and GROUP-ID (if present) is the ID of the external group.

Folder and dashboard management

ActionDistinguishing fields
Create folder{"action": "create", "resources": [{"type": "folder"}]}
Update folder{"action": "update", "resources": [{"type": "folder"}]}
Update folder permissions{"action": "manage-permissions", "resources": [{"type": "folder"}]}
Delete folder{"action": "delete", "resources": [{"type": "folder"}]}
Create/update dashboard{"action": "create-update", "resources": [{"type": "dashboard"}]}
Import dashboard{"action": "create", "resources": [{"type": "dashboard"}]}
Update dashboard permissions{"action": "manage-permissions", "resources": [{"type": "dashboard"}]}
Restore old dashboard version{"action": "restore", "resources": [{"type": "dashboard"}]}
Delete dashboard{"action": "delete", "resources": [{"type": "dashboard"}]}

Library elements management

ActionDistinguishing fields
Create library element{"action": "create", "resources": [{"type": "library-element"}]}
Update library element{"action": "update", "resources": [{"type": "library-element"}]}
Delete library element{"action": "delete", "resources": [{"type": "library-element"}]}

Data sources management

ActionDistinguishing fields
Create datasource{"action": "create", "resources": [{"type": "datasource"}]}
Update datasource{"action": "update", "resources": [{"type": "datasource"}]}
Delete datasource{"action": "delete", "resources": [{"type": "datasource"}]}
Enable permissions for datasource{"action": "enable-permissions", "resources": [{"type": "datasource"}]}
Disable permissions for datasource{"action": "disable-permissions", "resources": [{"type": "datasource"}]}
Grant datasource permission to role, team, or user{"action": "create", "resources": [{"type": "datasource"}, {"type": "dspermission"}]}*
Remove datasource permission{"action": "delete", "resources": [{"type": "datasource"}, {"type": "dspermission"}]}
Enable caching for datasource{"action": "enable-cache", "resources": [{"type": "datasource"}]}
Disable caching for datasource{"action": "disable-cache", "resources": [{"type": "datasource"}]}
Update datasource caching configuration{"action": "update", "resources": [{"type": "datasource"}]}

* resources may also contain a third item with "type": set to "user" or "team".

Data source query

ActionDistinguishing fields
Query datasource{"action": "query", "resources": [{"type": "datasource"}]}

Reporting

ActionDistinguishing fields
Create report{"action": "create", "resources": [{"type": "report"}, {"type": "dashboard"}]}
Update report{"action": "update", "resources": [{"type": "report"}, {"type": "dashboard"}]}
Delete report{"action": "delete", "resources": [{"type": "report"}]}
Send report by email{"action": "email", "resources": [{"type": "report"}]}
Update reporting settings{"action": "change-settings"}

Annotations, playlists and snapshots management

ActionDistinguishing fields
Create annotation{"action": "create", "resources": [{"type": "annotation"}]}
Create Graphite annotation{"action": "create-graphite", "resources": [{"type": "annotation"}]}
Update annotation{"action": "update", "resources": [{"type": "annotation"}]}
Patch annotation{"action": "patch", "resources": [{"type": "annotation"}]}
Delete annotation{"action": "delete", "resources": [{"type": "annotation"}]}
Delete all annotations from panel{"action": "mass-delete", "resources": [{"type": "dashboard"}, {"type": "panel"}]}
Create playlist{"action": "create", "resources": [{"type": "playlist"}]}
Update playlist{"action": "update", "resources": [{"type": "playlist"}]}
Delete playlist{"action": "delete", "resources": [{"type": "playlist"}]}
Create a snapshot{"action": "create", "resources": [{"type": "dashboard"}, {"type": "snapshot"}]}
Delete a snapshot{"action": "delete", "resources": [{"type": "snapshot"}]}
Delete a snapshot by delete key{"action": "delete", "resources": [{"type": "snapshot"}]}

Provisioning

ActionDistinguishing fields
Reload provisioned dashboards{"action": "provisioning-dashboards"}
Reload provisioned datasources{"action": "provisioning-datasources"}
Reload provisioned plugins{"action": "provisioning-plugins"}
Reload provisioned alerts{"action": "provisioning-alerts"}
Reload provisioned access control{"action": "provisioning-accesscontrol"}

Plugins management

ActionDistinguishing fields
Install plugin{"action": "install"}
Uninstall plugin{"action": "uninstall"}

Miscellaneous

ActionDistinguishing fields
Set licensing token{"action": "create", "requestUri": "/api/licensing/token"}
Save billing information{"action": "billing-information"}

Cloud migration management

ActionDistinguishing fields
Connect to a cloud instance{"action": "connect-instance"}
Disconnect from a cloud instance{"action": "disconnect-instance"}
Build a snapshot{"action": "build", "resources": [{"type": "snapshot"}]}
Upload a snapshot{"action": "upload", "resources": [{"type": "snapshot"}]}

Generic actions

In addition to the actions listed above, any HTTP request (POST, PATCH, PUT, and DELETE) against the API is recorded with one of the following generic actions.

You can also record GET requests. Refer to Configure audit logging to enable this.

ActionDistinguishing fields
POST request{"action": "post-action"}
PATCH request{"action": "partial-update"}
PUT request{"action": "update"}
DELETE request{"action": "delete"}
GET request{"action": "retrieve"}

Configure audit logging

Note

The auditing feature is disabled by default.

Audit logs can be saved into files, sent to a Loki-compatible endpoint, or sent to the Grafana default logger. You can choose which exporter to use in the configuration file.

Options are file, loki, and logger. Use spaces to separate multiple modes, such as file loki.

Not all exporters are available in every deployment:

ExporterGrafana EnterpriseGrafana Cloud
FileYes (default)No
LokiYesYes (default)
ConsoleYesNo

By default, dashboard content doesn’t appear in audit logs because it can significantly increase log size. To include dashboard content, enable the log_dashboard_content option.

Data source query request and response bodies are also excluded by default. Enabling log_datasource_query_request_body or log_datasource_query_response_body significantly increases log volume and may expose sensitive data such as query parameters, credentials, or personally identifiable information.

ini 
[auditing]
# Enable the auditing feature
enabled = false
# List of enabled loggers
loggers = file
# Keep dashboard content in the logs (request or response fields); this can significantly increase the size of your logs.
log_dashboard_content = false
# Whether to record data source queries' request body. This can significantly increase the size of your logs. Disabled by default.
log_datasource_query_request_body = false
# Whether to record data source queries' response body. This can significantly increase the size of your logs. Disabled by default.
log_datasource_query_response_body = false
# Keep requests and responses body; this can significantly increase the size of your logs.
verbose = false
# Write an audit log for every status code.
# By default it only logs the following ones: 2XX, 3XX, 401, 403 and 500.
log_all_status_codes = false
# Maximum response body (in bytes) to be audited; 500KiB by default.
# May help reducing the memory footprint caused by auditing.
max_response_size_bytes = 512000

Each exporter has its own configuration fields.

File exporter

Note

The file exporter is only available in Grafana Enterprise.

Audit logs are saved into files. You can configure the folder to use to save these files. Logs are rotated when the file size is exceeded and at the start of a new day.

ini 
[auditing.logs.file]
# Path to logs folder
path = data/log
# Maximum log files to keep
max_files = 5
# Max size in megabytes per log file
max_file_size_mb = 256

Loki exporter

Audit logs are sent to a Loki-compatible endpoint through HTTP or gRPC. You can use this exporter to send logs to Grafana Cloud Logs, a self-hosted Loki instance, or any other service that accepts the Loki push API.

Note

The HTTP option for the Loki exporter is available only in Grafana Enterprise version 7.4 and later.

ini 
[auditing.logs.loki]
# Set the communication protocol to use with Loki (can be grpc or http)
type = grpc
# Set the address for writing logs to Loki
url = localhost:9095
# Defaults to true. If true, it establishes a secure connection to Loki
tls = true
# Set the tenant ID for Loki communication, which is disabled by default.
# The tenant ID is required to interact with Loki running in multi-tenant mode.
tenant_id =
# Only available for the HTTP client. Disabled by default.
# How long to wait before sending a request to Loki with the batch of events. Uses duration format, for example, 5s, 1m
# Whichever threshold is hit first between `batch_wait_duration` and `batch_size_bytes` triggers the batch to be sent to Loki.
# If the wait duration is very long and the `batch_size_bytes` is very high, events might take a long time to be sent.
# To enable batching, you must also set the `batch_size_bytes` configuration option.
batch_wait_duration =
# Only available for the HTTP client. Disabled by default.
# How many events, in bytes, to accumulate in a single batch before sending it to Loki.
# Whichever threshold is hit first between `batch_wait_duration` and `batch_size_bytes` triggers the batch to be sent to Loki.
# If you want to always wait for the `batch_wait_duration`, set `batch_size_bytes` to a very high number.
# To enable batching, you must also set the `batch_wait_duration` configuration option.
batch_size_bytes =

If you have multiple Grafana instances sending logs to the same Loki service or if you use Loki for non-audit logs, audit logs come with additional labels to help identify them:

LabelValue
hostOS hostname on which the Grafana instance is running
grafana_instanceApplication URL
kindauditing

If your Loki instance requires basic authentication, specify credentials in the URL field. For example:

ini 
# Set the communication protocol to use with Loki (can be grpc or http)
type = http
# Set the address for writing logs to Loki
url = user:password@localhost:3000

Console exporter

Note

The console exporter is only available in Grafana Enterprise.

Audit logs are sent to the Grafana default logger. The audit logs use the auditing.console logger and are logged on debug-level. To learn how to enable debug logging, refer to the log configuration section. Accessing the audit logs in this way isn’t recommended for production use.