Configure security on Grafana Labs

Configure authentication

Fri, 06 Mar 2026 03:17:14 +0100

Configure authentication

Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user permissions and org memberships.

The following table shows all supported authentication providers and the features available for them. Team sync and active sync are only available in Grafana Enterprise.

Provider	Support	Role mapping	Team sync (Enterprise only)	Active sync (Enterprise only)
Auth Proxy	v2.1+	-	v6.3+	-
Azure AD OAuth	v6.7+	v6.7+	v6.7+	-
Generic OAuth	v4.0+	v6.5+	-	-
GitHub OAuth	v2.0+	-	v6.3+	-
GitLab OAuth	v5.3+	-	v6.4+	-
Google OAuth	v2.0+	-	-	-
JWT	v8.0+	-	-	-
LDAP	v2.1+	v2.1+	v5.3+	v6.3+
Okta OAuth	v7.0+	v7.0+	v7.0+	-
SAML (Enterprise only)	v6.3+	v7.0+	v7.0+	-

Grafana Auth

Grafana of course has a built in user authentication system with password authentication enabled by default. You can disable authentication by enabling anonymous access. You can also hide login form and only allow login through an auth provider (listed above). There are also options for allowing self sign up.

The following applies when using Grafana’s built in user authentication, LDAP (without Auth proxy) or OAuth integration.

Grafana are using short-lived tokens as a mechanism for verifying authenticated users. These short-lived tokens are rotated each token_rotation_interval_minutes for an active authenticated user.

An active authenticated user that gets it token rotated will extend the login_maximum_inactive_lifetime_duration time from “now” that Grafana will remember the user. This means that a user can close its browser and come back before now + login_maximum_inactive_lifetime_duration and still being authenticated. This is true as long as the time since user login is less than login_maximum_lifetime_duration.

Remote logout

You can logout from other devices by removing login sessions from the bottom of your profile page. If you are a Grafana admin user you can also do the same for any user from the Server Admin / Edit User view.

Settings

Example:

[auth]

# Login cookie name
login_cookie_name = grafana_session


# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation (token_rotation_interval_minutes).
login_maximum_inactive_lifetime_duration =


# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
login_maximum_lifetime_duration =

# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
token_rotation_interval_minutes = 10

# The maximum lifetime (seconds) an API key can be used. If it is set all the API keys should have limited lifetime that is lower than this value.
api_key_max_seconds_to_live = -1

# Enforce user lookup based on email instead of the unique ID provided by the IdP.
oauth_allow_insecure_email_lookup = false

Anonymous authentication

You can make Grafana accessible without any login required by enabling anonymous access in the configuration file.

Example:

[auth.anonymous]
enabled = true

# Organization name that should be used for unauthenticated users
org_name = Main Org.

# Role for unauthenticated users, other valid values are `Editor` and `Admin`
org_role = Viewer

If you change your organization name in the Grafana UI this setting needs to be updated to match the new name.

Basic authentication

Basic auth is enabled by default and works with the built in Grafana user password authentication system and LDAP authentication integration.

To disable basic auth:

[auth.basic]
enabled = false

You can hide the Grafana login form using the below configuration settings.

[auth]
disable_login_form = true

Enable email lookup

Enable user lookup based on email in addition to using unique ID provided by IdPs.

By default, Grafana relies on the user unique ID provided by the identity provider. Looking up users by email can be safe for some identity providers (for example, when they are single tenants and unique non-editable, validated emails are provided), as well as in some infrastructures.

We strongly recommend against enabling email lookups, however it is possible to do with the following configuration.

[auth]
oauth_allow_insecure_email_lookup = true

Set to true to attempt login with OAuth automatically, skipping the login screen. This setting is ignored if multiple OAuth providers are configured. Defaults to false.

[auth]
oauth_auto_login = true

To sign in with a username and password and avoid automatic OAuth login, add the disableAutoLogin parameter to your login URL. For example: grafana.example.com/login?disableAutoLogin or grafana.example.com/login?disableAutoLogin=true

Set the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy or JWT authentication.

[auth]
disable_signout_menu = true

URL redirect after signing out

URL to redirect the user to after signing out from Grafana. This can for example be used to enable signout from OAuth provider.

[auth]
signout_redirect_url =

Protected roles

Note: Available in Grafana Enterprise and Grafana Cloud Advanced.

By default, after you configure an authorization provider, Grafana will adopt existing users into the new authentication scheme. For example, if you have created a user with basic authentication having the login jsmith@example.com, then set up SAML authentication where jsmith@example.com is an account, the user’s authentication type will be changed to SAML if they perform a SAML sign-in.

You can disable this user adoption for certain roles using the protected_roles property:

[auth.security]
protected_roles = server_admins org_admins

The value of protected_roles should be a list of roles to protect, separated by spaces. Valid roles are viewers, editors, org_admins, server_admins, and all (a superset of the other roles).

Configure database encryption

Fri, 06 Mar 2026 03:17:14 +0100

Configure database encryption

Grafana’s database contains secrets, which are used to query data sources, send alert notifications, and perform other functions within Grafana.

Grafana encrypts these secrets before they are written to the database, by using a symmetric-key encryption algorithm called Advanced Encryption Standard (AES). These secrets are signed using a secret key that you can change when you configure a new Grafana instance.

Note: Grafana v9.0 and newer use envelope encryption by default, which adds a layer of indirection to the encryption process that introduces an implicit breaking change for older versions of Grafana.

For further details about how to operate a Grafana instance with envelope encryption, see the Operational work section.

Note: In Grafana Enterprise, you can also encrypt secrets in AES-GCM (Galois/Counter Mode) instead of the default AES-CFB (Cipher FeedBack mode).

Envelope encryption

Note: Since Grafana v9.0, you can turn envelope encryption off by adding the feature toggle disableEnvelopeEncryption to your Grafana configuration.

Instead of encrypting all secrets with a single key, Grafana uses a set of keys called data encryption keys (DEKs) to encrypt them. These data encryption keys are themselves encrypted with a single key encryption key (KEK), configured through the secret_key attribute in your Grafana configuration or with a key management service (KMS) integration.

Implicit breaking change

Envelope encryption introduces an implicit breaking change to versions of Grafana prior to v9.0, because it changes how secrets stored in the Grafana database are encrypted. Grafana administrators can upgrade to Grafana v9.0 with no action required from the database encryption perspective, but must be extremely careful if they need to roll an upgrade back to Grafana v8.5 or earlier because secrets created or modified after upgrading to Grafana v9.0 can’t be decrypted by previous versions.

Grafana v8.5 implemented envelope encryption behind an optional feature toggle. Grafana administrators who need to downgrade to Grafana v8.5 can enable envelope encryption as a workaround by adding the feature toggle envelopeEncryption to the Grafana configuration.

Operational work

From the database encryption perspective, Grafana administrators can:

Re-encrypt secrets: re-encrypt secrets with envelope encryption and a fresh data key.
Roll back secrets: decrypt secrets encrypted with envelope encryption and re-encrypt them with legacy encryption.
Re-encrypt data keys: re-encrypt data keys with a fresh key encryption key and a KMS integration.
Rotate data keys: disable active data keys and stop using them for encryption in favor of a fresh one.

Re-encrypt secrets

You can re-encrypt secrets in order to:

Move already existing secrets’ encryption forward from legacy to envelope encryption.
Re-encrypt secrets after a data keys rotation.

To re-encrypt secrets, use the Grafana CLI by running the grafana-cli admin secrets-migration re-encrypt command or the /encryption/reencrypt-secrets endpoint of the Grafana Admin API. It’s safe to run more than once, more recommended under maintenance mode.

Roll back secrets

You can roll back secrets encrypted with envelope encryption to legacy encryption. This might be necessary to downgrade to Grafana versions prior to v9.0 after an unsuccessful upgrade.

To roll back secrets, use the Grafana CLI by running the grafana-cli admin secrets-migration rollback command or the /encryption/rollback-secrets endpoint of the Grafana Admin API. It’s safe to run more than once, more recommended under maintenance mode.

Re-encrypt data keys

You can re-encrypt data keys encrypted with a specific key encryption key (KEK). This allows you to either re-encrypt existing data keys with a new KEK version (see KMS integration rotation) or to re-encrypt them with a completely different KEK.

To re-encrypt data keys, use the Grafana CLI by running the grafana-cli admin secrets-migration re-encrypt-data-keys command or the /encryption/reencrypt-data-keys endpoint of the Grafana Admin API. It’s safe to run more than once, more recommended under maintenance mode.

Rotate data keys

You can rotate data keys to disable the active data key and therefore stop using them for encryption operations. For high-availability setups, you might need to wait until the data keys cache’s time-to-live (TTL) expires to ensure that all rotated data keys are no longer being used for encryption operations.

New data keys for encryption operations are generated on demand.

Note: Data key rotation does not implicitly re-encrypt secrets. Grafana will continue to use rotated data keys to decrypt secrets still encrypted with them. To completely stop using rotated data keys for both encryption and decryption, see secrets re-encryption.

To rotate data keys, use the /encryption/rotate-data-keys endpoint of the Grafana Admin API. It’s safe to call more than once, more recommended under maintenance mode.

Encrypting your database with a key from a key management service (KMS)

If you are using Grafana Enterprise, you can integrate with a key management service (KMS) provider, and change Grafana’s cryptographic mode of operation from AES-CFB to AES-GCM.

You can choose to encrypt secrets stored in the Grafana database using a key from a KMS, which is a secure central storage location that is designed to help you to create and manage cryptographic keys and control their use across many services. When you integrate with a KMS, Grafana does not directly store your encryption key. Instead, Grafana stores KMS credentials and the identifier of the key, which Grafana uses to encrypt the database.

Grafana integrates with the following key management services:

Changing your encryption mode to AES-GCM

Grafana encrypts secrets using Advanced Encryption Standard in Cipher FeedBack mode (AES-CFB). You might prefer to use AES in Galois/Counter Mode (AES-GCM) instead, to meet your company’s security requirements or in order to maintain consistency with other services.

To change your encryption mode, update the algorithm value in the [security.encryption] section of your Grafana configuration file. For further details, refer to Enterprise configuration.

Audit a Grafana instance

Fri, 06 Mar 2026 03:17:14 +0100

Audit a Grafana instance

Auditing allows you to track important changes to your Grafana instance. By default, audit logs are logged to file but the auditing feature also supports sending logs directly to Loki.

Only API requests or UI actions that trigger an API request generate an audit log.

Note: Available in Grafana Enterprise version 7.3 and later, and Grafana Cloud Advanced.

Audit logs

Audit logs are JSON objects representing user actions like:

Modifications to resources such as dashboards and data sources.
A user failing to log in.

Format

Audit logs contain the following fields. The fields followed by * are always available, the others depend on the type of action logged.

Field name	Type	Description
`timestamp`*	string	The date and time the request was made, in coordinated universal time (UTC) using the RFC3339 format.
`user`*	object	Information about the user that made the request. Either one of the `UserID` or `ApiKeyID` fields will contain content if `isAnonymous=false`.
`user.userId`	number	ID of the Grafana user that made the request.
`user.orgId`*	number	Current organization of the user that made the request.
`user.orgRole`	string	Current role of the user that made the request.
`user.name`	string	Name of the Grafana user that made the request.
`user.tokenId`	number	ID of the user authentication token.
`user.apiKeyId`	number	ID of the Grafana API key used to make the request.
`user.isAnonymous`*	boolean	If an anonymous user made the request, `true`. Otherwise, `false`.
`action`*	string	The request action. For example, `create`, `update`, or `manage-permissions`.
`request`*	object	Information about the HTTP request.
`request.params`	object	Request’s path parameters.
`request.query`	object	Request’s query parameters.
`request.body`	string	Request’s body.
`result`*	object	Information about the HTTP response.
`result.statusType`	string	If the request action was successful, `success`. Otherwise, `failure`.
`result.statusCode`	number	HTTP status of the request.
`result.failureMessage`	string	HTTP error message.
`result.body`	string	Response body.
`resources`	array	Information about the resources that the request action affected. This field can be null for non-resource actions such as `login` or `logout`.
`resources[x].id`*	number	ID of the resource.
`resources[x].type`*	string	The type of the resource that was logged: `alert`, `alert-notification`, `annotation`, `api-key`, `auth-token`, `dashboard`, `datasource`, `folder`, `org`, `panel`, `playlist`, `report`, `team`, `user`, or `version`.
`requestUri`*	string	Request URI.
`ipAddress`*	string	IP address that the request was made from.
`userAgent`*	string	Agent through which the request was made.
`grafanaVersion`*	string	Current version of Grafana when this log is created.
`additionalData`	object	Additional information that can be provided about the request.

The additionalData field can contain the following information:

Field name	Action	Description
`loginUsername`	`login`	Login used in the Grafana authentication form.
`extUserInfo`	`login`	User information provided by the external system that was used to log in.
`authTokenCount`	`login`	Number of active authentication tokens for the user that logged in.
`terminationReason`	`logout`	The reason why the user logged out, such as a manual logout or a token expiring.

Recorded actions

The audit logs include records about the following categories of actions. Each action is distinguished by the action and resources[...].type fields in the JSON record.

For example, creating an API key produces an audit log like this:

{
  "action": "create",
  "resources": [
    {
      "id": 1,
      "type": "api-key"
    }
  ],
  "timestamp": "2021-11-12T22:12:36.144795692Z",
  "user": {
    "userId": 1,
    "orgId": 1,
    "orgRole": "Admin",
    "username": "admin",
    "isAnonymous": false,
    "authTokenId": 1
  },
  "request": {
    "body": "{\"name\":\"example\",\"role\":\"Viewer\",\"secondsToLive\":null}"
  },
  "result": {
    "statusType": "success",
    "statusCode": 200,
    "responseBody": "{\"id\":1,\"name\":\"example\"}"
  },
  "resources": [
    {
      "id": 1,
      "type": "api-key"
    }
  ],
  "requestUri": "/api/auth/keys",
  "ipAddress": "127.0.0.1:54652",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0",
  "grafanaVersion": "8.3.0-pre"
}

Some actions can only be distinguished by their requestUri fields. For those actions, the relevant pattern of the requestUri field is given.

Sessions

Action	Distinguishing fields
Log in	`{"action": "login-AUTH-MODULE"}` *
Log out **	`{"action": "logout"}`
Force logout for user	`{"action": "logout-user"}`
Remove user authentication token	`{"action": "revoke-auth-token", "resources": [{"type": "auth-token"}, {"type": "user"}]}`
Create API key	`{"action": "create", "resources": [{"type": "api-key"}]}`
Delete API key	`{"action": "delete", "resources": [{"type": "api-key"}]}`

* Where AUTH-MODULE is the name of the authentication module: grafana, saml, ldap, etc.
** Includes manual log out, token expired/revoked, and SAML Single Logout.

User management

Action	Distinguishing fields
Create user	`{"action": "create", "resources": [{"type": "user"}]}`
Update user	`{"action": "update", "resources": [{"type": "user"}]}`
Delete user	`{"action": "delete", "resources": [{"type": "user"}]}`
Disable user	`{"action": "disable", "resources": [{"type": "user"}]}`
Enable user	`{"action": "enable", "resources": [{"type": "user"}]}`
Update password	`{"action": "update-password", "resources": [{"type": "user"}]}`
Send password reset email	`{"action": "send-reset-email"}`
Reset password	`{"action": "reset-password"}`
Update permissions	`{"action": "update-permissions", "resources": [{"type": "user"}]}`
Send signup email	`{"action": "signup-email"}`
Click signup link	`{"action": "signup"}`
Reload LDAP configuration	`{"action": "ldap-reload"}`
Get user in LDAP	`{"action": "ldap-search"}`
Sync user with LDAP	`{"action": "ldap-sync", "resources": [{"type": "user"}]`

Team and organization management

Action	Distinguishing fields
Add team	`{"action": "create", "requestUri": "/api/teams"}`
Update team	`{"action": "update", "requestUri": "/api/teams/TEAM-ID"}`*
Delete team	`{"action": "delete", "requestUri": "/api/teams/TEAM-ID"}`*
Add external group for team	`{"action": "create", "requestUri": "/api/teams/TEAM-ID/groups"}`*
Remove external group for team	`{"action": "delete", "requestUri": "/api/teams/TEAM-ID/groups/GROUP-ID"}`*
Add user to team	`{"action": "create", "resources": [{"type": "user"}, {"type": "team"}]}`
Update team member permissions	`{"action": "update", "resources": [{"type": "user"}, {"type": "team"}]}`
Remove user from team	`{"action": "delete", "resources": [{"type": "user"}, {"type": "team"}]}`
Create organization	`{"action": "create", "resources": [{"type": "org"}]}`
Update organization	`{"action": "update", "resources": [{"type": "org"}]}`
Delete organization	`{"action": "delete", "resources": [{"type": "org"}]}`
Add user to organization	`{"action": "create", "resources": [{"type": "org"}, {"type": "user"}]}`
Change user role in organization	`{"action": "update", "resources": [{"type": "user"}, {"type": "org"}]}`
Remove user from organization	`{"action": "delete", "resources": [{"type": "user"}, {"type": "org"}]}`
Invite external user to organization	`{"action": "org-invite", "resources": [{"type": "org"}, {"type": "user"}]}`
Revoke invitation	`{"action": "revoke-org-invite", "resources": [{"type": "org"}]}`

* Where TEAM-ID is the ID of the affected team, and GROUP-ID (if present) is the ID of the external group.

Folder and dashboard management

Action	Distinguishing fields
Create folder	`{"action": "create", "resources": [{"type": "folder"}]}`
Update folder	`{"action": "update", "resources": [{"type": "folder"}]}`
Update folder permissions	`{"action": "manage-permissions", "resources": [{"type": "folder"}]}`
Delete folder	`{"action": "delete", "resources": [{"type": "folder"}]}`
Create/update dashboard	`{"action": "create-update", "resources": [{"type": "dashboard"}]}`
Import dashboard	`{"action": "create", "resources": [{"type": "dashboard"}]}`
Update dashboard permissions	`{"action": "manage-permissions", "resources": [{"type": "dashboard"}]}`
Restore old dashboard version	`{"action": "restore", "resources": [{"type": "dashboard"}]}`
Delete dashboard	`{"action": "delete", "resources": [{"type": "dashboard"}]}`

Library elements management

Action	Distinguishing fields
Create library element	`{"action": "create", "resources": [{"type": "library-element"}]}`
Update library element	`{"action": "update", "resources": [{"type": "library-element"}]}`
Delete library element	`{"action": "delete", "resources": [{"type": "library-element"}]}`

Data sources management

Action	Distinguishing fields
Create datasource	`{"action": "create", "resources": [{"type": "datasource"}]}`
Update datasource	`{"action": "update", "resources": [{"type": "datasource"}]}`
Delete datasource	`{"action": "delete", "resources": [{"type": "datasource"}]}`
Enable permissions for datasource	`{"action": "enable-permissions", "resources": [{"type": "datasource"}]}`
Disable permissions for datasource	`{"action": "disable-permissions", "resources": [{"type": "datasource"}]}`
Grant datasource permission to role, team, or user	`{"action": "create", "resources": [{"type": "datasource"}, {"type": "dspermission"}]}`*
Remove datasource permission	`{"action": "delete", "resources": [{"type": "datasource"}, {"type": "dspermission"}]}`
Enable caching for datasource	`{"action": "enable-cache", "resources": [{"type": "datasource"}]}`
Disable caching for datasource	`{"action": "disable-cache", "resources": [{"type": "datasource"}]}`
Update datasource caching configuration	`{"action": "update", "resources": [{"type": "datasource"}]}`

* resources may also contain a third item with "type": set to "user" or "team".

Alerts and notification channels management

Action	Distinguishing fields
Save alert manager configuration	`{"action": "update", "requestUri": "/api/alertmanager/RECIPIENT/config/api/v1/alerts"}`
Reset alert manager configuration	`{"action": "delete", "requestUri": "/api/alertmanager/RECIPIENT/config/api/v1/alerts"}`
Create silence	`{"action": "create", "requestUri": "/api/alertmanager/RECIPIENT/api/v2/silences"}`
Delete silence	`{"action": "delete", "requestUri": "/api/alertmanager/RECIPIENT/api/v2/silences/SILENCE-ID"}`
Create alert	`{"action": "create", "requestUri": "/api/ruler/RECIPIENT/api/v2/alerts"}`
Create or update rule group	`{"action": "create-update", "requestUri": "/api/ruler/RECIPIENT/api/v1/rules/NAMESPACE"}`
Delete rule group	`{"action": "delete", "requestUri": "/api/ruler/RECIPIENT/api/v1/rules/NAMESPACE/GROUP-NAME"}`
Delete namespace	`{"action": "delete", "requestUri": "/api/ruler/RECIPIENT/api/v1/rules/NAMESPACE"}`
Test Grafana managed receivers	`{"action": "test", "requestUri": "/api/alertmanager/RECIPIENT/config/api/v1/receivers/test"}`
Create or update the NGalert configuration of the user’s organization	`{"action": "create-update", "requestUri": "/api/v1/ngalert/admin_config"}`
Delete the NGalert configuration of the user’s organization	`{"action": "delete", "requestUri": "/api/v1/ngalert/admin_config"}`

Where the following:

RECIPIENT is grafana for requests handled by Grafana or the data source UID for requests forwarded to a data source.
NAMESPACE is the string identifier for the rules namespace.
GROUP-NAME is the string identifier for the rules group.
SILENCE-ID is the ID of the affected silence.

The following legacy alerting actions are still supported:

Action	Distinguishing fields
Test alert rule	`{"action": "test", "resources": [{"type": "panel"}]}`
Pause alert	`{"action": "pause", "resources": [{"type": "alert"}]}`
Pause all alerts	`{"action": "pause-all"}`
Test alert notification channel	`{"action": "test", "resources": [{"type": "alert-notification"}]}`
Create alert notification channel	`{"action": "create", "resources": [{"type": "alert-notification"}]}`
Update alert notification channel	`{"action": "update", "resources": [{"type": "alert-notification"}]}`
Delete alert notification channel	`{"action": "delete", "resources": [{"type": "alert-notification"}]}`

Reporting

Action	Distinguishing fields
Create report	`{"action": "create", "resources": [{"type": "report"}, {"type": "dashboard"}]}`
Update report	`{"action": "update", "resources": [{"type": "report"}, {"type": "dashboard"}]}`
Delete report	`{"action": "delete", "resources": [{"type": "report"}]}`
Send report by email	`{"action": "email", "resources": [{"type": "report"}]}`
Update reporting settings	`{"action": "change-settings"}`

Annotations, playlists and snapshots management

Action	Distinguishing fields
Create annotation	`{"action": "create", "resources": [{"type": "annotation"}]}`
Create Graphite annotation	`{"action": "create-graphite", "resources": [{"type": "annotation"}]}`
Update annotation	`{"action": "update", "resources": [{"type": "annotation"}]}`
Patch annotation	`{"action": "patch", "resources": [{"type": "annotation"}]}`
Delete annotation	`{"action": "delete", "resources": [{"type": "annotation"}]}`
Delete all annotations from panel	`{"action": "mass-delete", "resources": [{"type": "dashboard"}, {"type": "panel"}]}`
Create playlist	`{"action": "create", "resources": [{"type": "playlist"}]}`
Update playlist	`{"action": "update", "resources": [{"type": "playlist"}]}`
Delete playlist	`{"action": "delete", "resources": [{"type": "playlist"}]}`
Create a snapshot	`{"action": "create", "resources": [{"type": "dashboard"}, {"type": "snapshot"}]}`
Delete a snapshot	`{"action": "delete", "resources": [{"type": "snapshot"}]}`

Provisioning

Action	Distinguishing fields
Reload provisioned dashboards	`{"action": "provisioning-dashboards"}`
Reload provisioned datasources	`{"action": "provisioning-datasources"}`
Reload provisioned plugins	`{"action": "provisioning-plugins"}`
Reload provisioned notifications	`{"action": "provisioning-notifications"}`

Plugins management

Action	Distinguishing fields
Install plugin	`{"action": "install"}`
Uninstall plugin	`{"action": "uninstall"}`

Miscellaneous

Action	Distinguishing fields
Set licensing token	`{"action": "create", "requestUri": "/api/licensing/token"}`

Configuration

Note: The auditing feature is disabled by default.

Audit logs can be saved into files, sent to a Loki instance or sent to the Grafana default logger. By default, only the file exporter is enabled. You can choose which exporter to use in the configuration file.

Options are file, loki, and logger. Use spaces to separate multiple modes, such as file loki.

By default, when a user creates or updates a dashboard, its content will not appear in the logs as it can significantly increase the size of your logs. If this is important information for you and you can handle the amount of data generated, then you can enable this option in the configuration.

[auditing]
# Enable the auditing feature
enabled = false
# List of enabled loggers
loggers = file
# Keep dashboard content in the logs (request or response fields); this can significantly increase the size of your logs.
log_dashboard_content = false
# Log all GET requests and always include request body for generic POST/PUT/PATCH requests.
verbose = false
# By default Grafana logs requests even if the status code indicates that no changes to the system were made.
# Set to false to only log requests with 2xx, 3xx, 401, 403, 500 responses.
log_all_status_codes = true

Each exporter has its own configuration fields.

File exporter

Audit logs are saved into files. You can configure the folder to use to save these files. Logs are rotated when the file size is exceeded and at the start of a new day.

[auditing.logs.file]
# Path to logs folder
path = data/log
# Maximum log files to keep
max_files = 5
# Max size in megabytes per log file
max_file_size_mb = 256

Loki exporter

Audit logs are sent to a Loki service, through HTTP or gRPC.

Note: The HTTP option for the Loki exporter is available only in Grafana Enterprise version 7.4 and later.

[auditing.logs.loki]
# Set the communication protocol to use with Loki (can be grpc or http)
type = grpc
# Set the address for writing logs to Loki (format must be host:port)
url = localhost:9095
# Defaults to true. If true, it establishes a secure connection to Loki
tls = true

If you have multiple Grafana instances sending logs to the same Loki service or if you are using Loki for non-audit logs, audit logs come with additional labels to help identifying them:

host - OS hostname on which the Grafana instance is running.
grafana_instance - Application URL.
kind - auditing

Console exporter

Audit logs are sent to the Grafana default logger. The audit logs use the auditing.console logger and are logged on debug-level, learn how to enable debug logging in the log configuration section of the documentation. Accessing the audit logs in this way is not recommended for production use.

Export logs of usage insights

Fri, 06 Mar 2026 03:17:14 +0100

Export logs of usage insights

Note: Available in Grafana Enterprise version 7.4 and later, and Grafana Cloud Pro and Advanced.

By exporting usage logs to Loki, you can directly query them and create dashboards of the information that matters to you most, such as dashboard errors, most active organizations, or your top-10 most-used queries. This configuration is done for you in Grafana Cloud, with provisioned dashboards. Read about them in the Grafana Cloud documentation.

Usage insights logs

Usage insights logs are JSON objects that represent certain user activities, such as:

A user opens a dashboard.
A query is sent to a data source.

Scope

A log is created every time a user opens a dashboard or when a query is sent to a data source in the dashboard view. A query that is performed via Explore does not generate a log.

Format

Logs of usage insights contain the following fields, where the fields followed by * are always available, and the others depend on the logged event:

Field name	Type	Description
`eventName`*	string	Type of the event, which can be either `data-request` or `dashboard-view`.
`folderName`*	string	Name of the dashboard folder.
`dashboardName`*	string	Name of the dashboard where the event happened.
`dashboardId`*	number	ID of the dashboard where the event happened.
`datasourceName`	string	Name of the data source that was queried.
`datasourceType`	string	Type of the data source that was queried. For example, `prometheus`, `elasticsearch`, or `loki`.
`datasourceId`	number	ID of the data source that was queried.
`panelId`	number	ID of the panel of the query.
`panelName`	string	Name of the panel of the query.
`error`	string	Error returned by the query.
`duration`	number	Duration of the query.
`source`	string	Source of the query. For example, `dashboard` or `explore`.
`orgId`*	number	ID of the user’s organization.
`orgName`*	string	Name of the user’s organization.
`timestamp`*	string	The date and time that the request was made, in Coordinated Universal Time (UTC) in RFC3339 format.
`tokenId`*	number	ID of the user’s authentication token.
`username`*	string	Name of the Grafana user that made the request.
`userId`*	number	ID of the Grafana user that made the request.
`totalQueries`*	number	Number of queries executed for the data request.
`cachedQueries`*	number	Number of fetched queries that came from the cache.

Configuration

To export your logs, enable the usage insights feature and configure an export location in the configuration file:

[usage_insights.export]
# Enable the usage insights export feature
enabled = true
# Storage type
storage = loki

The options for storage type are loki and logger (added in Grafana Enterprise 8.2).

If the storage type is set to loki you’ll need to also configure Grafana to export to a Loki ingestion server. To do this, you’ll need Loki installed. Refer to Install Loki for instructions on how to install Loki.

[usage_insights.export.storage.loki]
# Set the communication protocol to use with Loki (can be grpc or http)
type = grpc
# Set the address for writing logs to Loki (format must be host:port)
url = localhost:9095
# Defaults to true. If true, it establishes a secure connection to Loki
tls = true

Using logger will print usage insights to your Grafana server log. There is no option for configuring the logger storage type.

Visualize Loki usage insights in Grafana

If you export logs into Loki, you can build Grafana dashboards to understand your Grafana instance usage.

Add Loki as a data source. Refer to Grafana fundamentals tutorial.
Import one of the following dashboards:
- Usage insights
- Usage insights datasource details
Play with usage insights to understand them:
- In Explore, you can use the query {datasource="gdev-loki",kind="usage_insights"} to retrieve all logs related to your gdev-loki data source.
- In a dashboard, you can build a table panel with the query topk(10, sum by (error) (count_over_time({kind="usage_insights", datasource="gdev-prometheus"} | json | error != "" [$__interval]))) to display the 10 most common errors your users see using the gdev-prometheus data source.
- In a dashboard, you can build a graph panel with the queries sum by(host) (count_over_time({kind="usage_insights"} | json | eventName="data-request" | error != "" [$__interval])) and sum by(host) (count_over_time({kind="usage_insights"} | json | eventName="data-request" | error = "" [$__interval])) to show the evolution of the data request count over time. Using by (host) allows you to have more information for each Grafana server you have if you have set up Grafana for high availability.

Configure Team Sync

Fri, 06 Mar 2026 03:17:14 +0100

Configure Team Sync

Team sync lets you set up synchronization between your auth providers teams and teams in Grafana. This enables LDAP, OAuth, or SAML users who are members of certain teams or groups to automatically be added or removed as members of certain teams in Grafana.

Note: Available in Grafana Enterprise and Grafana Cloud Advanced.

Grafana keeps track of all synchronized users in teams, and you can see which users have been synchronized in the team members list, see LDAP label in screenshot. This mechanism allows Grafana to remove an existing synchronized user from a team when its group membership changes. This mechanism also enables you to manually add a user as member of a team, and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.

Currently the synchronization only happens when a user logs in, unless LDAP is used with the active background synchronization that was added in Grafana 6.3.

Supported providers

Synchronize a Grafana team with an external group

If you have already grouped some users into a team, then you can synchronize that team with an external group.

In Grafana, navigate to Configuration > Teams.
Select a team.
On the External group sync tab, and click Add group.
Insert the value of the group you want to sync with. This becomes the Grafana GroupID. Examples:
- For LDAP, this is the LDAP distinguished name (DN) of LDAP group you want to synchronize with the team.
- For Auth Proxy, this is the value we receive as part of the custom Groups header.
Click Add group to save.

Group matching is case insensitive.

LDAP specific: wildcard matching

When using LDAP, you can use a wildcard (*) in the common name attribute (CN) to match any group in the corresponding Organizational Unit (OU).

Ex: cn=*,ou=groups,dc=grafana,dc=org can be matched by cn=users,ou=groups,dc=grafana,dc=org

Configure request security

Fri, 06 Mar 2026 03:17:14 +0100

Configure request security

Request security allows you to limit requests from the Grafana server by targeting requests generated by users, such as data source metric queries and alert notifications.

This can be used to limit access to internal systems that the server Grafana runs on can access but that users of Grafana should not be able to access. This feature does not affect traffic from the Grafana users browser.

Note: Available in Grafana Enterprise version 7.4 and later, and Grafana Cloud Pro and Advanced.

Note: Although request security works with backend plugins, you can create a backend plugin that bypasses this security.

IP and hostname blocking

You can limit requests based on a hostname, an IP address, or both.

Deny list

Grafana blocks any request to a hostname or IP address on the deny list.

Allow list

If there is at least one entry on the list, then any request to a hostname or IP address not on the list is denied.

For example:

[security.egress]
# A list of hostnames or IP addresses separated by spaces for which requests are blocked.
host_deny_list = supersecret.internal 192.168.1.10
# a list of hostnames or IP addresses separated by spaces for which requests will be allowed, all other requests will be blocked
host_allow_list = prometheus.internal

Drop headers and cookies

You can set a list of cookies or headers that are to be dropped from outgoing requests.

Example:

[security.egress]
# a list of headers that will be stripped from outgoing datasource and alerting requests
header_drop_list = user
# a list of cookies that will be stripped from outgoing datasource requests (case sensitive)
cookie_drop_list = session_id

Configure security on Grafana Labs

Configure authentication

Configure authentication

Grafana Auth

Login and short-lived tokens

Remote logout

Settings

Anonymous authentication

Basic authentication

Disable login form

Enable email lookup

Automatic OAuth login

Avoid automatic OAuth login

Hide sign-out menu

URL redirect after signing out

Protected roles

Configure database encryption

Configure database encryption

Envelope encryption

Implicit breaking change

Operational work

Re-encrypt secrets

Roll back secrets

Re-encrypt data keys

Rotate data keys

Encrypting your database with a key from a key management service (KMS)

Changing your encryption mode to AES-GCM

Audit a Grafana instance

Audit a Grafana instance

Audit logs

Format

Recorded actions

Sessions

User management

Team and organization management

Folder and dashboard management

Library elements management

Data sources management

Alerts and notification channels management

Reporting

Annotations, playlists and snapshots management

Provisioning

Plugins management

Miscellaneous

Configuration

File exporter

Loki exporter

Console exporter

Export logs of usage insights

Export logs of usage insights

Usage insights logs

Scope

Format

Configuration

Visualize Loki usage insights in Grafana

Configure Team Sync

Configure Team Sync

Supported providers

Synchronize a Grafana team with an external group

LDAP specific: wildcard matching

Configure request security

Configure request security

IP and hostname blocking

Deny list

Allow list

Drop headers and cookies