我的书签
添加书签
移除书签Auditing
Auditing allows you to track important changes to your Grafana instance. By default, audit logs are logged to file but the auditing feature also supports sending logs directly to Loki.
Audit logs are JSON objects representing user actions like:
- Modifications to resources such as dashboards and data sources.
- A user failing to log in.
Audit logs contain the following fields. The fields followed by * are always available, the others depend on the type of action logged.
The additionalData field can contain the following information:
| Field name | Action | Description |
|---|---|---|
loginUsername | login | Login used in the Grafana authentication form. |
extUserInfo | login | User information provided by the external system that was used to log in. |
authTokenCount | login | Number of active authentication tokens for the user that logged in. |
terminationReason | The reason why the user logged out, such as a manual logout or a token expiring. |
The audit logs include records about the following categories of actions. Each action is distinguished by the action and resources[...].type fields in the JSON record.
For example, creating an API key produces an audit log like this:
Sessions
| Action | Distinguishing fields |
|---|---|
| Log in | {“action”: “login-AUTH-MODULE”} |
| Log out * | {“action”: “logout”} |
| Force logout for user | {“action”: “logout-user”} |
| Remove user authentication token | {“action”: “revoke-auth-token”, “resources”: [{“type”: “auth-token”}, {“type”: “user”}]} |
| Create API key | {“action”: “create”, “resources”: [{“type”: “api-key”}]} |
| Delete API key | {“action”: “delete”, “resources”: [{“type”: “api-key”}]} |
* Where AUTH-MODULE is the name of the authentication module: grafana, saml, ldap, etc.
** Includes manual log out, token expired/revoked, and SAML Single Logout.
User management
| Action | Distinguishing fields |
|---|---|
| Create user | {“action”: “create”, “resources”: [{“type”: “user”}]} |
| Update user | {“action”: “update”, “resources”: [{“type”: “user”}]} |
| Delete user | {“action”: “delete”, “resources”: [{“type”: “user”}]} |
| Disable user | {“action”: “disable”, “resources”: [{“type”: “user”}]} |
| Enable user | {“action”: “enable”, “resources”: [{“type”: “user”}]} |
| Update password | {“action”: “update-password”, “resources”: [{“type”: “user”}]} |
| Send password reset email | {“action”: “send-reset-email”} |
| Reset password | {“action”: “reset-password”} |
| Update permissions | {“action”: “update-permissions”, “resources”: [{“type”: “user”}]} |
| Send signup email | {“action”: “signup-email”} |
| Click signup link | {“action”: “signup”} |
| Reload LDAP configuration | {“action”: “ldap-reload”} |
| Get user in LDAP | {“action”: “ldap-search”} |
| Sync user with LDAP | {“action”: “ldap-sync”, “resources”: [{“type”: “user”}] |
Team and organization management
| Action | Distinguishing fields |
|---|---|
| Add team | {“action”: “create”, “requestUri”: “/api/teams”} |
| Update team | {“action”: “update”, “requestUri”: “/api/teams/TEAM-ID”} |
| Delete team | {“action”: “delete”, “requestUri”: “/api/teams/TEAM-ID”} |
| Add external group for team | {“action”: “create”, “requestUri”: “/api/teams/TEAM-ID/groups”} |
| Remove external group for team | {“action”: “delete”, “requestUri”: “/api/teams/TEAM-ID/groups/GROUP-ID”} |
| Add user to team | {“action”: “create”, “resources”: [{“type”: “user”}, {“type”: “team”}]} |
| Update team member permissions | {“action”: “update”, “resources”: [{“type”: “user”}, {“type”: “team”}]} |
| Remove user from team | {“action”: “delete”, “resources”: [{“type”: “user”}, {“type”: “team”}]} |
| Create organization | {“action”: “create”, “resources”: [{“type”: “org”}]} |
| Update organization | {“action”: “update”, “resources”: [{“type”: “org”}]} |
| Delete organization | {“action”: “delete”, “resources”: [{“type”: “org”}]} |
| Add user to organization | {“action”: “create”, “resources”: [{“type”: “org”}, {“type”: “user”}]} |
| Change user role in organization | {“action”: “update”, “resources”: [{“type”: “user”}, {“type”: “org”}]} |
| Remove user from organization | {“action”: “delete”, “resources”: [{“type”: “user”}, {“type”: “org”}]} |
| Invite external user to organization | {“action”: “org-invite”, “resources”: [{“type”: “org”}, {“type”: “user”}]} |
| Revoke invitation | {“action”: “revoke-org-invite”, “resources”: [{“type”: “org”}]} |
* Where TEAM-ID is the ID of the affected team, and GROUP-ID (if present) is the ID of the external group.
Folder and dashboard management
Library elements management
| Action | Distinguishing fields |
|---|---|
| Create library element | {“action”: “create”, “resources”: [{“type”: “library-element”}]} |
| Update library element | {“action”: “update”, “resources”: [{“type”: “library-element”}]} |
| Delete library element | {“action”: “delete”, “resources”: [{“type”: “library-element”}]} |
Data sources management
| Action | Distinguishing fields |
|---|---|
| Create datasource | {“action”: “create”, “resources”: [{“type”: “datasource”}]} |
| Update datasource | {“action”: “update”, “resources”: [{“type”: “datasource”}]} |
| Delete datasource | {“action”: “delete”, “resources”: [{“type”: “datasource”}]} |
| Enable permissions for datasource | |
| Disable permissions for datasource | {“action”: “disable-permissions”, “resources”: [{“type”: “datasource”}]} |
| Grant datasource permission to role, team, or user | {“action”: “create”, “resources”: [{“type”: “datasource”}, {“type”: “dspermission”}]}* |
| Remove datasource permission | {“action”: “delete”, “resources”: [{“type”: “datasource”}, {“type”: “dspermission”}]} |
| Enable caching for datasource | {“action”: “enable-cache”, “resources”: [{“type”: “datasource”}]} |
| Disable caching for datasource | {“action”: “disable-cache”, “resources”: [{“type”: “datasource”}]} |
| Update datasource caching configuration | {“action”: “update”, “resources”: [{“type”: “datasource”}]} |
* resources may also contain a third item with "type": set to "user" or "team".
Alerts and notification channels management
| Action | Distinguishing fields |
|---|---|
| Save alert manager configuration | {“action”: “update”, “requestUri”: “/api/alertmanager/RECIPIENT/config/api/v1/alerts”} |
| Reset alert manager configuration | {“action”: “delete”, “requestUri”: “/api/alertmanager/RECIPIENT/config/api/v1/alerts”} |
| Create silence | {“action”: “create”, “requestUri”: “/api/alertmanager/RECIPIENT/api/v2/silences”} |
| Delete silence | {“action”: “delete”, “requestUri”: “/api/alertmanager/RECIPIENT/api/v2/silences/SILENCE-ID”} |
| Create alert | {“action”: “create”, “requestUri”: “/api/ruler/RECIPIENT/api/v2/alerts”} |
| Create or update rule group | {“action”: “create-update”, “requestUri”: “/api/ruler/RECIPIENT/api/v1/rules/NAMESPACE”} |
| Delete rule group | {“action”: “delete”, “requestUri”: “/api/ruler/RECIPIENT/api/v1/rules/NAMESPACE/GROUP-NAME”} |
| Delete namespace | {“action”: “delete”, “requestUri”: “/api/ruler/RECIPIENT/api/v1/rules/NAMESPACE”} |
| Test Grafana managed receivers | {“action”: “test”, “requestUri”: “/api/alertmanager/RECIPIENT/config/api/v1/receivers/test”} |
| Create or update the NGalert configuration of the user’s organization | {“action”: “create-update”, “requestUri”: “/api/v1/ngalert/admin_config”} |
| Delete the NGalert configuration of the user’s organization | {“action”: “delete”, “requestUri”: “/api/v1/ngalert/admin_config”} |
Where the following:
RECIPIENTisgrafanafor requests handled by Grafana or the numeric data source ID for requests forwarded to a data source.NAMESPACEis the string identifier for the rules namespace.GROUP-NAMEis the string identifier for the rules group.SILENCE-IDis the ID of the affected silence.
The following legacy alerting actions are still supported:
| Action | Distinguishing fields |
|---|---|
| Test alert rule | {“action”: “test”, “resources”: [{“type”: “panel”}]} |
| Pause alert | {“action”: “pause”, “resources”: [{“type”: “alert”}]} |
| Pause all alerts | {“action”: “pause-all”} |
| Test alert notification channel | {“action”: “test”, “resources”: [{“type”: “alert-notification”}]} |
| Create alert notification channel | {“action”: “create”, “resources”: [{“type”: “alert-notification”}]} |
| Update alert notification channel | {“action”: “update”, “resources”: [{“type”: “alert-notification”}]} |
| Delete alert notification channel | {“action”: “delete”, “resources”: [{“type”: “alert-notification”}]} |
Reporting
Annotations, playlists and snapshots management
| Action | Distinguishing fields |
|---|---|
| Create annotation | {“action”: “create”, “resources”: [{“type”: “annotation”}]} |
| Create Graphite annotation | {“action”: “create-graphite”, “resources”: [{“type”: “annotation”}]} |
| Update annotation | {“action”: “update”, “resources”: [{“type”: “annotation”}]} |
| Patch annotation | {“action”: “patch”, “resources”: [{“type”: “annotation”}]} |
| Delete annotation | {“action”: “delete”, “resources”: [{“type”: “annotation”}]} |
| Delete all annotations from panel | {“action”: “mass-delete”, “resources”: [{“type”: “dashboard”}, {“type”: “panel”}]} |
| Create playlist | {“action”: “create”, “resources”: [{“type”: “playlist”}]} |
| Update playlist | {“action”: “update”, “resources”: [{“type”: “playlist”}]} |
| Delete playlist | {“action”: “delete”, “resources”: [{“type”: “playlist”}]} |
| Create a snapshot | {“action”: “create”, “resources”: [{“type”: “dashboard”}, {“type”: “snapshot”}]} |
| Delete a snapshot | {“action”: “delete”, “resources”: [{“type”: “snapshot”}]} |
Provisioning
| Action | Distinguishing fields |
|---|---|
| Reload provisioned dashboards | {“action”: “provisioning-dashboards”} |
| Reload provisioned datasources | {“action”: “provisioning-datasources”} |
| Reload provisioned plugins | {“action”: “provisioning-plugins”} |
| Reload provisioned notifications | {“action”: “provisioning-notifications”} |
Plugins management
| Action | Distinguishing fields |
|---|---|
| Install plugin | {“action”: “install”} |
| Uninstall plugin | {“action”: “uninstall”} |
Miscellaneous
| Action | Distinguishing fields |
|---|---|
| Set licensing token | {“action”: “create”, “requestUri”: “/api/licensing/token”} |
Configuration
Options are file, loki, and logger. Use spaces to separate multiple modes, such as file loki.
By default, when a user creates or updates a dashboard, its content will not appear in the logs as it can significantly increase the size of your logs. If this is important information for you and you can handle the amount of data generated, then you can enable this option in the configuration.
Each exporter has its own configuration fields.
Audit logs are saved into files. You can configure the folder to use to save these files. Logs are rotated when the file size is exceeded and at the start of a new day.
Audit logs are sent to a service, through HTTP or gRPC.
- host - OS hostname on which the Grafana instance is running.
- kind -
auditing
Audit logs are sent to the Grafana default logger. The audit logs use the logger and are logged on debug-level, learn how to enable debug logging in the section of the documentation. Accessing the audit logs in this way is not recommended for production use.
