Audit Visibility: Tracking Grafana Logins in Healthwatch Tile

Article ID: 432527

Updated On:

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

Compliance and security requirements often mandate the tracking of user authentication events (Login/Logout). While Grafana Enterprise and Grafana Cloud offer a native, structured Audit Logging feature, this capability is absent in the Open Source (OSS) version.

To meet these security requirements without an Enterprise license, a workaround is required to extract user activity from standard application logs. By enabling specific routing logs and parsing the grafana.log file, administrators can successfully identify authentication events.

Environment

 

  • Platform: VMware Tanzu Operations Manager (Ops Manager)

  • Product: Healthwatch for Tanzu (Grafana Tile)

  • Grafana Version: OSS / Standard distribution within Healthwatch

  • Log Location: /var/vcap/sys/log/grafana/grafana.log

 

Resolution

To capture login and logout data, follow these steps to increase log visibility and extract the relevant strings.

Step 1: Enable Enhanced Logging

  1. Log in to the Ops Manager UI.

  2. Navigate to the Healthwatch Tile settings.

  3. Select the Grafana section.

  4. Check the box for "Enable router logging". This ensures that the context and pathing (like /login and /logout) are explicitly recorded in the application logs.

Step 2: Apply Configuration

  1. Go to the Installation Dashboard.

  2. Click Review Pending Changes.

  3. Ensure only the Healthwatch tile is selected to save time.

  4. Click Apply Changes.

Step 3: Extracting the Data

Once the changes are applied, authentication events are recorded in the Grafana VM. You can access the VM via BOSH and run the following commands to view the audit trail.

To view Login events:

Bash
 
grep "your_grafana_url" /var/vcap/sys/log/grafana/grafana.log | grep login

To view Logout events:

Bash
 
grep "your_grafana_url" /var/vcap/sys/log/grafana/grafana.log | grep logout

4. Technical Analysis (Log Breakdown)

When a user authenticates, the log generates a level=info entry. Below is a breakdown of what the extracted data represents:

Field            Description
userId / uname   Identifies the specific user (e.g., admin).
t                The exact timestamp of the event.
remote_addr      The IP address of the user initiating the request.
path             Shows / for login or /logout for session termination.
status           200 for successful page load; 302 for logout redirection.

Example Login Output:

logger=context userId=1 orgId=1 uname=admin t=2026-03-10T03:03:56.742792372Z level=info msg="Request Completed" method=GET path=/ status=200 remote_addr=###.###.###.### time_ms=64 duration=64.678022ms size=51540 referer=https://grafana.example.com/login handler=/ status_source=server

Example Logout Output:

logger=context userId=1 orgId=1 uname=admin t=2026-03-10T03:03:47.251723652Z level=info msg="Request Completed" method=GET path=/logout status=302 remote_addr=###.###.###.### time_ms=31 duration=31.396916ms size=82 referer="https://grafana.example.com/?orgId=1&refresh=1m" handler=/logout status_source=server
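The field breakdown above can be applied with a small logfmt parser instead of a plain grep, which also matches any line that merely contains the word "login". This is an added example, not part of the original article or the Healthwatch product; the sample lines are constructed (192.0.2.10 is a documentation address), and the login rule (path=/, status 200, referer ending in /login) is an assumption taken from the example output.

```python
import re
from urllib.parse import urlsplit

# One logfmt pair: key=value, where the value is bare or double-quoted.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample lines in the grafana.log format shown above (not real log data).
SAMPLE_LOG = [
    'logger=context userId=0 orgId=0 uname= t=2026-03-10T03:03:40.118204511Z level=info '
    'msg="Request Completed" method=GET path=/login status=200 remote_addr=192.0.2.10 referer=',
    'logger=context userId=1 orgId=1 uname=admin t=2026-03-10T03:03:56.742792372Z level=info msg="Request '
    'Completed" method=GET path=/ status=200 remote_addr=192.0.2.10 referer=https://grafana.example.com/login',
    'logger=context userId=1 orgId=1 uname=admin t=2026-03-10T03:05:10.300100200Z level=info msg="Request Completed" '
    'method=GET path=/api/search status=200 remote_addr=192.0.2.10 referer="https://grafana.example.com/d/abc/login-metrics?orgId=1"',
    'logger=context userId=1 orgId=1 uname=admin t=2026-03-10T03:09:47.251723652Z level=info msg="Request Completed" '
    'method=GET path=/logout status=302 remote_addr=192.0.2.10 referer="https://grafana.example.com/?orgId=1&refresh=1m"',
]

def parse_logfmt(line):
    """Split one log line into a dict of fields, stripping surrounding quotes."""
    fields = {}
    for key, val in _PAIR.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields

def classify(f):
    """Return 'login', 'logout' or None for one parsed router-log entry."""
    if f.get("logger") != "context" or f.get("msg") != "Request Completed":
        return None
    if f.get("path") == "/logout" and f.get("status") == "302":
        return "logout"
    # Assumed login rule: the first page load that follows the /login form.
    came_from_login = urlsplit(f.get("referer", "")).path.endswith("/login")
    if f.get("path") == "/" and f.get("status") == "200" and came_from_login:
        return "login"
    return None

def audit_events(lines):
    """Return (timestamp, event, user, remote_addr) tuples in file order."""
    events = []
    for line in lines:
        f = parse_logfmt(line)
        kind = classify(f)
        if kind:
            events.append((f.get("t"), kind, f.get("uname"), f.get("remote_addr")))
    return events

if __name__ == "__main__": print(*audit_events(SAMPLE_LOG), sep="\n")
```

On the Grafana VM, the same functions can be fed the real file with `audit_events(open("/var/vcap/sys/log/grafana/grafana.log"))`.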


5. Conclusion

By leveraging the "Router Logging" feature in Ops Manager, administrators can bypass the Enterprise-only restriction for audit logs. While this requires manual parsing or a log aggregator (like Aria Operations for Logs) to filter the grafana.log, it provides the necessary "Who, When, and Where" for security compliance.