Grafana Enterprise on Grafana Labs

Grafana Enterprise license

Fri, 03 Apr 2026 20:44:05 +0000

Grafana Enterprise license

To run Grafana Enterprise, you need a valid license. Contact a Grafana Labs representative to obtain the license. For information on how to activate your license, refer to Activate an Enterprise license.

Fine-grained access control

Fri, 03 Apr 2026 20:44:05 +0000

Fine-grained access control

Note: Fine-grained access control is in beta, and you can expect changes in future releases.

Fine-grained access control provides a standardized way of granting, changing, and revoking access when it comes to viewing and modifying Grafana resources, such as users and reports. Fine-grained access control works alongside the current Grafana permissions, and it allows you granular control of users’ actions.

To learn more about how fine-grained access control works, refer to Roles and Permissions. To use the fine-grained access control system, refer to Fine-grained access control usage scenarios.

Access management

Fine-grained access control considers a) who has an access (identity), and b) what they can do and on which Grafana resource (role).

You can grant, change, or revoke access to users (identity). When an authenticated user tries to access a Grafana resource, the authorization system checks the required fine-grained permissions for the resource and determines whether or not the action is allowed. Refer to Fine-grained permissions for a complete list of available permissions.

To grant or revoke access to your users, create or remove built-in role assignments. For more information, refer to Built-in role assignments.

Resources with fine-grained permissions

Fine-grained access control is currently available for Reporting and Managing Users. To learn more about specific endpoints where you can use access control, refer to Permissions and to the relevant API guide:

Enable fine-grained access control

Fine-grained access control is available behind the accesscontrol feature toggle in Grafana Enterprise 8.0+. You can enable it either in a config file or by configuring an environment variable.

Enable in config file

In your config file, add accesscontrol as a feature_toggle.

[feature_toggles]
# enable features, separated by spaces
enable = accesscontrol

Enable with an environment variable

You can use GF_FEATURE_TOGGLES_ENABLE = accesscontrol environment variable to override the config file configuration and enable fine-grained access control.

Refer to Configuring with environment variables for more information.

Verify if enabled

You can verify if fine-grained access control is enabled or not by sending an HTTP request to the Check endpoint.

Usage insights

Fri, 03 Apr 2026 20:44:05 +0000

Usage insights

Usage insights allow you to have a better understanding of how your Grafana instance is used.

The usage insights feature collects a number of aggregated data and stores them in the database:

Dashboard views (aggregated and per user)
Data source errors
Data source queries

These aggregated data give you access to several features:

This feature also generates detailed logs that can be exported to Loki. Refer to Export logs of usage insights.

Query caching

Fri, 03 Apr 2026 20:44:05 +0000

Query caching

When query caching is enabled, Grafana temporarily stores the results of data source queries. When you or another user submit the exact same query again, the results will come back from the cache instead of from the data source (like Splunk or ServiceNow) itself.

Query caching works for all backend data sources, and queries sent through the data source proxy. You can enable the cache globally and configure the cache duration (also called Time to Live, or TTL).

The following cache backends are available: in-memory, Redis, and Memcached.

Note: Storing cached queries in-memory can increase Grafana’s memory footprint. In production environments, a Redis or Memcached backend is highly recommended.

When a panel queries a cached data source, the time until this query fetches fresh data is determined by the panel’s interval. This means that wider panels and dashboards with shorter time ranges fetch new data more frequently than narrower panels and dashboards with longer time ranges.

Interval is visible in a panel’s query options. It is calculated like this: (max data points) / time range. Max data points are calculated based on the width of the panel. For example, a full-width panel on a dashboard with a time range of last 7 days will retrieve fresh data every 10 minutes. In this example, cached data for this panel will be served for up to 10 minutes before Grafana queries the data source again and returns new data.

You can make a panel retrieve fresh data more frequently by increasing the Max data points setting in the panel’s query options.

Query caching benefits

Faster dashboard load times, especially for popular dashboards.
Reduced API costs.
Reduced likelihood that APIs will rate-limit or throttle requests.

Data sources that work with query caching

Query caching works for all Enterprise data sources, and it works for the following built-in data sources:

CloudWatch Metrics
Google Cloud Monitoring
InfluxDB
Microsoft SQL Server
MySQL
Postgres
Tempo

Some data sources, such as Elasticsearch, Prometheus, and Loki, cache queries themselves, so Grafana query caching does not improve performance.

Query caching also works for all data sources that include a backend. More specifically, caching works with data sources that extend the DataSourceWithBackend class in the plugins SDK.

To tell if a data source works with query caching, follow the instructions below to Enable and Configure query caching. If caching is enabled in Grafana but the Caching tab is not visible for the given data source, then query caching is not available for that data source.

Enable and configure query caching

You must be an Org admin or Grafana admin to enable query caching for a data source. For more information on Grafana roles and permissions, visit the Permissions page.

By default, data source queries are not cached. To enable query caching for a single data source:

On the side menu, click Configuration > Data Sources.
In the data source list, click the data source that you want to turn on caching for.
In the Cache tab, click Enable.
Open the Cache tab.
Press the Enable button.
(Optional) Choose a custom TTL for that data source. If you skip this step, then Grafana uses the default TTL.

Note: If query caching is enabled and the Cache tab is not visible in a data source’s settings, then query caching is not available for that data source.

To configure global settings for query caching, refer the the Query caching section of Enterprise Configuration.

Disable query caching

To disable query caching for a single data source:

On the side menu, click Configuration > Data Sources.
In the data source list, click the data source that you want to turn off caching for.
In the Cache tab, click Disable.

To disable query caching for an entire Grafana instance, set the enabled flag to false in the Query caching section of Enterprise Configuration. You will no longer see the Cache tab on any data sources, and no data source queries will be cached.

Sending a request without cache

If a data source query request contains an X-Cache-Skip header, then Grafana skips the caching middleware, and does not search the cache for a response. This can be particularly useful when debugging data source queries using cURL.

Request security

Fri, 03 Apr 2026 20:44:05 +0000

Request security

Note: Available in Grafana Enterprise v7.4 and later versions.

Request security makes it possible to limit requests from the Grafana server, and it targets requests that are generated by users.

For example:

Data source metric queries
Alert notifications

This can be used to limit access to internal systems that the server Grafana runs on can access but that users of Grafana should not be able to access. This feature does not affect traffic from the Grafana users browser.

Note: Although request security works with backend plugins, you can create a backend plugin that bypasses this security.

IP and hostname blocking

You can limit requests based on a hostname, an IP address, or both.

Deny list

Grafana blocks any request to a hostname or IP address on the deny list.

Allow list

If there is at least one entry on the list, then any request to a hostname or IP address not on the list is denied.

For example:

[security.egress]
# A list of hostnames or IP addresses separated by spaces for which requests are blocked.
host_deny_list = supersecret.internal 192.168.1.10
# a list of hostnames or IP addresses separated by spaces for which requests will be allowed, all other requests will be blocked
host_allow_list = prometheus.internal

Drop headers and cookies

You can set a list of cookies or headers that are to be dropped from outgoing requests.

Example:

[security.egress]
# a list of headers that will be stripped from outgoing datasource and alerting requests
header_drop_list = user
# a list of cookies that will be stripped from outgoing datasource requests (case sensitive)
cookie_drop_list = session_id

Data source permissions

Fri, 03 Apr 2026 20:44:05 +0000

Data source permissions

Data source permissions allow you to restrict access for users to query a data source. For each data source there is a permission page that allows you to enable permissions and restrict query permissions to specific Users and Teams.

Only available in Grafana Enterprise.

Enable data source permissions

By default, data sources in an organization can be queried by any user in that organization. For example, a user with the Viewer role can issue any possible query to a data source, not just queries that exist on dashboards they have access to.

When permissions are enabled for a data source in an organization, you restrict admin and query access for that data source to admin users in that organization.

Enable permissions for a data source:

Navigate to Configuration > Data Sources.
Select the data source you want to enable permissions for.
On the Permissions tab, click Enable.

Caution: Enabling permissions for the default data source makes users not listed in the permissions unable to invoke queries. Panels using default data source will return Access denied to data source error for those users.

Allow users and teams to query a data source

After you have enabled permissions for a data source you can assign query permissions to users and teams which will allow access to query the data source.

Assign query permission to users and teams:

Navigate to Configuration > Data Sources.
Select the data source you want to assign query permissions for.
On the Permissions tab, click Add Permission.
Select Team or User.
Select the entity you want to allow query access and then click Save.

Disable data source permissions

If you have enabled permissions for a data source and want to return data source permissions to the default, then you can disable permissions with a click of a button.

Note that all existing permissions created for the data source will be deleted.

Disable permissions for a data source:

Navigate to Configuration > Data Sources.
Select the data source you want to disable permissions for.
On the Permissions tab, click Disable Permissions.

Settings updates at runtime

Fri, 03 Apr 2026 20:44:05 +0000

Settings updates at runtime

Note: Available in Grafana Enterprise v8.0+.

Settings updates at runtime allows you to update Grafana settings with no need to restart the Grafana server.

Updates that happen at runtime are stored in the database and override settings from the other sources (arguments, environment variables, settings file, etc). Therefore, every time a specific setting key is removed at runtime, the value used for that key is the inherited one from the other sources in the reverse order of precedence (arguments > environment variables > settings file), being the application default the value used when no one provided through one of these, at least.

Currently, it only supports updates on the auth.saml section.

Update settings via the API

You can update settings through the Admin API.

When you submit a settings update via API, Grafana verifies if the given settings updates are allowed and valid. If they are, then Grafana stores the settings in the database and reloads Grafana services with no need to restart the instance.

So, the payload of a PUT request to the update settings endpoint (/api/admin/settings) should contain (either one or both):

An updates map with a key, and a value per section you want to set.
A removals list with keys per section you want to unset.

For example, if you provide the following updates:

{
  "updates": {
    "auth.saml": {
      "enabled": "true",
      "single_logout": "false"
    }
  }
}

it would enable SAML and disable single logouts. And, if you provide the following removals:

{
  "auth.saml": ["allow_idp_initiated"]
}

it would remove the key/value setting identified by allow_idp_initiated within the auth.saml. So, the SAML service would be reloaded and that value would be inherited for either (settings .ini file, environment variable, command line arguments or any other accepted mechanism to provide configuration).

Therefore, the complete HTTP payload would looks like:

{
  "updates": {
    "auth.saml": {
      "enabled": "true",
      "single_logout": "false"
    }
  },
  "removals": {
    "auth.saml": ["allow_idp_initiated"]
  }
}

In case any of these settings cannot be overridden nor valid, it would return an error and these settings won’t be persisted into the database.

Background job (high availability set-ups)

Grafana Enterprise has a built-in scheduled background job that looks into the database every minute for settings updates. If there are updates, it reloads the Grafana services affected by the detected changes.

The background job synchronizes settings between instances in high availability set-ups. So, after you perform some changes through the HTTP API, then the other instances are synchronized through the database and the background job.

Control access with fine-grained access control

If you have Fine-grained access Control enabled, you can control who can read or update settings. Refer to the Admin API for more information.

Enhanced LDAP Integration

Fri, 03 Apr 2026 20:44:05 +0000

Enhanced LDAP integration

The enhanced LDAP integration adds additional functionality on top of the LDAP integration available in the open source edition of Grafana.

Enhanced LDAP integration is only available in Grafana Cloud Advanced and in Grafana Enterprise.

Refer to Fine-grained access control in Grafana Enterprise to understand how you can control access with fine-grained permissions.

LDAP group synchronization for teams

With enhanced LDAP integration, you can set up synchronization between LDAP groups and teams. This enables LDAP users that are members of certain LDAP groups to automatically be added or removed as members to certain teams in Grafana.

Grafana keeps track of all synchronized users in teams, and you can see which users have been synchronized from LDAP in the team members list, see LDAP label in screenshot. This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership changes. This mechanism also allows you to manually add a user as member of a team, and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.

Learn more about team sync.

Active LDAP synchronization

In the open source version of Grafana, user data from LDAP is synchronized only during the login process when authenticating using LDAP.

With active LDAP synchronization, available in Grafana Enterprise v6.3+, you can configure Grafana to actively sync users with LDAP servers in the background. Only users that have logged into Grafana at least once are synchronized.

Users with updated role and team membership will need to refresh the page to get access to the new features.

Removed users are automatically logged out and their account disabled. These accounts are displayed in the Server Admin > Users page with a disabled label. Disabled users keep their custom permissions on dashboards, folders, and data sources, so if you add them back in your LDAP database, they have access to the application with the same custom permissions as before.

[auth.ldap]
...

# You can use the Cron syntax or several predefined schedulers -
# @yearly (or @annually) | Run once a year, midnight, Jan. 1st        | 0 0 0 1 1 *
# @monthly               | Run once a month, midnight, first of month | 0 0 0 1 * *
# @weekly                | Run once a week, midnight between Sat/Sun  | 0 0 0 * * 0
# @daily (or @midnight)  | Run once a day, midnight                   | 0 0 0 * * *
# @hourly                | Run once an hour, beginning of hour        | 0 0 * * * *
sync_cron = "0 0 1 * * *" # This is default value (At 1 am every day)
# This cron expression format uses 6 space-separated fields (including seconds), for example
# sync_cron = "* */10 * * * *"
# This will run the LDAP Synchronization every 10th minute, which is also the minimal interval between the Grafana sync times i.e. you cannot set it for every 9th minute

# You can also disable active LDAP synchronization
active_sync_enabled = true # enabled by default

Single bind configuration (as in the Single bind example) is not supported with active LDAP synchronization because Grafana needs user information to perform LDAP searches.

Enterprise configuration

Fri, 03 Apr 2026 20:44:05 +0000

Grafana Enterprise configuration

This page describes Grafana Enterprise-specific configuration options that you can specify in a .ini configuration file or using environment variables. Refer to Configuration for more information about available configuration options.

[enterprise]

license_path

Local filesystem path to Grafana Enterprise’s license file. Defaults to <paths.data>/license.jwt.

license_text

Note: Available in Grafana Enterprise v7.4+.

When set to the text representation (i.e. content of the license file) of the license, Grafana will evaluate and apply the given license to the instance.

auto_refresh_license

Note: Available in Grafana Enterprise v7.4+.

When enabled, Grafana will send the license and usage statistics to the license issuer. If the license has been updated on the issuer’s side to be valid for a different number of users or a new duration, your Grafana instance will be updated with the new terms automatically. Defaults to true.

[white_labeling]

app_title

Set to your company name to override application title.

login_logo

Set to complete URL to override login logo.

login_background

Set to complete CSS background expression to override login background. Example:

[white_labeling]
login_background = url(http://www.bhmpics.com/wallpapers/starfield-1920x1080.jpg)

menu_logo

Set to complete URL to override menu logo.

fav_icon

Set to complete URL to override fav icon (icon shown in browser tab).

apple_touch_icon

Set to complete URL to override Apple/iOS icon.

footer_links

List the link IDs to use here. Grafana will look for matching link configurations, the link IDs should be space-separated and contain no whitespace.

[usage_insights.export]

By exporting usage logs, you can directly query them and create dashboards of the information that matters to you most, such as dashboard errors, most active organizations, or your top-10 most-used queries.

enabled

Enable the usage insights export feature.

storage

Specify a storage type. Defaults to loki.

[usage_insights.export.storage.loki]

type

Set the communication protocol to use with Loki, which is either grpc or http. Defaults to grpc.

url

Set the address for writing logs to Loki (format must be host:port).

tls

Decide whether or not to enable the TLS (Transport Layer Security) protocol when establishing the connection to Loki. Defaults to true.

[analytics.summaries]

buffer_write_interval

Interval for writing dashboard usage stats buffer to database.

buffer_write_timeout

Timeout for writing dashboard usage stats buffer to database.

rollup_interval

Interval for trying to roll up per dashboard usage summary. Only rolled up at most once per day.

rollup_timeout

Timeout for trying to rollup per dashboard usage summary.

[analytics.views]

recent_users_age

Age for recent active users.

[reporting]

rendering_timeout

Timeout for each panel rendering request.

concurrent_render_limit

Maximum number of concurrent calls to the rendering service.

image_scale_factor

Scale factor for rendering images. Value 2 is enough for monitor resolutions, 4 would be better for printed material. Setting a higher value affects performance and memory.

max_attachment_size_mb

Set the maximum file size in megabytes for the CSV attachments.

fonts_path

Path to the directory containing font files.

font_regular

Name of the TrueType font file with regular style.

font_bold

Name of the TrueType font file with bold style.

font_italic

Name of the TrueType font file with italic style.

[auditing]

Auditing allows you to track important changes to your Grafana instance. By default, audit logs are logged to file but the auditing feature also supports sending logs directly to Loki.

enabled

Enable the auditing feature. Defaults to false.

loggers

List of enabled loggers.

log_dashboard_content

Keep dashboard content in the logs (request or response fields). This can significantly increase the size of your logs.

[auditing.logs.file]

path

Path to logs folder.

max_files

Maximum log files to keep.

max_file_size_mb

Max size in megabytes per log file.

[auditing.logs.loki]

url

Set the URL for writing logs to Loki.

tls

If true, it establishes a secure connection to Loki. Defaults to true.

[auth.saml]

enabled

If true, the feature is enabled. Defaults to false.

certificate

Base64-encoded public X.509 certificate. Used to sign requests to the IdP.

certificate_path

Path to the public X.509 certificate. Used to sign requests to the IdP.

private_key

Base64-encoded private key. Used to decrypt assertions from the IdP.

private_key_path

Path to the private key. Used to decrypt assertions from the IdP.

idp_metadata

Base64-encoded IdP SAML metadata XML. Used to verify and obtain binding locations from the IdP.

idp_metadata_path

Path to the SAML metadata XML. Used to verify and obtain binding locations from the IdP.

idp_metadata_url

URL to fetch SAML IdP metadata. Used to verify and obtain binding locations from the IdP.

max_issue_delay

Time since the IdP issued a response and the SP is allowed to process it. Defaults to 90 seconds.

metadata_valid_duration

How long the SPs metadata is valid. Defaults to 48 hours.

assertion_attribute_name

Friendly name or name of the attribute within the SAML assertion to use as the user name.

assertion_attribute_login

Friendly name or name of the attribute within the SAML assertion to use as the user login handle.

assertion_attribute_email

Friendly name or name of the attribute within the SAML assertion to use as the user email.

assertion_attribute_groups

Friendly name or name of the attribute within the SAML assertion to use as the user groups.

assertion_attribute_role

Friendly name or name of the attribute within the SAML assertion to use as the user roles.

assertion_attribute_org

Friendly name or name of the attribute within the SAML assertion to use as the user organization.

allowed_organizations

List of comma- or space-separated organizations. Each user must be a member of at least one organization to log in.

org_mapping

List of comma- or space-separated Organization:OrgId mappings.

role_values_editor

List of comma- or space-separated roles that will be mapped to the Editor role.

role_values_admin

List of comma- or space-separated roles that will be mapped to the Admin role.

role_values_grafana_admin

List of comma- or space-separated roles that will be mapped to the Grafana Admin (Super Admin) role.

[keystore.vault]

url

Location of the Vault server.

namespace

Vault namespace if using Vault with multi-tenancy.

auth_method

Method for authenticating towards Vault. Vault is inactive if this option is not set. Current possible values: token.

token

Secret token to connect to Vault when auth_method is token.

lease_renewal_interval

Time between checking if there are any secrets which needs to be renewed.

lease_renewal_expires_within

Time until expiration for tokens which are renewed. Should have a value higher than lease_renewal_interval.

lease_renewal_increment

New duration for renewed tokens. Vault may be configured to ignore this value and impose a stricter limit.

[security.egress]

Note: Available in Grafana Enterprise v7.4 and later versions.

Security egress makes it possible to control outgoing traffic from the Grafana server.

host_deny_list

A list of hostnames or IP addresses separated by spaces for which requests are blocked.

host_allow_list

A list of hostnames or IP addresses separated by spaces for which requests are allowed. All other requests are blocked.

header_drop_list

A list of headers that are stripped from the outgoing data source and alerting requests.

cookie_drop_list

A list of cookies that are stripped from the outgoing data source and alerting requests.

[caching]

Note: Available in Grafana Enterprise v7.5 and later versions.

When query caching is enabled, Grafana can temporarily store the results of data source queries and serve cached responses to similar requests.

backend

The caching backend to use when storing cached queries. Options: memory, redis, and memcached.

The default is memory.

enabled

Setting ’enabled’ to true allows users to configure query caching for data sources.

This value is true by default.

Note: This setting enables the caching feature, but it does not turn on query caching for any data source. To turn on query caching for a data source, update the setting on the data source configuration page. For more information, refer to the query caching docs.

ttl

Time to live (TTL) is the time that a query result is stored in the caching system before it is deleted or refreshed. This setting defines the time to live for query caching, when TTL is not configured in data source settings. The default value is 1m (1 minute).

max_ttl

The max duration that a query result is stored in the caching system before it is deleted or refreshed. This value will override ttl config option or data source setting if the ttl value is greater than max_ttl. To disable this constraint, set this value to 0s.

The default is 0s (disabled).

Note: Disabling this constraint is not recommended in production environments.

max_value_mb

This value limits the size of a single cache value. If a cache value (or query result) exceeds this size, then it is not cached. To disable this limit, set this value to 0.

The default is 1.

connection_timeout

This setting defines the duration to wait for a connection to the caching backend.

The default is 5s.

read_timeout

This setting defines the duration to wait for the caching backend to return a cached result. To disable this timeout, set this value to 0s.

The default is 0s (disabled).

Note: Disabling this timeout is not recommended in production environments.

write_timeout

This setting defines the number of seconds to wait for the caching backend to store a result. To disable this timeout, set this value to 0s.

The default is 0s (disabled).

Note: Disabling this timeout is not recommended in production environments.

[caching.encryption]

enabled

When ’enabled’ is true, query values in the cache are encrypted.

The default is false.

encryption_key

A string used to generate a key for encrypting the cache. For the encrypted cache data to persist between Grafana restarts, you must specify this key. If it is empty when encryption is enabled, then the key is automatically generated on startup, and the cache clears upon restarts.

The default is "".

[caching.memory]

gc_interval

When storing cache data in-memory, this setting defines how often a background process cleans up stale data from the in-memory cache. More frequent “garbage collection” can keep memory usage from climbing but will increase CPU usage.

The default is 1m.

max_size_mb

The maximum size of the in-memory cache in megabytes. Once this size is reached, new cache items are rejected. For more flexible control over cache eviction policies and size, use the Redis or Memcached backend.

To disable the maximum, set this value to 0.

The default is 25.

Note: Disabling the maximum is not recommended in production environments.

[caching.redis]

url

The full Redis URL of your Redis server. Example: redis://localhost:6739/0.

The default is "redis://localhost:6379".

cluster

A comma-separated list of Redis cluster members in host:port format. For example, localhost:7000, localhost: 7001, localhost:7002.

Note: If you have specify cluster, the value for url is ignored.

prefix

A string that prefixes all Redis keys. This value must be set if using a shared database in Redis. If prefix is empty, then one will not be used.

The default is "grafana".

[caching.memcached]

memcached_servers

A space-separated list of memcached servers. Example: memcached-server-1:11211 memcached-server-2:11212 memcached-server-3:11211. Or if there’s only one server: memcached-server:11211.

The default is "localhost:11211".

Reporting

Fri, 03 Apr 2026 20:44:05 +0000

Reporting

Reporting allows you to automatically generate PDFs from any of your dashboards and have Grafana email them to interested parties on a schedule. This is available in Grafana Cloud Pro and Advanced and in Grafana Enterprise.

If you have Fine-grained access Control enabled, for some actions you would need to have relevant permissions. Refer to specific guides to understand what permissions are required.

Any changes you make to a dashboard used in a report are reflected the next time the report is sent. For example, if you change the time range in the dashboard, then the time range in the report changes as well.

Requirements

SMTP must be configured for reports to be sent. Refer to SMTP in Configuration for more information.
The Image Renderer plugin must be installed or the remote rendering service must be set up. Refer to Image rendering for more information.

Access control

When Fine-grained access control is enabled, you need to have the relevant Permissions to create and manage reports.

Create or update a report

Only organization admins can create reports by default. You can customize who can create reports with fine-grained access control.

Click on the reports icon in the side menu. The Reports tab allows you to view, create, and update your reports.
Enter report information. All fields are required unless otherwise indicated.
- Report name - Name of the report as you want it to appear in the Reports list. It’s also used as the email subject.
- Recipients - Enter the emails of the people or teams that you want to receive the report, separated by commas or semicolons.
- Reply to - (optional) The address that will appear in the Reply to field of the email.
- Message - (optional) Message body in the email with the report.
- Include a dashboard link - Include a link to the dashboard from within the report email.
- Source dashboard - Select the dashboard to generate the report from.
- Time range - (optional) Use custom time range for the report. For more information check Report time range.
Select an orientation for the report: Portrait or Landscape.
Select a layout for the generated report: Simple or Grid. The simple layout renders each panel as full-width across the PDF. The grid layout renders the PDF with the same panel arrangement and width as the source dashboard.
Add a CSV file of table panel data: check this box to attach a CSV file to the report email for each table panel on the dashboard.
Preview PDF View a rendered PDF with the options you have selected.
Enter scheduling information. Options vary depending on the frequency you select.
Save the report.
Send test email to verify that the whole configuration is working as expected. You can choose to send this email to the recipients configured for the report, or to a different set of email addresses only used for testing.

Choose template variables

Note: Available in Grafana Enterprise version 7.5+ (behind reportVariables feature flag) and Grafana Enterprise version 8+ without a feature flag.

You can configure report-specific template variables for the dashboard on the report page. The variables that you select will override the variables from the dashboard, and they are used when rendering a PDF file of the report. For detailed information about using template variables, refer to the Templates and variables section.

Note: The query variables saved with a report might go out of date if the results of that query change. For example, if your template variable queries for a list of hostnames and a new hostname is added, then it will not be included in the report. If that happens, the selected variables will need to be manually updated in the report. If you select the All value for the template variable or if you keep the dashboard’s original variable selection, then the report will stay up-to-date as new values are added.

Render a report with panels or rows set to repeat by a variable

Note: Available in Grafana Enterprise v8+.

You can include dynamic dashboards with panels or rows, set to repeat by a variable, into reports. For detailed information about setting up repeating panels or rows in dashboards, refer to the Repeat panels or rows section.

Caveats:

Rendering repeating panels for dynamic variable types (e.g. query variables) with selected All value is currently not supported. As a workaround, it is possible to individually select all the values instead.
If you select different template variables in a report for a dashboard with repeating rows, you might see empty space or missing values at the bottom of the report. This is because the dimensions of the panels from the dashboard are used to generate the report. To avoid this issue, use the dashboard’s original template variables for the report, or make a copy of the dashboard, select the new set of template variables, and generate a report based on the copied dashboard.
Rendering of the repeating panels inside collapsed rows in reports is not supported.

Report time range

Setting custom report time range is available in Grafana Enterprise v7.2+.

By default, reports use the saved time range of the dashboard. Changing the time range of the report can be done by:

Saving a modified time range to the dashboard.
Setting a time range via Time range field in the report form. If specified, then this custom time range overrides the one from the report’s dashboard.

The page header of the report displays the time range for the dashboard’s data queries. Dashboards set to use the browser’s time zone will use the time zone on the Grafana server.

If the time zone is set differently between your Grafana server and its remote image renderer, then the time ranges in the report might be different between the page header and the time axes in the panels. To avoid this, set the time zone to UTC for dashboards when using a remote renderer. Each dashboard’s time zone setting is visible in the time range controls.

Layout and orientation

We’re actively working on developing new report layout options. Contact us if you would like to get involved in the design process.

Layout	Orientation	Support	Description
Simple	Portrait	v6.4+	Generates an A4 page in portrait mode with three panels per page.
Simple	Landscape	v6.7+	Generates an A4 page in landscape mode with a single panel per page.
Grid	Portrait	v7.2+	Generates an A4 page in portrait mode with panels arranged in the same way as at the original dashboard.
Grid	Landscape	v7.2+	Generates an A4 page in landscape mode with panels arranged in the same way as at the original dashboard.

CSV export

Note: Only available in Grafana Enterprise v8.0+, with the Grafana image renderer plugin v3.0+.

You can attach a CSV file to the report email for each table panel on the selected dashboard, along with the PDF report. By default, CSVs larger than 10Mb won’t be sent to avoid email servers to reject the email. You can increase or decrease this limit in the reporting configuration.

This feature relies on the same plugin that supports the image rendering features.

When the CSV file is generated, it is temporarily written to the csv folder in the Grafana data folder.

A background job runs every 10 minutes and removes temporary CSV files. You can configure how long a CSV file should be stored before being removed by configuring the temp-data-lifetime setting. This setting also affects how long a renderer PNG file should be stored.

Scheduling

Note: Scheduler has been significantly changed in Grafana Enterprise v8.1.

Scheduled reports can be sent once or repeatedly on an hourly, daily, weekly, or monthly basis, or at custom intervals. You can also disable scheduling by selecting Never: for example, if you want to send the report via the API.

Send now or schedule for later

Send now sends the report immediately after you save it. To stop sending the report at some point in the future, add an end date. If you leave the end date empty, the report is sent out indefinitely.
Send later schedules a report for a later date. Thus, the start date and time are required fields. If you leave the end date empty, the report is sent out indefinitely.

Send only from Monday to Friday

For reports that have an hourly or daily frequency, you can choose to send them only from Monday to Friday.

Send on the last day of the month

When you schedule a report with a monthly frequency, and set the start date between the 29th and the 31st of the month, the report is only sent during the months that have those dates. If you want the report to be sent every month, select the Send on the last day of the month option instead. This way, the report is sent on the last day of every month regardless of how many days there are in any given month.

Send test email

Only available in Grafana Enterprise v7.0+.

In the report, click Send test email.
In the Email field, enter the email address or addresses that you want to test, separated by semicolon. If you want to use email addresses from the report, then select the Use emails from report check box.
Click Send.

The last saved version of the report will be sent to selected emails. You can use this to verify emails are working and to make sure the report is generated and displayed as you expect.

Pause report

Note: Available in Grafana Enterprise v8+.

You can pause sending of reports from the report list view by clicking the pause icon. The report will not be sent according to its schedule until it is resumed by clicking the resume button on the report row.

Send report via the API

You can send reports programmatically with the send report endpoint in the HTTP APIs.

Rendering configuration

When generating reports, each panel renders separately before being collected in a PDF. The per panel rendering timeout and number of concurrently rendered panels can be configured.

To make a panel more legible, you can set a scale factor for the rendered images. However, a higher scale factor increases the file size of the generated PDF.

You can also specify custom fonts that support different Unicode scripts. The DejaVu font is the default used for PDF rendering.

These options are available in the configuration file.

[reporting]
# Set timeout for each panel rendering request
rendering_timeout = 10s
# Set maximum number of concurrent calls to the rendering service
concurrent_render_limit = 4
# Set the scale factor for rendering images. 2 is enough for monitor resolutions
# 4 would be better for printed material. Setting a higher value affects performance and memory
image_scale_factor = 2
# Set the maximum file size in megabytes for the CSV attachments
max_attachment_size_mb = 10
# Path to the directory containing font files
fonts_path =
# Name of the TrueType font file with regular style
font_regular = DejaVuSansCondensed.ttf
# Name of the TrueType font file with bold style
font_bold = DejaVuSansCondensed-Bold.ttf
# Name of the TrueType font file with italic style
font_italic = DejaVuSansCondensed-Oblique.ttf

Reports settings

Note: Available in Grafana Enterprise v7.2+.

You can configure organization-wide report settings in the Settings tab on the Reporting page. Settings are applied to all the reports for current organization.

You can customize the branding options.

Report branding: Company logo URL - Company logo displayed in the report PDF. Defaults to the Grafana logo.

Email branding:

Company logo URL - Company logo displayed in the report PDF. Defaults to the Grafana logo.
Email footer - Toggle to enable report email footer. Select Sent by or None.
Footer link text - Text for the link in the report email footer. Defaults to “Grafana”.
Footer link URL - Link for the report email footer.

Troubleshoot reporting

To troubleshoot and get more log information, enable debug logging in the configuration file. Refer to Configuration for more information.

[log]
filters = report:debug

SAML Authentication

Fri, 03 Apr 2026 20:44:05 +0000

SAML authentication

SAML authentication integration allows your Grafana users to log in by using an external SAML 2.0 Identity Provider (IdP). To enable this, Grafana becomes a Service Provider (SP) in the authentication flow, interacting with the IdP to exchange user information.

The SAML single sign-on (SSO) standard is varied and flexible. Our implementation contains a subset of features needed to provide a smooth authentication experience into Grafana.

Only available in Grafana Enterprise v6.3+. If you encounter any problems with our implementation, please don’t hesitate to contact us.

Supported SAML

Grafana supports the following SAML 2.0 bindings:

From the Service Provider (SP) to the Identity Provider (IdP):
- HTTP-POST binding
- HTTP-Redirect binding
From the Identity Provider (IdP) to the Service Provider (SP):
- HTTP-POST binding

In terms of security:

Grafana supports signed and encrypted assertions.
Grafana does not support signed or encrypted requests.

In terms of initiation:

Grafana supports SP-initiated requests.
Grafana does not support IdP-initiated request.

Set up SAML authentication

The table below describes all SAML configuration options. Continue reading below for details on specific options. Like any other Grafana configuration, you can apply these options as environment variables.

Setting	Required	Description	Default
`enabled`	No	Whether SAML authentication is allowed	`false`
`single_logout`	No	Whether SAML Single Logout enabled	`false`
`allow_idp_initiated`	No	Whether SAML IdP-initiated login is allowed	`false`
`certificate` or `certificate_path`	Yes	Base64-encoded string or Path for the SP X.509 certificate
`private_key` or `private_key_path`	Yes	Base64-encoded string or Path for the SP private key
`signature_algorithm`	No	Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
`idp_metadata`, `idp_metadata_path`, or `idp_metadata_url`	Yes	Base64-encoded string, Path or URL for the IdP SAML metadata XML
`max_issue_delay`	No	Duration, since the IdP issued a response and the SP is allowed to process it	`90s`
`metadata_valid_duration`	No	Duration, for how long the SP metadata is valid	`48h`
`relay_state`	No	Relay state for IdP-initiated login. Should match relay state configured in IdP
`assertion_attribute_name`	No	Friendly name or name of the attribute within the SAML assertion to use as the user name	`displayName`
`assertion_attribute_login`	No	Friendly name or name of the attribute within the SAML assertion to use as the user login handle	`mail`
`assertion_attribute_email`	No	Friendly name or name of the attribute within the SAML assertion to use as the user email	`mail`
`assertion_attribute_groups`	No	Friendly name or name of the attribute within the SAML assertion to use as the user groups
`assertion_attribute_role`	No	Friendly name or name of the attribute within the SAML assertion to use as the user roles
`assertion_attribute_org`	No	Friendly name or name of the attribute within the SAML assertion to use as the user organization
`allowed_organizations`	No	List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
`org_mapping`	No	List of comma- or space-separated Organization:OrgId mappings
`role_values_editor`	No	List of comma- or space-separated roles which will be mapped into the Editor role
`role_values_admin`	No	List of comma- or space-separated roles which will be mapped into the Admin role
`role_values_grafana_admin`	No	List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role

Enable SAML authentication

To use the SAML integration, in the auth.saml section of in the Grafana custom configuration file, set enabled to true.

Refer to Configuration for more information about configuring Grafana.

Certificate and private key

The SAML SSO standard uses asymmetric encryption to exchange information between the SP (Grafana) and the IdP. To perform such encryption, you need a public part and a private part. In this case, the X.509 certificate provides the public part, while the private key provides the private part.

Grafana supports two ways of specifying both the certificate and private_key.

Without a suffix (certificate or private_key), the configuration assumes you’ve supplied the base64-encoded file contents.
With the _path suffix (certificate_path or private_key_path), then Grafana treats the value entered as a file path and attempts to read the file from the file system.

You can only use one form of each configuration option. Using multiple forms, such as both certificate and certificate_path, results in an error.

Signature algorithm

Only available in Grafana v7.3+

The SAML standard recommends using a digital signature for some types of messages, like authentication or logout requests. If the signature_algorithm option is configured, Grafana will put a digital signature into SAML requests. Supported signature types are rsa-sha1, rsa-sha256, rsa-sha512. This option should match your IdP configuration, otherwise, signature validation will fail. Grafana uses key and certificate configured with private_key and certificate options for signing SAML requests.

IdP metadata

You also need to define the public part of the IdP for message verification. The SAML IdP metadata XML defines where and how Grafana exchanges user information.

Grafana supports three ways of specifying the IdP metadata.

Without a suffix idp_metadata, Grafana assumes base64-encoded XML file contents.
With the _path suffix, Grafana assumes a file path and attempts to read the file from the file system.
With the _url suffix, Grafana assumes a URL and attempts to load the metadata from the given location.

Maximum issue delay

Prevents SAML response replay attacks and internal clock skews between the SP (Grafana) and the IdP. You can set a maximum amount of time between the IdP issuing a response and the SP (Grafana) processing it.

The configuration options is specified as a duration, such as max_issue_delay = 90s or max_issue_delay = 1h.

Metadata valid duration

SP metadata is likely to expire at some point, perhaps due to a certificate rotation or change of location binding. Grafana allows you to specify for how long the metadata should be valid. Leveraging the validUntil field, you can tell consumers until when your metadata is going to be valid. The duration is computed by adding the duration to the current time.

The configuration option is specified as a duration, such as metadata_valid_duration = 48h.

Identity provider (IdP) registration

For the SAML integration to work correctly, you need to make the IdP aware of the SP.

The integration provides two key endpoints as part of Grafana:

The /saml/metadata endpoint, which contains the SP metadata. You can either download and upload it manually, or you make the IdP request it directly from the endpoint. Some providers name it Identifier or Entity ID.
The /saml/acs endpoint, which is intended to receive the ACS (Assertion Customer Service) callback. Some providers name it SSO URL or Reply URL.

IdP-initiated Single Sign-On (SSO)

Only available in Grafana v7.3+

By default, Grafana allows only service provider (SP) initiated logins (when the user logs in with SAML via Grafana’s login page). If you want users to log in into Grafana directly from your identity provider (IdP), set the allow_idp_initiated configuration option to true and configure relay_state with the same value specified in the IdP configuration.

IdP-initiated SSO has some security risks, so make sure you understand the risks before enabling this feature. When using IdP-initiated SSO, Grafana receives unsolicited SAML requests and can’t verify that login flow was started by the user. This makes it hard to detect whether SAML message has been stolen or replaced. Because of this, IdP-initiated SSO is vulnerable to login cross-site request forgery (CSRF) and man in the middle (MITM) attacks. We do not recommend using IdP-initiated SSO and keeping it disabled whenever possible.

Single logout

Only available in Grafana v7.3+

SAML’s single logout feature allows users to log out from all applications associated with the current IdP session established via SAML SSO. If the single_logout option is set to true and a user logs out, Grafana requests IdP to end the user session which in turn triggers logout from all other applications the user is logged into using the same IdP session (applications should support single logout). Conversely, if another application connected to the same IdP logs out using single logout, Grafana receives a logout request from IdP and ends the user session.

Assertion mapping

During the SAML SSO authentication flow, Grafana receives the ACS callback. The callback contains all the relevant information of the user under authentication embedded in the SAML response. Grafana parses the response to create (or update) the user within its internal database.

For Grafana to map the user information, it looks at the individual attributes within the assertion. You can think of these attributes as Key/Value pairs (although, they contain more information than that).

Grafana provides configuration options that let you modify which keys to look at for these values. The data we need to create the user in Grafana is Name, Login handle, and email.

Configure team sync

Team sync support for SAML only available in Grafana v7.0+

To use SAML Team sync, set assertion_attribute_groups to the attribute name where you store user groups. Then Grafana will use attribute values extracted from SAML assertion to add user into the groups with the same name configured on the External group sync tab.

Learn more about Team Sync

Configure role sync

Only available in Grafana v7.0+

Role sync allows you to map user roles from an identity provider to Grafana. To enable role sync, configure role attribute and possible values for the Editor, Admin and Grafana Admin roles.

In the configuration file, set assertion_attribute_role option to the attribute name where the role information will be extracted from.
Set the role_values_editor option to the values mapped to the Editor role.
Set the role_values_admin option to the values mapped to the organization Admin role.
Set the role_values_grafana_admin option to the values mapped to the Grafana Admin role.

If a user role doesn’t match any of configured values, then the Viewer role will be assigned.

Refer to Organization roles for more information about roles and permissions in Grafana.

Example configuration:

[auth.saml]
assertion_attribute_role = role
role_values_editor = editor, developer
role_values_admin = admin, operator
role_values_grafana_admin = superadmin

Important: When role sync is configured, any changes of user roles and organization membership made manually in Grafana will be overwritten on next user login. Assign user organizations and roles in the IdP instead.

Configure organization mapping

Only available in Grafana v7.0+

Organization mapping allows you to assign users to particular organization in Grafana depending on attribute value obtained from identity provider.

In configuration file, set assertion_attribute_org to the attribute name you store organization info in.
Set org_mapping option to the comma-separated list of Organization:OrgId pairs to map organization from IdP to Grafana organization specified by id.

For example, use following configuration to assign users from Engineering organization to the Grafana organization with id 2 and users from Sales - to the org with id 3, based on Org assertion attribute value:

[auth.saml]
assertion_attribute_org = Org
org_mapping = Engineering:2, Sales:3

You can specify multiple organizations both for the IdP and Grafana:

org_mapping = Engineering:2, Sales:2 to map users from Engineering and Sales to 2 in Grafana.
org_mapping = Engineering:2, Engineering:3 to assign Engineering to both 2 and 3 in Grafana.

Configure allowed organizations

Only available in Grafana v7.0+

With the allowed_organizations option you can specify a list of organizations where the user must be a member of at least one of them to be able to log in to Grafana.

Example SAML configuration

[auth.saml]
enabled = true
certificate_path = "/path/to/certificate.cert"
private_key_path = "/path/to/private_key.pem"
idp_metadata_path = "/my/metadata.xml"
max_issue_delay = 90s
metadata_valid_duration = 48h
assertion_attribute_name = displayName
assertion_attribute_login = mail
assertion_attribute_email = mail

assertion_attribute_groups = Group
assertion_attribute_role = Role
assertion_attribute_org = Org
role_values_editor = editor, developer
role_values_admin = admin, operator
role_values_grafana_admin = superadmin
org_mapping = Engineering:2, Sales:3
allowed_organizations = Engineering, Sales

Set up SAML with Okta

This guide will follow you through the steps of configuring SAML authentication in Grafana with Okta. You need to be an admin in your Okta organization to access Admin Console and create SAML integration. You also need permissions to edit Grafana config file and restart Grafana server.

Configure the SAML integration in Okta

To configure SAML integration with Okta, create integration inside the Okta organization first.

Log in to the Okta portal.
Go to the Admin Console in your Okta organization by clicking Admin in the upper-right corner. If you are in the Developer Console, then click Developer Console in the upper-left corner and then click Classic UI to switch over to the Admin Console.
In the Admin Console, navigate to Applications > Applications.
Click Add Application.
Click Create New App to start the Application Integration Wizard.
Choose Web as a platform.
Select SAML 2.0 in the Sign on method section.
Click Create.
On the General Settings tab, enter a name for your Grafana integration. You can also upload a logo.

On the Configure SAML tab, enter the SAML information related to your Grafana instance:

In the Single sign on URL field, use the /saml/acs endpoint URL of your Grafana instance, for example, https://grafana.example.com/saml/acs.
In the Audience URI (SP Entity ID) field, use the /saml/metadata endpoint URL, for example, https://grafana.example.com/saml/metadata.
Leave the default values for Name ID format and Application username.

In the ATTRIBUTE STATEMENTS (OPTIONAL) section, enter the SAML attributes to be shared with Grafana, for example:

Attribute name (in Grafana)	Value (in Okta profile)
Login	`user.login`
Email	`user.email`
DisplayName	`user.firstName + " " + user.lastName`

In the GROUP ATTRIBUTE STATEMENTS (OPTIONAL) section, enter a group attribute name (for example, Group) and set filter to Matches regex .* to return all user groups.

Click Next.
On the final Feedback tab, fill out the form and then click Finish.

Edit SAML options in the Grafana config file

Once the application is created, configure Grafana to use it for SAML authentication. Refer to Configuration to get more information about how to configure Grafana.

In the [auth.saml] section in the Grafana configuration file, set enabled to true.
Configure the certificate and private key.
On the Okta application page where you have been redirected after application created, navigate to the Sign On tab and find Identity Provider metadata link in the Settings section.
Set the idp_metadata_url to the URL obtained from the previous step. The URL should look like https://<your-org-id>.okta.com/app/<application-id>/sso/saml/metadata.
Set the following options to the attribute names configured at the step 10 of the SAML integration setup. You can find this attributes on the General tab of the application page (ATTRIBUTE STATEMENTS and GROUP ATTRIBUTE STATEMENTS in the SAML Settings section).
Save the configuration file and and then restart the Grafana server.

When you are finished, the Grafana configuration might look like this example:

[server]
root_url = https://grafana.example.com

[auth.saml]
enabled = true
private_key_path = "/path/to/private_key.pem"
certificate_path = "/path/to/certificate.cert"
idp_metadata_url = "https://my-org.okta.com/app/my-application/sso/saml/metadata"
assertion_attribute_name = DisplayName
assertion_attribute_login = Login
assertion_attribute_email = Email
assertion_attribute_groups = Group

Troubleshoot SAML authentication

To troubleshoot and get more log information, enable SAML debug logging in the configuration file. Refer to Configuration for more information.

[log]
filters = saml.auth:debug

Team sync

Fri, 03 Apr 2026 20:44:05 +0000

Team sync

Team sync lets you set up synchronization between your auth providers teams and teams in Grafana. This enables LDAP, OAuth, or SAML users who are members of certain teams or groups to automatically be added or removed as members of certain teams in Grafana.

Available in Grafana Cloud Pro and Advanced and in Grafana Enterprise.

Grafana keeps track of all synchronized users in teams, and you can see which users have been synchronized in the team members list, see LDAP label in screenshot. This mechanism allows Grafana to remove an existing synchronized user from a team when its group membership changes. This mechanism also enables you to manually add a user as member of a team, and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.

Currently the synchronization only happens when a user logs in, unless LDAP is used with the active background synchronization that was added in Grafana 6.3.

Supported providers

Synchronize a Grafana team with an external group

If you have already grouped some users into a team, then you can synchronize that team with an external group.

In Grafana, navigate to Configuration > Teams.
Select a team.
On the External group sync tab, and click Add group.
Insert the value of the group you want to sync with. This becomes the Grafana GroupID. Examples:
- For LDAP, this is the LDAP distinguished name (DN) of LDAP group you want to synchronize with the team.
- For Auth Proxy, this is the value we receive as part of the custom Groups header.
Click Add group to save.

Auditing

Fri, 03 Apr 2026 20:44:05 +0000

Auditing

Note: Only available in Grafana Enterprise v7.3+.

Auditing allows you to track important changes to your Grafana instance. By default, audit logs are logged to file but the auditing feature also supports sending logs directly to Loki.

Audit logs

Audit logs are JSON objects representing user actions like:

Modifications to resources such as dashboards and data sources.
A user failing to log in.

Format

Audit logs contain the following fields. The fields followed by * are always available, the others depend on the type of action logged.

Field name	Type	Description
`timestamp`*	string	The date and time the request was made, in coordinated universal time (UTC) using the RFC3339 format.
`user`*	object	Information about the user that made the request. Either one of the `UserID` or `ApiKeyID` fields will contain content if `isAnonymous=false`.
`user.userId`	number	ID of the Grafana user that made the request.
`user.orgId`*	number	Current organization of the user that made the request.
`user.orgRole`	string	Current role of the user that made the request.
`user.name`	string	Name of the Grafana user that made the request.
`user.tokenId`	number	ID of the user authentication token.
`user.apiKeyId`	number	ID of the Grafana API key used to make the request.
`user.isAnonymous`*	boolean	If an anonymous user made the request, `true`. Otherwise, `false`.
`action`*	string	The request action. For example, `create`, `update`, or `manage-permissions`.
`request`*	object	Information about the HTTP request.
`request.params`	object	Request’s path parameters.
`request.query`	object	Request’s query parameters.
`request.body`	string	Request’s body.
`result`*	object	Information about the HTTP response.
`result.statusType`	string	If the request action was successful, `success`. Otherwise, `failure`.
`result.statusCode`	number	HTTP status of the request.
`result.failureMessage`	string	HTTP error message.
`result.body`	string	Response body.
`resources`	array	Information about the resources that the request action affected. This field can be null for non-resource actions such as `login` or `logout`.
`resources[x].id`*	number	ID of the resource.
`resources[x].type`*	string	The type of the resource that was logged: `alert`, `alert-notification`, `annotation`, `api-key`, `auth-token`, `dashboard`, `datasource`, `folder`, `org`, `panel`, `playlist`, `report`, `team`, `user`, or `version`.
`requestUri`*	string	Request URI.
`ipAddress`*	string	IP address that the request was made from.
`userAgent`*	string	Agent through which the request was made.
`grafanaVersion`*	string	Current version of Grafana when this log is created.
`additionalData`	object	Additional information that can be provided about the request.

The additionalData field can contain the following information:

Field name	Action	Description
`loginUsername`	`login`	Login used in the Grafana authentication form.
`extUserInfo`	`login`	User information provided by the external system that was used to log in.
`authTokenCount`	`login`	Number of active authentication tokens for the user that logged in.
`terminationReason`	`logout`	The reason why the user logged out, such as a manual logout or a token expiring.

Recorded actions

The audit logs include records about the following categories of actions:

Sessions

Log in.
Log out (manual log out, token expired/revoked, SAML Single Logout).
Revoke a user authentication token.
Create or delete an API key.

User management

Create, update, or delete a user.
Enable or disable a user.
Manage user role and permissions.
LDAP sync or information access.

Team and organization management

Create, update, or delete a team or organization.
Add or remove a member of a team or organization.
Manage organization members roles.
Manage team members permissions.
Invite an external member to an organization.
Revoke a pending invitation to an organization.
Add or remove an external group to sync with a team.

Folder and dashboard management

Create, update, or delete a folder.
Manage folder permissions.
Create, import, update, or delete a dashboard.
Restore an old dashboard version.
Manage dashboard permissions.

Data sources management

Create, update, or delete a data source.
Manage data source permissions.

Alerts and notification channels management

Create, update, or delete a notification channel.
Test an alert or a notification channel.
Pause an alert.

Reporting

Create, update, or delete a report.
Update reporting settings.
Send reporting email.

Annotations, playlists and snapshots management

Create, update, or delete an annotation.
Create, update, or delete a playlist.
Create or delete a snapshot.

Configuration

Note: The auditing feature is disabled by default.

Audit logs can be saved into files, sent to a Loki instance or sent to the Grafana default logger. By default, only the file exporter is enabled. You can choose which exporter to use in the configuration file.

Options are file, loki, and console. Use spaces to separate multiple modes, such as file loki.

By default, when a user creates or updates a dashboard, its content will not appear in the logs as it can significantly increase the size of your logs. If this is important information for you and you can handle the amount of data generated, then you can enable this option in the configuration.

[auditing]
# Enable the auditing feature
enabled = false
# List of enabled loggers
loggers = file
# Keep dashboard content in the logs (request or response fields); this can significantly increase the size of your logs.
log_dashboard_content = false

Each exporter has its own configuration fields.

File exporter

Audit logs are saved into files. You can configure the folder to use to save these files. Logs are rotated when the file size is exceeded and at the start of a new day.

[auditing.logs.file]
# Path to logs folder
path = data/log
# Maximum log files to keep
max_files = 5
# Max size in megabytes per log file
max_file_size_mb = 256

Loki exporter

Audit logs are sent to a Loki service, through HTTP or gRPC.

The HTTP option for the Loki exporter is only available in Grafana Enterprise v7.4+.

[auditing.logs.loki]
# Set the communication protocol to use with Loki (can be grpc or http)
type = grpc
# Set the address for writing logs to Loki (format must be host:port)
url = localhost:9095
# Defaults to true. If true, it establishes a secure connection to Loki
tls = true

If you have multiple Grafana instances sending logs to the same Loki service or if you are using Loki for non-audit logs, audit logs come with additional labels to help identifying them:

host - OS hostname on which the Grafana instance is running.
grafana_instance - Application URL.
kind - auditing

Console exporter

Audit logs are sent to the Grafana default logger. The audit logs use the auditing.console logger and are logged on debug-level, learn how to enable debug logging in the log configuration section of the documentation. Accessing the audit logs in this way is not recommended for production use.

Vault

Fri, 03 Apr 2026 20:44:05 +0000

Vault integration

Only available in Grafana Enterprise v7.1+.

If you manage your secrets with Hashicorp Vault, you can use them for Configuration and Provisioning.

Note: If you have Grafana set up for high availability, then we advise not to use dynamic secrets for provisioning files. Each Grafana instance is responsible for renewing its own leases. Your data source leases might expire when one of your Grafana servers shuts down.

Configuration

Before using Vault, you need to activate it by providing a URL, authentication method (currently only token), and a token for your Vault service. Grafana automatically renews the service token if it is renewable and set up with a limited lifetime.

If you’re using short-lived leases, then you can also configure how often Grafana should renew the lease and for how long. We recommend keeping the defaults unless you run into problems.

[keystore.vault]
# Location of the Vault server
;url =
# Vault namespace if using Vault with multi-tenancy
;namespace =
# Method for authenticating towards Vault. Vault is inactive if this option is not set
# Possible values: token
;auth_method =
# Secret token to connect to Vault when auth_method is token
;token =
# Time between checking if there are any secrets which needs to be renewed.
;lease_renewal_interval = 5m
# Time until expiration for tokens which are renewed. Should have a value higher than lease_renewal_interval
;lease_renewal_expires_within = 15m
# New duration for renewed tokens. Vault may be configured to ignore this value and impose a stricter limit.
;lease_renewal_increment = 1h

Example for vault server -dev:

[keystore.vault]
url = http://127.0.0.1:8200 # HTTP should only be used for local testing
auth_method = token
token = s.sAZLyI0r7sFLMPq6MWtoOhAN # replace with your key

Using the Vault expander

After you configure Vault, you must set the configuration or provisioning files you wish to use Vault. Vault configuration is an extension of configuration’s variable expansion and follows the $__vault{<argument>} syntax.

The argument to Vault consists of three parts separated by a colon:

The first part specifies which secrets engine should be used.
The second part specifies which secret should be accessed.
The third part specifies which field of that secret should be used.

For example, if you place a Key/Value secret for the Grafana admin user in secret/grafana/admin_defaults the syntax for accessing it’s password field would be $__vault{kv:secret/grafana/admin_defaults:password}.

Secrets engines

Vault supports many secrets engines which represents different methods for storing or generating secrets when requested by an authorized user. Grafana supports a subset of these which are most likely to be relevant for a Grafana installation.

Key/Value

Grafana supports Vault’s K/V version 2 storage engine which is used to store and retrieve arbitrary secrets as kv.

$__vault{kv:secret/grafana/smtp:username}

Databases

The Vault databases secrets engines is a family of secret engines which shares a similar syntax and grants the user dynamic access to a database. You can use this both for setting up Grafana’s own database access and for provisioning data sources.

$__vault{database:database/creds/grafana:username}

Examples

The following examples show you how to set your configuration or provisioning files to use Vault to retrieve configuration values.

Configuration

The following is a partial example for using Vault to set up a Grafana configuration file’s email and database credentials. Refer to Configuration for more information.

[smtp]
enabled = true
host = $__vault{kv:secret/grafana/smtp:hostname}:587
user = $__vault{kv:secret/grafana/smtp:username}
password = $__vault{kv:secret/grafana/smtp:password}

[database]
type = mysql
host = mysqlhost:3306
name = grafana
user = $__vault{database:database/creds/grafana:username}
password = $__vault{database:database/creds/grafana:password}

Provisioning

The following is a full examples of a provisioning YAML file setting up a MySQL data source using Vault’s database secrets engine. Refer to Provisioning for more information.

provisioning/custom.yaml

apiVersion: 1

datasources:
  - name: statistics
    type: mysql
    url: localhost:3306
    database: stats
    user: $__vault{database:database/creds/ro/stats:username}
    secureJsonData:
      password: $__vault{database:database/creds/ro/stats:password}

White labeling

Fri, 03 Apr 2026 20:44:05 +0000

White labeling

White labeling allows you to replace the Grafana brand and logo with your own corporate brand and logo.

Only available in Grafana Enterprise v6.6+.

Grafana Enterprise has white labeling options in the grafana.ini file. As with all configuration options, you can also set them with environment variables.

You can change the following elements:

Application title
Login background
Login logo
Side menu top logo
Footer and help menu links
Fav icon (shown in browser tab)
Login title (will not appear if a login logo is set, Grafana v7.0+)
Login subtitle (will not appear if a login logo is set, Grafana v7.0+)
Login box background (Grafana v7.0+)
Loading logo

You will have to host your logo and other images used by the white labeling feature separately. Make sure Grafana can access the URL where the assets are stored.

The configuration file in Grafana Enterprise contains the following options. Each option is defined in the file. For more information about configuring Grafana, refer to Configuration.

# Enterprise only
[white_labeling]
# Set to your company name to override application title
;app_title =

# Set to main title on the login page (Will not appear if a login logo is set)
;login_title =

# Set to login subtitle (Will not appear if a login logo is set)
;login_subtitle =

# Set to complete URL to override login logo
;login_logo =

# Set to complete CSS background expression to override login background
# example: login_background = url(http://www.bhmpics.com/wallpapers/starfield-1920x1080.jpg)
;login_background =

# Set to complete CSS background expression to override login box background
;login_box_background =

# Set to complete URL to override menu logo
;menu_logo =

# Set to complete URL to override fav icon (icon shown in browser tab)
;fav_icon =

# Set to complete URL to override apple/ios icon
;apple_touch_icon =

# Set to complete URL to override loading logo
;loading_logo =

You can replace the default footer links (Documentation, Support, Community) and even add your own custom links. An example follows for replacing the default footer and help links with new custom links.

footer_links = support guides extracustom
footer_links_support_text = Support
footer_links_support_url = http://your.support.site
footer_links_guides_text = Guides
footer_links_guides_url = http://your.guides.site
footer_links_extracustom_text = Custom text
footer_links_extracustom_url = http://your.custom.site

Here is the same example using environment variables instead of the custom.ini or grafana.ini file.

GF_WHITE_LABELING_FOOTER_LINKS=support guides extracustom
GF_WHITE_LABELING_FOOTER_LINKS_SUPPORT_TEXT=Support
GF_WHITE_LABELING_FOOTER_LINKS_SUPPORT_URL=http://your.support.site
GF_WHITE_LABELING_FOOTER_LINKS_GUIDES_TEXT=Guides
GF_WHITE_LABELING_FOOTER_LINKS_GUIDES_URL=http://your.guides.site
GF_WHITE_LABELING_FOOTER_LINKS_EXTRACUSTOM_TEXT=Custom Text
GF_WHITE_LABELING_FOOTER_LINKS_EXTRACUSTOM_URL=http://your.custom.site

Note: The following two links are always present in the footer:

Grafana edition
Grafana version with build number

If you specify footer_links or GF_WHITE_LABELING_FOOTER_LINKS, then all other default links are removed from the footer and only what is specified is included.

Export dashboard as PDF

Fri, 03 Apr 2026 20:44:05 +0000

Export dashboard as PDF

You can generate PDFs from any of your dashboards and save it to file.

Only available in Grafana Enterprise v6.7+.

In the upper right corner of the dashboard that you want to export as PDF, click the Share dashboard icon.
On the PDF tab, select the layout option for exported dashboard: Portrait or Landscape.
Click Save as PDF to render dashboard as a PDF document. Grafana opens the PDF in a new window or browser tab.