EDB Postgres® AI Hybrid Manager (HM) can emit structured audit logs for authenticated API requests passing through the ingress gateway. When enabled, every API call that requires authentication produces a JSON log entry providing a detailed record of who accessed what, when, and from where. This functionality is useful for compliance reporting, security incident investigation, and access auditing.
API audit logging is available from HM 2026.4.
What gets audited
HM emits an audit log entry for a request when both these conditions are met:
- The request requires authentication. Anonymous or exempt endpoints are not audited.
- The request targets an API path, such as REST APIs (
/api/…), Iceberg catalog APIs, launchpad application APIs, or gRPC service endpoints.
These request types aren't audited:
- Static resources (for example, JavaScript, CSS, images)
- Exempt paths, including
/api/uiand/api-docs
Disabling API audit logging
API audit logging is enabled by default. To disable it, set the enable_api_audit setting for the upm-istio-gateway component to "false" during installation.
Note
The accepted values are the strings "true" and "false" only. Boolean types are not permitted.
Use the instructions for your installation type.
Operator installation
Edit your HybridControlPlane custom resource to add or update the enable_api_audit setting under spec.componentsParameters.upm-istio-gateway:
apiVersion: edbpgai.edb.com/v1alpha1 kind: HybridControlPlane metadata: name: edbpgai spec: componentsParameters: upm-istio-gateway: enable_api_audit: "false"
Apply the updated custom resource:
kubectl apply -f hybridmanager.yamlBootstrap installation
Edit your values.yaml by updating the parameters.upm-istio-gateway section to set enable_api_audit to "false":
parameters: upm-istio-gateway: enable_api_audit: "false"
Run the helm upgrade command to apply the changes:
helm upgrade \ -n edbpgai-bootstrap \ --install \ -f values.yaml \ edbpgai-bootstrap enterprisedb-edbpgai/edbpgai-bootstrap
Warning
Always provide the complete set of input variables you used to install the Helm chart. If you don't specify a custom input in a subsequent helm upgrade command, its value reverts to the default.
Re-enabling API audit logging
To re-enable API audit logging after disabling it, set enable_api_audit to "true" and reapply using the same steps for your installation type.
Querying audit logs
Audit log entries are written to the ingress gateway's standard log output. You can query them using your cluster's log aggregation tool by filtering for the EDB-HM-AUDIT key.
Viewing audit logs in Grafana
Grafana is included in HM's observability stack and queries logs aggregated by Loki. You can access it as a service from the Launchpad in the HM console.
Note
To access Launchpad and Grafana, you must have the Platform Admin role. See User role permissions for details.
To view audit logs in Grafana:
From your user menu in the HM console, select Launchpad.
Select Grafana.
In Grafana, select Explore from the left side pane.
Select the Loki data source.
Run a LogQL query to filter audit entries. For example:
{namespace="istio-system", container="istio-proxy"} |= "EDB-HM-AUDIT" | json
Using kubectl
If you don't have a log aggregation tool available, use this command to stream logs directly from the ingress gateway pod for quick inspection:
kubectl logs -n istio-system -l istio=ingressgateway -c istio-proxy | grep EDB-HM-AUDIT
Log format
Each audit log entry is a JSON object nested under the EDB-HM-AUDIT key. You can use this key to filter audit entries in your log aggregation system, for example, with Loki.
Example log entry:
{ "EDB-HM-AUDIT": { "method": "GET", "uri": "/api/v1/projects?page=1", "user_id": "usr_abc123", "user_name": "alice", "key_id": "ak_def456", "session_id": "aksid_a3f8c2e1b9d04f67", "request_id": "a1b2c3d4-e5f6-7890", "user_agent": "curl/7.68.0", "ip": "10.0.0.1", "status_code": 200 } }
Log fields
Each audit log entry contains these fields. Fields with empty or unavailable values are omitted to reduce noise.
| Field | Description |
|---|---|
method | HTTP method (GET, POST, PUT, DELETE, etcetera). |
uri | Original request URI, including any query string. |
user_id | Authenticated user ID. Empty if authentication failed (for example, 401 response). |
user_name | Authenticated user display name. |
key_id | Access key ID. Present only for access-key-based authentication. Omitted for browser or OIDC sessions. |
session_id | Session identifier. For access key requests, this field is a deterministic hash derived from the key and client context, enabling correlation across requests from the same automated client. For browser sessions, this field is the OIDC session ID. |
request_id | Unique request trace ID (x-request-id). Useful for correlating audit entries with upstream service logs. |
user_agent | Client User-Agent header value. |
ip | Client IP address, extracted from the x-forwarded-for header. |
status_code | HTTP response status code (for example, 200, 401, 403, 500). |
grpc_status | gRPC status code. Present only for gRPC requests. The HTTP transport always returns 200. The actual outcome is reflected here (for example, 16 = Unauthenticated). |