Audit Trail and Compliance on Apache Superset 2026

Enable Apache Superset audit trail: FAB logs, EventLogger, SIEM integration, GDPR/SOC2 compliance.

9 May 2026 · Tuvalu Tech OÜ

The audit trail is mandatory for any serious production Apache Superset instance. It serves compliance (GDPR, SOC 2, ISO 27001), post-incident investigation, and internal compliance. This guide details the configuration in 2026.

1. What to track?

Authentication: login, logout, failure;
Permission changes: role change, user added;
Dashboard access: who saw what;
SQL Lab queries: who executed which query;
Dataset modifications: who changed what;
Exports: CSV, PDF, PNG.

If you want a preconfigured audit trail, TVL Managed Superset activates centralized audit trail on Pro+ instances.

2. Enable Superset audit log

In superset_config.py:

from superset.stats_logger import DBEventLogger

EVENT_LOGGER = DBEventLogger()
LOG_LEVEL = "INFO"

# Log more details
SUPERSET_LOG_LEVEL = "INFO"
ENABLE_TIME_ROTATE = True
TIME_ROTATE_LOG_LEVEL = "INFO"

With DBEventLogger, all events are stored in the logs table of the Superset metadata DB.

3. Custom logger to SIEM

To stream to a SIEM (Splunk, ELK, Datadog):

from superset.stats_logger import BaseEventLogger
import json
import requests

class SIEMLogger(BaseEventLogger):
    def log(self, user_id, action, dashboard_id=None, slice_id=None, **kwargs):
        event = {
            "timestamp": datetime.utcnow().isoformat(),
            "user_id": user_id,
            "action": action,
            "dashboard_id": dashboard_id,
            "slice_id": slice_id,
            **kwargs,
        }
        requests.post(
            "https://siem.example.com/ingest",
            json=event,
            headers={"X-API-Key": os.environ["SIEM_KEY"]},
        )

EVENT_LOGGER = SIEMLogger()

4. Superset log centralization

Beyond application events, centralize pod logs:

Loki + Promtail on Kubernetes;
ELK / OpenSearch;
Datadog;
OpenObserve.

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

5. GDPR compliance

For GDPR:

Retention: 12 months minimum, to fix in the processing register;
Pseudonymization of PII in logs;
EU storage mandatory;
Right of access: ability to extract a user's logs for DSAR.

6. SOC 2 compliance

Integral and non-alterable audit trail (signature, chaining);
Typical 7-year retention;
Monthly review by compliance;
Off-site backup of logs.

7. Post-incident investigation

In case of a security incident:

Filter logs on the suspect period;
Identify compromised accounts;
Trace executed SQL Lab queries;
List performed exports;
Notify authorities in case of PII leak (72h GDPR).

8. Useful audit metrics

Metric	Potential anomaly
Failed logins > 10/h on a user	Brute force
CSV export > 100 MB	Exfiltration
SQL Lab from a user who never uses it	Compromised account
Login from unusual country	Compromised account
Massive dashboard modification	Attack or error

9. Common pitfalls

Local logs: lost on pod crash;
No rotation: full disk;
Infinite retention: GDPR not respected;
PII in clear in logs: leak risk;
No alerting on suspect events.

10. Conclusion

The audit trail is a mandatory investment for any production Superset instance. With a few hours of configuration (DBEventLogger or SIEM) and a centralized log pipeline, you have the traceability needed for compliance and investigation. For regulated organizations, it's non-negotiable.

Want the benefits of Apache Superset without the friction of installation and maintenance? Deploy your instance in 3 clicks with TVL Managed Superset, hosted in Europe (OVHcloud, Roubaix, France).

For more: GDPR compliance, hardening, centralized logs.