Logging, Tracing, and Audit

Snowflake Management, Governance & Collaboration

Emily Melhuish

Technical Curriculum Developer, Snowflake

The Audit Problem

  • Who accessed credit scores in the last 90 days?
  • Which stored procedures ran in the early hours of a specific morning?
  • Did any logins come from outside the corporate network?
  • The record must exist before the question is asked

audit_icon.png

Snowflake Management, Governance & Collaboration

What are Event Tables?

  • Captures log and trace data emitted by Snowflake objects - from stored procedures, Snowpark functions, UDFs
  • Created like a regular table, then set as active with ALTER_ACCOUNT
  • Log and trace messages written automatically from that point
  • Query with standard SQL — no external logging tools required

event_table_simple.png

Snowflake Management, Governance & Collaboration

Log Levels

 

Level Description
TRACE Every function entry and exit — most granular
DEBUG Diagnostic detail
INFO Normal execution milestones — recommended for production
WARN Unexpected conditions that did not stop execution
ERROR Failures
FATAL Critical failures that halted execution
Snowflake Management, Governance & Collaboration

Tracing

  • Captures execution path through a multi-step process
  • Shows how steps connect, not just individual messages
  • Records duration and order of each step
  • Trace data writes to the same event table as log data

tracing_v2.png

Snowflake Management, Governance & Collaboration

Using LOGIN_HISTORY for Auditing

SELECT user_name,
       event_timestamp,
       client_ip,
       authentication_method,
       error_code,
       error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND client_ip NOT LIKE '203.0.113.%'
ORDER BY event_timestamp DESC;
Snowflake Management, Governance & Collaboration

QUERY_HISTORY for Audit

SELECT user_name,
       role_name,
       warehouse_name,
       query_text,
       start_time,
       end_time
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE start_time >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND query_text ILIKE '%credit_scores%'
ORDER BY start_time DESC;
Snowflake Management, Governance & Collaboration

The Complete Audit Trail

 

Source What it captures Audit question answered
Event table Logs and traces from stored procedures, Snowpark functions What did the platform do?
LOGIN_HISTORY Every login attempt: user, IP, method, errors Who connected, from where, did anything fail?
QUERY_HISTORY Every SQL statement: user, role, warehouse, query text What data was touched, and by whom?
Snowflake Management, Governance & Collaboration

Let's practice!

Snowflake Management, Governance & Collaboration

Preparing Video For Download...