
Monitoring & SIEM

Health checks, Prometheus metrics, and forwarding CH-UI audit events to your SIEM

CH-UI exposes the signals an SRE or security team needs to run it in production: a health endpoint, Prometheus metrics, and audit-event forwarding.

Health

curl http://localhost:3488/health

Returns 200 when the server is up. The Docker image also ships a HEALTHCHECK against this endpoint.

Prometheus metrics

CH-UI serves Prometheus metrics at /metrics (no authentication — scrape it on a trusted network or restrict it at your proxy):

curl http://localhost:3488/metrics

Exposed series include:

| Metric | Type | Description |
| --- | --- | --- |
| ch_ui_build_info | gauge | Version, commit, Go version labels |
| ch_ui_uptime_seconds | gauge | Seconds since start |
| ch_ui_http_requests_total{class} | counter | Requests by status class (2xx–5xx) |
| ch_ui_http_requests_in_flight | gauge | In-flight requests |
| ch_ui_http_request_duration_seconds_sum / _count | counter | Aggregate latency |
| go_goroutines, go_memstats_*, go_gc_runs_total | gauge/counter | Go runtime |

A minimal scrape config:

scrape_configs:
  - job_name: ch-ui
    static_configs:
      - targets: ["ch-ui.internal:3488"]

Audit forwarding (SIEM)

Audit forwarding is a Pro feature. The audit trail itself is always recorded in the database; forwarding to external sinks requires a Pro license.

Every audit event (logins including failures, query execution, DDL, admin and governance changes) is stored in CH-UI's database and can also be forwarded to your tooling. Forwarding is best-effort and asynchronous — it never blocks a request, and the authoritative copy always stays in the database. Enable any combination:

# server.yaml
audit_forward_stdout: true                       # structured stdout logs
audit_log_file: /var/log/ch-ui/audit.jsonl       # append JSON lines (JSONL)
audit_webhook_url: https://siem.example.com/hook # POST each event as JSON

Equivalent environment variables: AUDIT_FORWARD_STDOUT, AUDIT_LOG_FILE, AUDIT_WEBHOOK_URL.

Each forwarded event is JSON:

{
  "action": "user.login",
  "username": "alice@example.com",
  "connection_id": "…",
  "details": "SSO login via OIDC (role: admin, ch_account: ch_sso_reader)",
  "ip_address": "203.0.113.7",
  "timestamp": "2026-06-12T08:20:31Z"
}

  • stdout — pick this up with any log pipeline (Fluent Bit, Vector, Loki, CloudWatch, Datadog agent).
  • file — tail the JSONL file with a log shipper.
  • webhook — POST directly to Splunk HEC, Datadog, Elastic, or a custom collector.
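
A sketch of consuming the JSONL sink on the SIEM side, added here as an example (not CH-UI's own code): it flags user.login events with an admin role from addresses outside an allowlist and records malformed lines instead of stopping. Assumptions: the trusted networks, the "viewer" role and the sample lines are constructed, and the role is read from the free-text details field in the form shown in the sample event above.

```python
import ipaddress
import json
import re

# Assumption: networks admins normally log in from (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
REQUIRED = ("action", "username", "details", "ip_address", "timestamp")
# Assumption: "details" carries "role: <name>" as in the page's sample event.
ROLE_RE = re.compile(r"\brole:\s*([\w-]+)")

def untrusted_admin_logins(lines):
    """Return (alerts, errors) for an iterable of forwarded JSONL audit lines."""
    alerts, errors = [], []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
            missing = [k for k in REQUIRED if k not in ev]
            if missing:
                raise ValueError(f"missing fields {missing}")
            if ev["action"] != "user.login":
                continue
            role = ROLE_RE.search(str(ev["details"]))
            if not role or role.group(1) != "admin":
                continue
            ip = ipaddress.ip_address(ev["ip_address"])
        except (ValueError, TypeError) as exc:
            # Forwarding is best-effort: record bad lines, never stop the stream.
            errors.append(f"line {n}: {exc}")
            continue
        if not any(ip in net for net in TRUSTED_NETS):
            alerts.append((ev["timestamp"], ev["username"], str(ip)))
    return alerts, errors

def make_line(user, role, ip):
    """Build one constructed JSONL line in the shape of the page's sample event."""
    return json.dumps({"action": "user.login", "username": user, "connection_id": "c1",
                       "details": f"SSO login via OIDC (role: {role}, ch_account: ch_sso_reader)",
                       "ip_address": ip, "timestamp": "2026-06-12T08:20:31Z"})

# Constructed sample; the last entry imitates a line read while still being appended.
SAMPLE = [make_line("alice@example.com", "admin", "203.0.113.7"),
          make_line("bob@example.com", "admin", "10.1.2.3"),
          make_line("carol@example.com", "viewer", "203.0.113.9"),
          make_line("dave@example.com", "admin", "203.0.113.7")[:40]]

if __name__ == "__main__":
    print(untrusted_admin_logins(SAMPLE))
```

Because forwarding is best-effort, treat a result like this as a trigger and confirm against the stored trail in the database before acting on it.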

Audit export (one-off)

Admins can export the stored trail directly:

curl "http://localhost:3488/api/governance/audit-logs/export?format=csv" \
  --cookie 'chui_session=<admin session>' -o audit.csv
# format=json is also supported

Logging

CH-UI logs are structured (Go slog). Run behind a reverse proxy if you also want HTTP access logs, or enable audit_forward_stdout for a security-event stream.
