Snowflake Audit Logs & Alerts: How to Monitor, Detect, and Respond to Critical Events

Although Snowflake contains audit logs and alerts as part of its suite of features, that doesn’t necessarily mean it’s easy to monitor. In fact, most of Snowflake’s native tools for controlling costs and performance are usually only helpful after a problem has come to the surface. 

To that end, this short but comprehensive guide will cover the details of Snowflake audit logs, alerts, and integrations with external notification systems. We’ll provide tips on how to configure and monitor these tools, as well as an honest perspective on their limitations in keeping costs down and performance high. 

Key Takeaways

  • Snowflake audit logs provide essential visibility into user activity, data access, and resource consumption.
  • Snowflake alerts enable proactive monitoring by automatically executing SQL conditions and triggering actions (like emails or webhooks) when predetermined thresholds are exceeded.
  • Effective monitoring requires a mix of tools, including real-time visibility and automated warehouse optimization from Keebo.

What Are Snowflake Audit Logs?

Let’s start with Snowflake audit logs. These logs automatically capture detailed records of all account- and user-level activity, and provide the foundation for governance, compliance, and monitoring. 

Users can access these logs through the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas. Both schemas record all kinds of data, including user queries, login attempts, and more. 

Although ACCOUNT_USAGE and ORGANIZATION_USAGE offer a large number of audit views (Snowflake provides a complete list in their official documentation), here are some of the most relevant for cost and performance optimization: 

| View | Description |
| --- | --- |
| WAREHOUSE_METERING_HISTORY | Tracks compute credit usage by warehouse, which is essential for analyzing and optimizing warehouse cost and performance. |
| QUERY_HISTORY | Contains statistics on executed queries, allowing review and optimization of query performance and detection of resource-intensive workloads. |
| CREDIT_USAGE_DAILY / CREDIT_USAGE | Shows daily or total credit consumption at the account level, useful for overall cost monitoring. |
| TABLE_STORAGE_METRICS | Provides metrics on table storage usage and helps identify tables that drive storage costs. |
| STAGE_STORAGE_USAGE_HISTORY | Reports storage usage on external and internal stages for cost attribution. |
| DATABASE_STORAGE_USAGE_HISTORY | Shows storage consumption at the database level to attribute and optimize database-related costs. |
| PIPE_USAGE_HISTORY | Reports credits consumed by Snowpipe and serverless loads, helpful for controlling ingestion-related compute spend. |
| SNOWFLAKE_COST | Tracks total cost for Snowflake resources attributed to objects. |
| LOGIN_HISTORY | Useful for performance monitoring by correlating user activity with cost spikes, though more security-related. |

How to Query and Analyze Snowflake Audit Logs

Querying and analyzing Snowflake audit logs is a core part of maintaining visibility into user activity, data access, and system behavior. Note that only users with the ACCOUNTADMIN role or a delegated custom audit role can access these views, as they contain sensitive metadata.

Here’s an example of a SQL query you could use to access data from a Snowflake audit log: 

SELECT user_name, query_text, start_time, execution_status
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP());

Note the use of the WHERE clause to limit results to rows from the last seven days. You can use WHERE to filter on any column the view exposes. Here’s another example, which returns the objects accessed by a specific user over the last 45 days (replace 'NAME' with the user name):

SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY
WHERE user_name = 'NAME'
  AND query_start_time >= DATEADD(day, -45, CURRENT_TIMESTAMP());

Keep in mind that Snowflake retains audit data for up to 365 days, with a 45-180 minute latency typical between event occurrence and log availability. As such, it’s best suited for forensic analysis and compliance monitoring, not real-time alerting.

On top of that, audit logs can only retrieve data you already know to ask for. So they can be helpful when investigating a problem you already know exists, but they don’t alert you to new problems. Snowflake audit logs are a troubleshooting tool, not a monitoring or observability tool. 
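The filters above answer a question you already have; the following query goes a step further and joins WAREHOUSE_METERING_HISTORY to QUERY_HISTORY so that an expensive hour can be attributed to the users and queries running on that warehouse at the time. It is an added example, not code from the original post; the 7-day window and the "twice the warehouse's average hour" cutoff are assumptions.

```sql
-- Attribute hourly credit spikes to the users and queries that ran on the
-- same warehouse in the same hour. Added example, not from the original post.
WITH hourly_credits AS (
  SELECT warehouse_name,
         start_time AS hour_start,          -- metering rows are hourly buckets
         credits_used,
         AVG(credits_used) OVER (PARTITION BY warehouse_name) AS avg_hour_credits
  FROM SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY
  WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())   -- assumed window
),
hourly_queries AS (
  SELECT warehouse_name,
         DATE_TRUNC('hour', start_time)  AS hour_start,
         user_name,
         COUNT(*)                        AS query_count,
         SUM(total_elapsed_time) / 1000  AS elapsed_seconds,   -- ms -> s
         SUM(bytes_scanned)              AS bytes_scanned
  FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
  WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
    AND warehouse_name IS NOT NULL      -- metadata-only queries use no warehouse
  GROUP BY 1, 2, 3
)
SELECT c.warehouse_name,
       c.hour_start,
       ROUND(c.credits_used, 3)                   AS credits_used,
       q.user_name,
       q.query_count,
       ROUND(q.elapsed_seconds)                   AS elapsed_seconds,
       ROUND(q.bytes_scanned / POWER(1024, 3), 2) AS gb_scanned
FROM hourly_credits c
JOIN hourly_queries q
  ON q.warehouse_name = c.warehouse_name
 AND q.hour_start     = c.hour_start
-- keep only hours that cost more than twice that warehouse's average hour
WHERE c.credits_used > 2 * c.avg_hour_credits
ORDER BY c.credits_used DESC, q.elapsed_seconds DESC;
```

A query that spans several hours is attributed to the hour it started in, so treat the output as a lead for investigation rather than an exact cost allocation.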

How to Set Up Snowflake Alerts

Snowflake alerts, on the other hand, are schema-level objects that automatically evaluate SQL conditions on a defined schedule, and trigger actions when certain criteria are met. While audit logs are great for troubleshooting, Snowflake alerts are designed for proactive monitoring.

Each alert has three components:

  • Condition (what the alert checks)
  • Schedule (how often the alert runs)
  • Action (what the alert does when the condition evaluates to true)

Setting up an alert in Snowflake is fairly straightforward. Simply execute a SQL command similar to the following:

CREATE ALERT high_credit_usage
  WAREHOUSE = my_wh
  SCHEDULE = '1 MINUTE'
  IF (EXISTS(
      SELECT 1
      FROM SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY
      WHERE credits_used > 100
        -- bound the lookback: without it, any past hourly row over 100 credits
        -- would satisfy the condition on every run, forever
        AND start_time >= DATEADD(hour, -4, CURRENT_TIMESTAMP())
  ))
  THEN
    -- the first argument is the name of an existing EMAIL notification
    -- integration; 'my_email_int' is a placeholder
    CALL SYSTEM$SEND_EMAIL(
      'my_email_int',
      'admin@example.com',
      'High Credit Usage',
      'Warehouse exceeded 100 credits.'
    );

-- alerts are created suspended and do nothing until resumed
ALTER ALERT high_credit_usage RESUME;

Some of the most common alert types include: 

  • Monitoring credit consumption spikes to evaluate usage and cost
  • Detecting failed logins and unauthorized access attempts to improve system security
  • Catching pipeline lag issues to surface operational anomalies

Note that each alert execution consumes compute credits. So it’s important to schedule them thoughtfully, as running too many queries could end up causing an increase in costs. 
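The second alert type above, failed-login detection, is a good place to show the full lifecycle: a bounded condition, an action that records what was found, the RESUME step without which no alert ever runs, and the ALERT_HISTORY check for failed executions. This is an added example, not code from the original post; the schema security_db.audit, the 10-minute schedule, the 3-hour lookback and the threshold of 5 failures are assumptions (my_wh is the warehouse name used on this page).

```sql
-- 1. Durable record of every trigger (also used to suppress duplicate firings).
CREATE TABLE IF NOT EXISTS security_db.audit.alert_events (
  detected_at  TIMESTAMP_LTZ,
  user_name    STRING,
  client_ip    STRING,
  failures     NUMBER,
  last_failure TIMESTAMP_LTZ
);
-- 2. The alert. The 3-hour lookback covers ACCOUNT_USAGE latency; NOT EXISTS
--    keeps a burst already recorded from re-firing unless new failures arrive.
CREATE OR REPLACE ALERT failed_login_burst
  WAREHOUSE = my_wh
  SCHEDULE  = '10 MINUTE'
  IF (EXISTS(
      SELECT b.user_name, b.client_ip, b.failures, b.last_failure
      FROM (
        SELECT user_name, client_ip,
               COUNT(*)             AS failures,
               MAX(event_timestamp) AS last_failure
        FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
        WHERE is_success = 'NO'
          AND event_timestamp >= DATEADD(hour, -3, CURRENT_TIMESTAMP())
        GROUP BY user_name, client_ip
        HAVING COUNT(*) >= 5          -- assumed threshold
      ) b
      WHERE NOT EXISTS (
        SELECT 1
        FROM security_db.audit.alert_events e
        WHERE e.user_name = b.user_name
          AND e.client_ip = b.client_ip
          AND e.last_failure >= b.last_failure
      )
  ))
  THEN
    -- reuse the rows the condition found instead of re-running the query
    INSERT INTO security_db.audit.alert_events
      SELECT CURRENT_TIMESTAMP(), user_name, client_ip, failures, last_failure
      FROM TABLE(RESULT_SCAN(SNOWFLAKE.ALERT.GET_CONDITION_QUERY_UUID()));

-- 3. Alerts are created suspended; nothing runs until this.
ALTER ALERT failed_login_burst RESUME;

-- 4. Failed runs are not retried automatically, so review them periodically.
SELECT name, scheduled_time, state, sql_error_message
FROM TABLE(INFORMATION_SCHEMA.ALERT_HISTORY(
       SCHEDULED_TIME_RANGE_START => DATEADD(hour, -24, CURRENT_TIMESTAMP()),
       ALERT_NAME => 'FAILED_LOGIN_BURST'))
WHERE state ILIKE '%FAILED%'
ORDER BY scheduled_time DESC;
```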

How to Integrate Snowflake Alerts with External Notification Tools

One of the advantages of Snowflake’s monitoring tools is the ability to integrate alerts with external notification systems. This enables teams to centralize their monitoring efforts and increase the speed of insights, all of which enables faster identification and resolution of cost or performance issues. 

Snowflake’s integration options include the following:

  • AWS SNS (Simple Notification Service). SNS helps broadcast alerts to multiple subscribers or downstream automation tools.
  • Azure Event Grid. This option works best for event-driven workflows and integrations with Azure-based monitoring tools.
  • Webhook endpoints. Users can send alert messages directly to platforms like Slack, Microsoft Teams, and virtually any tool that supports webhooks. 
  • Email via Snowflake notification channels. This helps maintain simple, direct communication with admins and stakeholders. 

For example, let’s say you want to monitor credit usage and send a webhook message to a Slack channel when a certain threshold has been reached. You could write a SQL command similar to the following: 

CREATE ALERT cost_alert
  WAREHOUSE = my_wh
  SCHEDULE = '5 MINUTE'
  IF (EXISTS(
      SELECT 1
      FROM SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY
      WHERE credits_used > 500
        AND start_time >= DATEADD(hour, -4, CURRENT_TIMESTAMP())  -- bounded lookback
  ))
  THEN
    -- 'slack_webhook' is an existing WEBHOOK notification integration whose
    -- WEBHOOK_BODY_TEMPLATE wraps the message as Slack's {"text": ...} payload
    CALL SYSTEM$SEND_SNOWFLAKE_NOTIFICATION(
      SNOWFLAKE.NOTIFICATION.TEXT_PLAIN('High credit usage detected'),
      SNOWFLAKE.NOTIFICATION.INTEGRATION('slack_webhook')
    );

ALTER ALERT cost_alert RESUME;

Best Practices for Audit Logs & Alerts

To get the most out of Snowflake audit logs and alerts (and to keep them from eating into your credits): 

  • Enable ACCESS_HISTORY and change tracking on sensitive tables to monitor access patterns
  • Create dedicated audit roles with read-only privileges restricted to ACCOUNT_USAGE and ORGANIZATION_USAGE views
  • Schedule periodic exports of audit logs to long-term cloud storage (e.g., Amazon S3, Azure Blob)
  • Set clear, meaningful alert thresholds that reflect real operational risk; this will help reduce alert fatigue and prioritize critical events
  • Automate real-time actions based on alerts (e.g. pausing a warehouse when credit usage exceeds a defined threshold)
  • Use ALERT_HISTORY() and ACCOUNT_USAGE.ALERTS to track alert execution performance, identify failed runs, and fine-tune alert logic
  • Assign alerts to lightweight, dedicated warehouses to avoid contention with production workloads
  • Correlate alerts with query, user, and warehouse metadata to build richer investigative context and accelerate root cause analysis
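Two of these practices, the dedicated read-only audit role and the lightweight dedicated warehouse, translate directly into a short setup script. It is an added example, not from the original post; the names audit_reader, audit_wh and ANALYST_JANE are placeholders.

```sql
-- Least-privilege audit access plus a dedicated warehouse for audit queries
-- and alert evaluation. Added example; object names are placeholders.
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS audit_reader;

-- The SNOWFLAKE database roles expose subsets of ACCOUNT_USAGE read-only,
-- which is narrower than granting IMPORTED PRIVILEGES on the whole database.
GRANT DATABASE ROLE SNOWFLAKE.USAGE_VIEWER    TO ROLE audit_reader;  -- cost and usage views
GRANT DATABASE ROLE SNOWFLAKE.SECURITY_VIEWER TO ROLE audit_reader;  -- LOGIN_HISTORY and similar

-- Small, auto-suspending warehouse so audit work never competes with production.
CREATE WAREHOUSE IF NOT EXISTS audit_wh
  WAREHOUSE_SIZE      = 'XSMALL'
  AUTO_SUSPEND        = 60
  AUTO_RESUME         = TRUE
  INITIALLY_SUSPENDED = TRUE;
GRANT USAGE ON WAREHOUSE audit_wh TO ROLE audit_reader;

GRANT ROLE audit_reader TO USER ANALYST_JANE;

-- Verify that the role carries nothing beyond the grants above.
SHOW GRANTS TO ROLE audit_reader;
```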

Limitations & Common Pitfalls

For all the insight that Snowflake notifications and alerts can offer, there are some limitations and pitfalls to keep in mind. Here are a few of the most relevant: 

| Limitation | Description |
| --- | --- |
| Latency | ACCOUNT_USAGE views can lag by 45-180 minutes, so logs and query data are not truly real-time. |
| Coverage gaps | Some activities (e.g. COPY INTO to external stages) aren’t always fully logged, which can leave only partial audit trails. |
| Alert performance | Frequent alert schedules can consume significant compute credits. |
| Error handling | Failed alerts don’t auto-restart and must be manually checked or managed using ALERT_HISTORY(). |
| Retention limits | Audit logs are retained for up to 365 days; long-term record-keeping requires scheduled exports. |
| Operational overhead | Maintaining alert schedules, external integrations, and log exports adds administrative burden and ongoing cost. |

Final Thoughts on Snowflake Audit Logs & Alerts

Snowflake audit logs and alerts can be helpful tools for maintaining visibility into costs and performance. They’re especially useful as diagnostic and troubleshooting tools: once you notice a problem, you can use these features to drill down into the root cause. 

However, they are unable to provide real-time visibility into your Snowflake environment and surface problems you may not realize you have. If you’re overspending on a warehouse or seeing numerous sub-optimal queries, Snowflake audit logs and alerts may not flag them. Keebo, however, can.


Keebo’s workload intelligence platform identifies up to 18% savings (on average) for our users. Let’s set up a consultation to see how much you can save.

Author

Rachita Bhatia