📄 Configuration

grafana.ini Configuration on Windows

Complete reference for the most important grafana.ini settings on Windows. Covers file location, port, paths, authentication, SMTP, security hardening and how to apply changes.

File location on Windows

After MSI installation, the configuration file is located at:

C:\Program Files\GrafanaLabs\grafana\conf\grafana.ini

Open it with any text editor running as Administrator. Notepad++ or VS Code are recommended for syntax highlighting.

Tip: Always back up grafana.ini before making changes. A syntax error in the config file will prevent Grafana from starting.

# Open grafana.ini in Notepad++ from PowerShell (as admin)
notepad "C:\Program Files\GrafanaLabs\grafana\conf\grafana.ini"

# Or VS Code
code "C:\Program Files\GrafanaLabs\grafana\conf\grafana.ini"

[server] — Port, host and URL settings

[server]
# HTTP port Grafana listens on (default: 3000)
http_port = 3000

# The public-facing URL — important when behind a reverse proxy
root_url = https://grafana.yourdomain.com/

# If Grafana is served from a sub-path, e.g. /grafana/
# root_url = https://yourdomain.com/grafana/
# serve_from_sub_path = true

# Bind to a specific interface (default: all interfaces)
# http_addr = 127.0.0.1

# Enable HTTP/2
# protocol = h2

[paths] — Data, logs and plugins

[paths]
# Directory for Grafana's SQLite database and other state
data = C:\Program Files\GrafanaLabs\grafana\data

# Log directory
logs = C:\Program Files\GrafanaLabs\grafana\data\log

# Plugin storage
plugins = C:\Program Files\GrafanaLabs\grafana\data\plugins

# Provisioning directory (dashboards, data sources as code)
provisioning = C:\Program Files\GrafanaLabs\grafana\conf\provisioning

Note: The service account must have Full Control on the data and logs directories. If you move these paths, update the ACLs accordingly.

[security] — Hardening settings

[security]
# Default admin credentials — change immediately after first login
admin_user = admin
admin_password = changeme

# Secret key for signing sessions (generate a random string)
secret_key = SW2YcwTIb9zpOOhoPsMm

# Disable user creation from the UI (for managed environments)
disable_gravatar = true

# Allow/deny embedding Grafana in iframes
allow_embedding = false

# Content Security Policy
[security]
content_security_policy = true

[auth] — Authentication settings

[auth]
# Disable anonymous access (recommended for production)
[auth.anonymous]
enabled = false

# Allow users to sign up (disable for managed environments)
[users]
allow_sign_up = false
auto_assign_org = true
auto_assign_org_role = Viewer

# Login form
[auth.basic]
enabled = true

# OAuth — GitHub example
[auth.github]
enabled = false
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
allowed_organizations = your-org

[smtp] — Email alerts and notifications

[smtp]
enabled = true
host = smtp.yourdomain.com:587
user = grafana@yourdomain.com
password = YourEmailPassword
from_address = grafana@yourdomain.com
from_name = Grafana
startTLS_policy = MandatoryStartTLS

# Test SMTP from CLI after saving:
# grafana-cli admin send-test-email --email=you@yourdomain.com

[database] — Switch from SQLite to PostgreSQL/MySQL

For production or high-availability setups, use PostgreSQL or MySQL instead of the default SQLite.

# PostgreSQL
[database]
type = postgres
host = 127.0.0.1:5432
name = grafana
user = grafana
password = SecurePassword
ssl_mode = disable

# MySQL
[database]
type = mysql
host = 127.0.0.1:3306
name = grafana
user = grafana
password = SecurePassword

Apply configuration changes

Grafana reads grafana.ini only on startup. After any change, restart the service:

# Restart Grafana service to apply config changes
Restart-Service -Name "Grafana"

# Check logs for any config errors after restart
Get-Content "C:\Program Files\GrafanaLabs\grafana\data\log\grafana.log" -Tail 20

Environment variables: Any grafana.ini setting can be overridden with an environment variable using the pattern GF_<SECTION>_<KEY>. Example: GF_SERVER_HTTP_PORT=3001 overrides the http_port setting. This is useful for containerised or scripted deployments.