title: "Extending Feast Observability: Offline Store Metrics and SOX Audit Logging"

description: "Feast now captures RED metrics for offline store retrievals and emits structured SOX audit logs for both online and offline feature access — closing the observability gap between serving and training paths."

date: 2026-06-09

authors: ["Jitendra Yejare"]

<div class="hero-image">

<img src="/images/blog/feast-metrics-hero.png" alt="Feast Offline Store Metrics and SOX Audit Logging — Prometheus metrics for offline retrievals and structured audit logs for compliance" loading="lazy">

</div>

In [our previous post](/blog/feast-feature-server-monitoring), we introduced built-in Prometheus metrics for the Feast feature server — covering the full online serving lifecycle from HTTP request handling through online store reads, on-demand feature transformations, materialization pipelines, and feature freshness tracking.

That covered the **online** path. But production ML systems don't just serve features in real time — they also build training datasets through offline store retrievals. And for teams operating in regulated environments (financial services, healthcare, government), observability isn't enough. You need an **auditable record** of who accessed what data, when, and how much.

This post covers two new capabilities added to Feast:

1. **Offline Store RED Metrics** — Prometheus counters and histograms for offline store retrieval operations (request rate, error rate, latency, row counts)

2. **SOX Audit Logging** — Structured JSON audit log entries for both online and offline feature retrieval paths, routed to a dedicated `feast.audit` logger

Together, these close the observability gap between online and offline operations and give compliance teams the structured audit trail they need.

The online feature server already had comprehensive metrics, but the offline store — where `get_historical_features` queries execute against your data warehouse to build training datasets — had zero instrumentation. This matters because training-serving skew, stalled pipelines, and data volume anomalies all originate in the offline path.

Without offline store metrics, teams faced three blind spots:

- **Silent training failures** — An offline retrieval that returns incomplete data (or errors out) produces a corrupted training dataset. Models trained on bad data degrade in production, and without metrics, there's no signal until prediction quality drops.

- **Invisible pipeline stalls** — A `get_historical_features` call that normally takes 30 seconds but suddenly takes 10 minutes looks like a "hang" from the orchestrator's perspective. No latency metrics means no alerting until the pipeline times out.

- **Data volume anomalies** — If a typical training query returns 500K rows but suddenly returns 50K, something changed upstream. Without row count tracking, this silently propagates into model training.

Feast now automatically captures RED metrics (Rate, Errors, Duration) for every offline store retrieval — regardless of the backend. Whether you're running against BigQuery, Redshift, Snowflake, DuckDB, or local files, you get the same three Prometheus metrics out of the box:

- **`feast_offline_store_request_total`** — Counts every retrieval, labeled by success/error. Set an alert and know immediately when training pipelines start failing.

- **`feast_offline_store_request_latency_seconds`** — Latency histogram with buckets tuned for offline workloads (`0.1s` to `10min`). Set SLOs and catch slow queries before pipelines time out.

- **`feast_offline_store_row_count`** — Row count histogram covering `100` to `5M` rows. Detect data volume anomalies before they reach model training.

Metrics collection never interferes with your queries — if the metrics path fails for any reason, your offline retrieval completes normally.

For organizations subject to SOX (Sarbanes-Oxley), GDPR, HIPAA, or other regulatory frameworks, you need to answer questions like:

- *Who accessed customer features at 3:47 PM on March 15th?*

- *Which feature views were involved in the training dataset built yesterday?*

- *How many rows of PII-adjacent data were retrieved by the batch scoring pipeline?*

Before this change, answering these questions required parsing unstructured application logs and correlating timestamps across services. Feature stores sit at the intersection of data access and ML model behavior — yet most have no structured audit trail.

Feast now emits **structured JSON audit entries** for both online and offline retrieval paths, routed to a dedicated `feast.audit` logger that can be independently sent to your SIEM, log aggregator, or compliance sink — without touching your operational log pipeline.

What makes this production-ready:

- **PII-minimized by design.** Entity key *names* are logged, not *values*. A compliance auditor sees "the ML pipeline accessed `user_id` features from `transaction_features` at 3:47 PM" without the log itself containing PII.

- **Dedicated logger.** Audit entries go to `feast.audit`, separate from the application logger. Route them to a SOX-compliant sink (Splunk, ELK with retention policies, S3 with WORM locks) independently.

- **Never breaks your serving path.** Audit logging is best-effort — a broken audit sink never affects feature serving latency or availability.

- **Zero overhead when disabled.** `audit_logging` defaults to `false`. Enable it only when you need it.

| Metric | Type | Labels | What It Answers |

|--------|------|--------|-----------------|

| `feast_offline_store_request_total` | Counter | `method`, `status` | What is my offline retrieval throughput and error rate? |

| `feast_offline_store_request_latency_seconds` | Histogram | `method` | How long are my training data queries taking? |

| `feast_offline_store_row_count` | Histogram | `method` | How much data are my offline retrievals returning? |

The `method` label captures the retrieval type (`to_arrow`), and `status` is `success` or `error`. The latency histogram uses wide buckets tuned for offline workloads: `0.1s, 0.5s, 1s, 5s, 10s, 30s, 60s, 2min, 5min, 10min` — because offline queries can range from sub-second (small entity sets against local files) to minutes (large point-in-time joins against BigQuery or Redshift).

The row count histogram uses exponential buckets: `100, 1K, 10K, 100K, 500K, 1M, 5M` — covering the range from small test retrievals to production training datasets.

**Online feature request audit entry:**

{

"event": "online_feature_request",

"timestamp": "2026-06-07T14:42:29.739Z",

"requestor_id": "service-account:ml-pipeline",

"entity_keys": ["driver_id"],

"entity_count": 5,

"feature_views": ["driver_hourly_stats"],

"feature_count": 3,

"status": "success",

"latency_ms": 12.45

}

**Offline feature retrieval audit entry:**

{

"event": "offline_feature_retrieval",

"timestamp": "2026-06-07T14:42:29.739Z",

"method": "to_arrow",

"start_time": "2026-06-07T14:42:29.697Z",

"end_time": "2026-06-07T14:42:29.739Z",

"feature_views": ["driver_hourly_stats"],

"feature_count": 3,

"row_count": 150000,

"status": "success",

"duration_ms": 42.39

}

Each entry is a single JSON line, making it trivial to parse with `jq`, ingest into Elasticsearch, or stream to a Kafka topic for compliance processing.

**Note on accessor identity:** Online audit entries include `requestor_id`, extracted from the Feast authentication layer (SecurityManager). Offline retrievals run as direct SDK calls in the user's own process (a notebook, Airflow task, or training script) — there is no server in the middle to extract auth context. In production SOX environments, offline accessor identity is typically established at the infrastructure level: the Kubernetes service account running the job, the IAM role accessing the data warehouse, or the CI/CD pipeline identity. A future enhancement could optionally capture identity from `os.getenv("USER")` or an explicit SDK parameter.

Add `offline_features` and `audit_logging` to your `feature_store.yaml`:

feature_server:

metrics:

enabled: true

resource: true

request: true

online_features: true

push: true

materialization: true

freshness: true

offline_features: true # NEW: Offline store RED metrics

audit_logging: true # NEW: SOX audit log entries

The `feast.audit` logger is a standard Python logger. Configure it like any other:

Or route to a JSON-aware sink in production:

We've extended the existing Feast Grafana dashboard with a dedicated **Offline Store** section containing six new panels:

<img src="/images/blog/offline_store_operational_metrics.png" alt="Grafana dashboard showing dedicated offline store containing six new panels" loading="lazy">

For SOX compliance, a separate **Audit Trail** dashboard powered by Loki visualizes:

<div class="content-image">

<img src="/images/blog/sox_compliance_and_access.png" alt="Grafana dashboard showing SOX compliance and access containing five new panels" loading="lazy">

</div>

<div class="content-image">

<img src="/images/blog/sox_offline_store_audit_logs.png" alt="Grafana dashboard showing audit logs for offline store" loading="lazy">

</div>

We've extended the [feast-prometheus-metrics](https://github.com/ntkathole/feast-automated-setups/tree/main/feast-prometheus-metrics) automated demo to include offline store metrics and SOX audit logging. The extended traffic generator exercises both online and offline paths:

After traffic generation, check the audit log:

Verify offline store metrics are being emitted:

1. **Update `feature_store.yaml`** — Add `offline_features: true` and `audit_logging: true` to the metrics block

---