Audit logging configuration parameters v14
Use the following configuration parameters to control database auditing. See Summary of configuration parameters to determine if a change to the configuration parameter:
- Takes effect immediately
- Requires reloading the configuration
- Requires restarting the database server
edb_audit
Enables or disables database auditing. The values xml
or csv
enable database auditing. These values represent the file format in which to capture auditing information. none
disables database auditing and is the default.
Note
Set the logging_collector
parameter to on
to enable the edb_audit
parameter.
edb_audit_archiver
Enables or disables database audit archiving.
edb_audit_archiver_timeout
Enforces a timeout in seconds when a database attempts to archive a log file. The valid range is 30 seconds to one day.
edb_audit_archiver_filename_prefix
Specifies the file name of an audit log file that needs to be archived. The file name must align with the edb_audit_filename
parameter. The default value for edb_audit_archiver_filename_prefix
is audit-
. The audit files with edb_audit_archiver_filename_prefix
in the edb_audit_directory
are eligible for compression and expiration.
edb_audit_archiver_compress_time_limit
Specifies the time in seconds after which audit logs are eligible for compression. The possible values are:
edb_audit_archiver_compress_size_limit
Specifies a file size threshold, in megabytes, after which audit logs are eligible for compression. If the parameter is set to -1
, compression of the log file on a size basis doesn't occur.
edb_audit_archiver_compress_command
Specifies the command to execute compression of the audit log files. The default value for edb_audit_archiver_compress_command
is gzip %p
. The gzip
provides a standard method of compressing files. The %p
in the string is replaced with the path name of the file to archive.
edb_audit_archiver_compress_suffix
Specifies the file name of an already compressed log file. The file name must align with edb_audit_archiver_compress_command
. The default file name is .gz
.
edb_audit_archiver_expire_time_limit
Specifies the time, in seconds, after which audit logs are eligible to expire. The possible values to set this parameter are:
edb_audit_archiver_expire_size_limit
Specifies a file size threshold in megabytes, after which audit logs are eligible to expire. If the parameter is set to -1
, the expiration of a log file on the size basis doesn't occur.
edb_audit_archiver_expire_command
Specifies the command to execute on an expired audit log file before removal.
edb_audit_archiver_sort_file
Identifies the oldest log file to sort alphabetically or based on mtime
. mtime
indicates sorting of files based on file modification time. alphabetic
indicates sorting of files alphabetically based on the file name.
edb_audit_directory
Specifies the directory where the log files are created. The path of the directory can be relative to the data folder or absolute. The default is the PGDATA/edb_audit
directory.
edb_audit_filename
Specifies the file name of the audit file where the auditing information are stored. The default file name is audit-%Y%m%d_%H%M%S
. The escape sequences %Y
, %m
, and so on are replaced by the appropriate current values according to the system date and time.
edb_audit_rotation_day
Specifies the day of the week on which to rotate the audit files. Valid values are sun
, mon
, tue
, wed
, thu
, fri
, sat
, every
, and none
. To disable rotation, set the value to none
. To rotate the file every day, set the edb_audit_rotation_day
value to every
. To rotate the file on a specific day of the week, set the value to the desired day of the week. every
is the default value.
edb_audit_rotation_size
Specifies a file size threshold, in megabytes, when file rotation is forced to occur. The default value is 0 MB. If the parameter is commented out or set to 0, rotation of the file on a size basis doesn't occur.
edb_audit_rotation_seconds
Specifies the rotation time in seconds to create a log file. To disable this feature, set this parameter to 0
, which is the default.
edb_audit_connect
Enables auditing of database connection attempts by users. To disable auditing of all connection attempts, set edb_audit_connect
to none
. To audit all connection attempts, set the value to all
. To audit all failed connection attempts, set the value to failed
, which is the default.
edb_audit_disconnect
Enables auditing of database disconnections by connected users. To enable auditing of disconnections, set the value to all
. To disable, set the value to none
, which is the default.
edb_audit_statement
Specifies auditing of different categories of SQL statements. You can specify various combinations of the following values: none
, dml
, insert
, update
, delete
, truncate
, select
, error
, rollback
, ddl
, create
, drop
, alter
, grant
, revoke
, set
, all
, and { select | update | delete | insert }@groupname
. The default is ddl
and error
. See Selecting SQL statements to audit for information about setting this parameter.
edb_audit_tag
Specifies a string value to include in the audit log file for each entry as a tracking tag.
edb_log_every_bulk_value
Bulk processing logs the resulting statements into both the EDB Postgres Advanced Server log file and the EDB Audit log file. However, logging every statement in bulk processing is costly. You can control this with the edb_log_every_bulk_value
configuration parameter. When set to true
, every statement in bulk processing is logged. During bulk execution, when edb_log_every_bulk_value
is set to false
, a log message is recorded once per bulk processing along with the number of rows processed. In addition, the duration is emitted once per bulk processing. Default is false
.
edb_audit_destination
Specifies whether to record the audit log information in the directory as given by the edb_audit_directory
parameter or to the directory and file managed by the syslog
process. Set to file
to use the directory specified by edb_audit_directory
, which is the default setting.
Set to syslog
to use the syslog process and its location as configured in the /etc/syslog.conf
file. The syslog
setting is valid for EDB Postgres Advanced Server running on a Linux host and isn't supported on Windows systems.
!!! Note
In recent Linux versions, syslog was replaced with rsyslog
, and the configuration file is in /etc/rsyslog.conf
.
Note
EDB Postgres Advanced Server allows administrative users associated with administrative privileges to audit statements by any user, group, or role. By auditing specific users, you can minimize the number of audit records generated. For information, see the examples under Selecting SQL statements to audit.