Audit logging configuration parameters v14

Use the following configuration parameters to control database auditing. See Summary of configuration parameters to determine if a change to the configuration parameter:

  • Takes effect immediately
  • Requires reloading the configuration
  • Requires restarting the database server

edb_audit

Enables or disables database auditing. The values xml or csv enable database auditing. These values represent the file format in which to capture auditing information. none disables database auditing and is the default.

Note

Set the logging_collector parameter to on to enable the edb_audit parameter.

edb_audit_archiver

Enables or disables database audit archiving.

edb_audit_archiver_timeout

Enforces a timeout in seconds when a database attempts to archive a log file. The valid range is 30 seconds to one day.

edb_audit_archiver_filename_prefix

Specifies the file name of an audit log file that needs to be archived. The file name must align with the edb_audit_filename parameter. The default value for edb_audit_archiver_filename_prefix is audit-. The audit files with edb_audit_archiver_filename_prefix in the edb_audit_directory are eligible for compression and expiration.

edb_audit_archiver_compress_time_limit

Specifies the time in seconds after which audit logs are eligible for compression. The possible values are:

- `0` — Compression starts as soon as the log file isn't a current file. 
- `-1` — Compression of the log file on a timely basis doesn't occur.

edb_audit_archiver_compress_size_limit

Specifies a file size threshold, in megabytes, after which audit logs are eligible for compression. If the parameter is set to -1, compression of the log file on a size basis doesn't occur.

edb_audit_archiver_compress_command

Specifies the command to execute compression of the audit log files. The default value for edb_audit_archiver_compress_command is gzip %p. The gzip provides a standard method of compressing files. The %p in the string is replaced with the path name of the file to archive.

edb_audit_archiver_compress_suffix

Specifies the file name of an already compressed log file. The file name must align with edb_audit_archiver_compress_command. The default file name is .gz.

edb_audit_archiver_expire_time_limit

Specifies the time, in seconds, after which audit logs are eligible to expire. The possible values to set this parameter are:

- `0` — Expiration starts as soon as the log file isn't a current file. 
- `-1` — Expiration of the log file on a timely basis doesn't occur.

edb_audit_archiver_expire_size_limit

Specifies a file size threshold in megabytes, after which audit logs are eligible to expire. If the parameter is set to -1, the expiration of a log file on the size basis doesn't occur.

edb_audit_archiver_expire_command

Specifies the command to execute on an expired audit log file before removal.

edb_audit_archiver_sort_file

Identifies the oldest log file to sort alphabetically or based on mtime. mtime indicates sorting of files based on file modification time. alphabetic indicates sorting of files alphabetically based on the file name.

edb_audit_directory

Specifies the directory where the log files are created. The path of the directory can be relative to the data folder or absolute. The default is the PGDATA/edb_audit directory.

edb_audit_filename

Specifies the file name of the audit file where the auditing information are stored. The default file name is audit-%Y%m%d_%H%M%S. The escape sequences %Y, %m, and so on are replaced by the appropriate current values according to the system date and time.

edb_audit_rotation_day

Specifies the day of the week on which to rotate the audit files. Valid values are sun, mon, tue, wed, thu, fri, sat, every, and none. To disable rotation, set the value to none. To rotate the file every day, set the edb_audit_rotation_day value to every. To rotate the file on a specific day of the week, set the value to the desired day of the week. every is the default value.

edb_audit_rotation_size

Specifies a file size threshold, in megabytes, when file rotation is forced to occur. The default value is 0 MB. If the parameter is commented out or set to 0, rotation of the file on a size basis doesn't occur.

edb_audit_rotation_seconds

Specifies the rotation time in seconds to create a log file. To disable this feature, set this parameter to 0, which is the default.

edb_audit_connect

Enables auditing of database connection attempts by users. To disable auditing of all connection attempts, set edb_audit_connect to none. To audit all connection attempts, set the value to all. To audit all failed connection attempts, set the value to failed, which is the default.

edb_audit_disconnect

Enables auditing of database disconnections by connected users. To enable auditing of disconnections, set the value to all. To disable, set the value to none, which is the default.

edb_audit_statement

Specifies auditing of different categories of SQL statements. You can specify various combinations of the following values: none, dml, insert, update, delete, truncate, select, error, rollback, ddl, create, drop, alter, grant, revoke, set, all, and { select | update | delete | insert }@groupname. The default is ddl and error. See Selecting SQL statements to audit for information about setting this parameter.

edb_audit_tag

Specifies a string value to include in the audit log file for each entry as a tracking tag.

edb_log_every_bulk_value

Bulk processing logs the resulting statements into both the EDB Postgres Advanced Server log file and the EDB Audit log file. However, logging every statement in bulk processing is costly. You can control this with the edb_log_every_bulk_value configuration parameter. When set to true, every statement in bulk processing is logged. During bulk execution, when edb_log_every_bulk_value is set to false, a log message is recorded once per bulk processing along with the number of rows processed. In addition, the duration is emitted once per bulk processing. Default is false.

edb_audit_destination

Specifies whether to record the audit log information in the directory as given by the edb_audit_directory parameter or to the directory and file managed by the syslog process. Set to file to use the directory specified by edb_audit_directory, which is the default setting.

Set to syslog to use the syslog process and its location as configured in the /etc/syslog.conf file. The syslog setting is valid for EDB Postgres Advanced Server running on a Linux host and isn't supported on Windows systems.

!!! Note In recent Linux versions, syslog was replaced with rsyslog, and the configuration file is in /etc/rsyslog.conf.

Note

EDB Postgres Advanced Server allows administrative users associated with administrative privileges to audit statements by any user, group, or role. By auditing specific users, you can minimize the number of audit records generated. For information, see the examples under Selecting SQL statements to audit.