Selecting SQL statements to audit v17
The edb_audit_statement
permits inclusion of one or more comma-separated values to control the SQL statements to audit. The following is the general format:
The comma-separated values can include or omit space characters following the comma. You can specify the values in any combination of lowercase or uppercase letters.
Overview of the parameters
The basic parameter values are the following:
all
— Audit and log every statement including any error messages on statements.none
— Disable all auditing and logging. A value ofnone
overrides any other value included in the list.ddl
— Audit all data definition language (DDL) statements (CREATE
,ALTER
, andDROP
) as well asGRANT
andREVOKE
data control language (DCL) statements.dml
— Audit all data manipulation language (DML) statements (INSERT
,UPDATE
,DELETE
, andTRUNCATE
).select
— AuditSELECT
statements.set
— AuditSET
statements.rollback
— AuditROLLBACK
statements.error
— Log all error messages that occur. Otherwise, no messages about errors that occur on SQL statements related to any of the other preceding parameter values are logged except whenall
is used.{ select | update | delete | insert }@groupname
— Selectively audit objects for specific DML statements (SELECT
,UPDATE
,DELETE
, andINSERT
) including(@)
and excluding(-)
groups on a given table. For more information, see Object auditing.
DDL and DCL statements describes additional parameter values for selecting particular DDL or DCL statements for auditing. DML statements describes additional parameter values for selecting particular DML statements for auditing.
If an unsupported value is included in the edb_audit_statement
parameter, then an error occurs when applying the setting to the database server. See the database server log file for the error such as in the following example in which create materialized vw
results in the error. The correct value is create materialized view
.
DDL and DCL statements
When auditing DDL and DCL statements, the following general rules apply to the values that can be included in the edb_audit_statement
parameter:
- If the
edb_audit_statement
parameter includesddl
orall
, then all DDL statements are audited. In addition, the DCL statementsGRANT
andREVOKE
are audited. - If the
edb_audit_statement
is set tonone
, then no DDL nor DCL statements are audited. - You can choose specific types of DDL and DCL statements for auditing by including a combination of values in the
edb_audit_statement
parameter.
Use the following syntax to specify an edb_audit_statement
parameter value for DDL statements:
object_type
is any of the following:
ACCESS METHOD
AGGREGATE
CAST
COLLATION
CONVERSION
DATABASE
EVENT TRIGGER
EXTENSION
FOREIGN TABLE
FUNCTION
INDEX
LANGUAGE
LARGE OBJECT
MATERIALIZED VIEW
OPERATOR
OPERATOR CLASS
OPERATOR FAMILY
POLICY
PUBLICATION
ROLE
RULE
SCHEMA
SEQUENCE
SERVER
SUBSCRIPTION
TABLE
TABLESPACE
TEXT SEARCH CONFIGURATION
TEXT SEARCH DICTIONARY
TEXT SEARCH PARSER
TEXT SEARCH TEMPLATE
TRANSFORM
TRIGGER
TYPE
USER MAPPING
VIEW
Descriptions of object types as used in SQL commands can be found in the PostgreSQL core documentation.
If object_type
is omitted from the parameter value, then all of the specified command statements (create
, alter
, or drop
) are audited.
Use the following syntax to specify an edb_audit_statement
parameter value for DCL statements:
Examples
In this example, edb_audit_connect
and edb_audit_statement
are set with the following non-default values:
Thus, only SQL statements invoked by the CREATE
and ALTER
commands are audited. Error messages are also included in the audit log.
The following is the database session that occurs:
The resulting audit log file contains the following. (Each audit log entry was split and displays across multiple lines. A blank line was inserted between the audit log entries for visual clarity.)
The CREATE
and ALTER
statements for the adminuser
role and auditdb
database are audited. Because error
is included in the edb_audit_statement
parameter, the error for the ALTER ROLE adminuser
statement is also logged.
Similarly, the CREATE
statements for schema edb
and tables department
and dept
are audited.
There's no edb_audit_statement
setting that results in auditing successfully processed DROP
statements such as ddl
, all
, or drop
. Thus the DROP TABLE department
statement isn't in the audit log.
In this example, edb_audit_connect
and edb_audit_statement
are set with the following non-default values:
Thus, only SQL statements invoked by the CREATE VIEW
, CREATE MATERIALIZED VIEW
, CREATE SEQUENCE
and GRANT
commands are audited.
The following is the database session that occurs:
The resulting audit log file contains the following. (Each audit log entry was split and displays across multiple lines. A blank line was inserted between the audit log entries for visual clarity.)
The CREATE VIEW
and CREATE MATERIALIZED VIEW
statements are audited. The prior CREATE TABLE emp
statement isn't audited because none of the values create
, create table
, ddl
, nor all
are included in the edb_audit_statement
parameter.
The CREATE SEQUENCE
and GRANT
statements are audited because those values are included in the edb_audit_statement
parameter.
In this example, edb_audit_connect
and edb_audit_statement
are set with the following non-default values:
The session for users who connect as ADMIN
or SYSDBA
can be fully audited. An admin user is connected to a database auditdb
as ADMINUSER
. The following ALTER USER
command specifies to audit ADMINUSER
.
Setting the edb_audit_statement
parameter to all
allows auditing of all of the SQL statements for an admin user.
The following is the database session that occurs:
The resulting audit log file contains the following. (Each audit log entry was split and displays across multiple lines. A blank line was inserted between the audit log entries for visual clarity.)
In this example, edb_audit_connect
and edb_audit_statement
are set with the following non-default values:
The audit session for a user carol
can be fully blocked by the database administrators using the ALTER USER
command:
Note
The database administrator can allow a specific user to audit any SQL statements by specifying the ALTER USER
command and setting the edb_audit_statement
parameter to any value.
The following is the database session that occurs:
The resulting audit log file contains only the connection authentication information. Setting the edb_audit_statement
parameter to none
doesn't allow the auditing of SQL statements for carol
, so no audit logs are generated.
(Each audit log entry was split and displays across multiple lines. A blank line was inserted between the audit log entries for visual clarity.)
DML statements
When auditing DML statements, the following general rules apply to the values that can be included in the edb_audit_statement
parameter:
- If the
edb_audit_statement
parameter includesdml
orall
, then all DML statements are audited. - If the
edb_audit_statement
is set tonone
, then no DML statements are audited. - You can choose specific types of DML statements for auditing by including a combination of values in the
edb_audit_statement
parameter.
Use the following syntax to specify an edb_audit_statement
parameter value for SQL INSERT
, UPDATE
, DELETE
, or TRUNCATE
statements:
Example
In this example, edb_audit_connect
and edb_audit_statement
are set with the following non-default values:
Thus, only SQL statements invoked by the UPDATE
and DELETE
commands are audited. All errors are also included in the audit log, including errors not related to the UPDATE
and DELETE
commands.
The following is the database session that occurs:
The resulting audit log file contains the following. (Each audit log entry was split and displays across multiple lines. A blank line was inserted between the audit log entries for visual clarity.)
The UPDATE dept
and DELETE FROM emp
statements are audited. All of the prior INSERT
statements aren't audited because the values insert
, dml
, or all
aren't included in the edb_audit_statement
parameter.
The SELECT * FROM dept
statement isn't audited because select
and all
aren't included in the edb_audit_statement
parameter.
Because error
is specified in the edb_audit_statement
parameter but not the truncate
value, the error on the TRUNCATE employee
statement is logged in the audit file. But the successful TRUNCATE emp
statement isn't.