Redacting passwords in audit logs v16
You can use the GUC parameter edb_filter_log.redact_password_commands in the postgresql.conf file to redact stored passwords in the log file.
The syntax is:
To enable password redaction, you must first enable the parameter by modifying the postgresql.conf file. Add the following value to those specified in the shared_preload_libraries parameter:
Then, set edb_filter_log.redact_password_commands to true:
After modifying the postgresql.conf file, you must restart the server for the changes to take effect.
Examples
When the following statement is logged by log_statement, the server redacts the password to x. For example, this command is added to the log file:
It appears as:
When the following statement is logged by log_statement, the server identifies the new password and the REPLACE clause and redacts the password to x. For example, this command is added to the log file:
It appears as:
The statement that includes a password is logged. The server redacts the password text to x. When the statement is logged as context for some other message, the server omits the statement from the context.
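To confirm that redaction is taking effect, you can scan the server log for role statements that still carry a password literal other than x. The following Python check is an added example, not part of the EDB documentation. The log lines are constructed, and the statement forms it matches (PASSWORD, IDENTIFIED BY and REPLACE followed by a quoted literal) are assumptions about what appears in your log.

```python
import re

# Assumed statement shape: CREATE/ALTER USER|ROLE|GROUP on the same log line as
# PASSWORD, IDENTIFIED BY or REPLACE followed by a quoted literal.
# Unquoted (bareword) passwords are not covered by this check.
ROLE_DDL = re.compile(r"\b(?:CREATE|ALTER)\s+(?:USER|ROLE|GROUP)\b", re.I)
SECRET = re.compile(
    r"\b(PASSWORD|IDENTIFIED\s+BY|REPLACE)\s+'((?:[^']|'')*)'", re.I
)

def unredacted(lines):
    """Return (line_number, keyword) for every password literal that is not 'x'.

    The literal itself is never returned, so the report does not repeat the leak.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        if not ROLE_DDL.search(line):
            continue  # not a role statement, ignore quoted strings in it
        for match in SECRET.finditer(line):
            if match.group(2) != "x":
                keyword = " ".join(match.group(1).upper().split())
                hits.append((number, keyword))
    return hits

# Constructed sample log lines (not real server output).
SAMPLE = [
    "2024-01-01 10:00:00 UTC LOG:  statement: CREATE USER carol PASSWORD 'x';",
    "2024-01-01 10:00:05 UTC LOG:  statement: ALTER USER carol PASSWORD 'x' REPLACE 'x';",
    "2024-01-01 10:00:09 UTC LOG:  statement: ALTER ROLE dave PASSWORD 'S3cret!';",
    "2024-01-01 10:00:12 UTC LOG:  statement: ALTER USER erin IDENTIFIED BY 'n3w' REPLACE 'x';",
    "2024-01-01 10:00:15 UTC LOG:  statement: SELECT 'PASSWORD' FROM t;",
]

if __name__ == "__main__":
    for number, keyword in unredacted(SAMPLE):
        print(f"line {number}: unredacted literal after {keyword}")
```

Any hit means a statement reached the log before redaction was active or in a form the filter did not cover; treat the affected password as exposed and rotate it.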