Audit Logging Configuration Parameters v13
Use the following configuration parameters to control database auditing. See Summary of Configuration Parameters to determine if a change to the configuration parameter takes effect immediately, or if the configuration needs to be reloaded, or if the database server needs to be restarted.
edb_audit
Enables or disables database auditing. The values xml
or csv
will enable database auditing. These values represent the file format in which auditing information will be captured. none
will disable database auditing and is also the default.
Note
The logging_collector
parameter must be set to on
to enable the edb_audit
parameter.
edb_audit_directory
Specifies the directory where the log files will be created. The path of the directory can be relative or absolute to the data folder. The default is the PGDATA/edb_audit
directory.
edb_audit_filename
Specifies the file name of the audit file where the auditing information will be stored. The default file name will be audit-%Y%m%d_%H%M%S
. The escape sequences, %Y
, %m
etc., will be replaced by the appropriate current values according to the system date and time.
edb_audit_rotation_day
Specifies the day of the week on which to rotate the audit files. Valid values are sun
, mon
, tue
, wed
, thu
, fri
, sat
, every
, and none
. To disable rotation, set the value to none
. To rotate the file every day, set the edb_audit_rotation_day
value to every
. To rotate the file on a specific day of the week, set the value to the desired day of the week. every
is the default value.
edb_audit_rotation_size
Specifies a file size threshold in megabytes when file rotation will be forced to occur. The default value is 0 MB. If the parameter is commented out or set to 0, rotation of the file on a size basis will not occur.
edb_audit_rotation_seconds
Specifies the rotation time in seconds when a new log file should be created. To disable this feature, set this parameter to 0, which is the default.
edb_audit_connect
Enables auditing of database connection attempts by users. To disable auditing of all connection attempts, set edb_audit_connect
to none
. To audit all failed connection attempts, set the value to failed
, which is the default. To audit all connection attempts, set the value to all
.
edb_audit_disconnect
Enables auditing of database disconnections by connected users. To enable auditing of disconnections, set the value to all
. To disable, set the value to none
, which is the default.
edb_audit_statement
This configuration parameter is used to specify auditing of different categories of SQL statements. Various combinations of the following values may be specified: none
, dml
, insert
, update
, delete
, truncate
, select
, error
, rollback
, ddl
, create
, drop
, alter
, grant
, revoke
, set
and all
. The default is ddl
and error
. See Selecting SQL Statements to Audit for information regarding the setting of this parameter.
edb_audit_tag
Use this configuration parameter to specify a string value that will be included in the audit log file for each entry as a tracking tag.
edb_log_every_bulk_value
Bulk processing logs the resulting statements into both the Advanced Server log file and the EDB Audit log file. However, logging each and every statement in bulk processing is costly. This can be controlled by the edb_log_every_bulk_value
configuration parameter. When set to true
, each and every statement in bulk processing is logged. During bulk execution, when edb_log_every_bulk_value
is set to false
, a log message is recorded once per bulk processing along with the number of rows processed. In addition, the duration is emitted once per bulk processing. Default is set to false
.
edb_audit_destination
Specifies whether the audit log information is to be recorded in the directory as given by the edb_audit_directory
parameter or to the directory and file managed by the syslog
process. Set to file
to use the directory specified by edb_audit_directory
, which is the default setting.
Set to syslog
to use the syslog process and its location as configured in the /etc/syslog.conf
file. The syslog
setting is valid for Advanced Server running on a Linux host and is not supported on Windows systems. Note: In recent Linux versions, syslog has been replaced by rsyslog
and the configuration file is in /etc/rsyslog.conf
.
Note
Advanced Server allows administrative users associated with administrative privileges to audit statements by any user, group, or role. By auditing specific users, you can minimize the number of audit records generated. For information, see the examples under Selecting SQL Statements to Audit.
The following section describes selection of specific SQL statements for auditing using the edb_audit_statement
parameter.