Redacting Passwords from Audit Logs v13
You can use the edb_filter_log.redact_password_commands extension to instruct the server to redact stored passwords from the log file. Note that the module only recognizes the following syntax:
When such a statement is logged by log_statement, the server will redact the old and new passwords to 'x'. For example, the command:
Will be added to log files as:
When a statement that includes a redacted password is logged, the server redacts the statement text. When the statement is logged as context for some other message, the server omits the statement from the context.
To enable password redaction, you must first enable the extension by modifying the postgresql.conf file, adding the following value to the values specified in the shared_preload_libraries parameter:
Then, set edb_filter_log.redact_password_commands to true:
After modifying the postgresql.conf file, you must restart the server for the changes to take effect.
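One way to confirm after the restart that password statements reach the log redacted, as an added example that is not part of the EDB documentation: the script scans log lines for password literals that are not 'x'. The statement forms it matches, the log line layout and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: password statements look like
#   {CREATE|ALTER} {USER|ROLE|GROUP} name ... PASSWORD '<literal>' [REPLACE '<literal>']
# or use IDENTIFIED BY '<literal>'. Only quoted literals are checked.
STATEMENT = re.compile(r"\b(?:CREATE|ALTER)\s+(?:USER|ROLE|GROUP)\b", re.IGNORECASE)
SECRET = re.compile(
    r"\b(PASSWORD|REPLACE|IDENTIFIED\s+BY)\s+'((?:[^']|'')*)'", re.IGNORECASE
)
REDACTED = "x"  # the value the server writes in place of each password


def find_unredacted(lines):
    """Return (line_number, keyword) for every password literal that is not 'x'."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if not STATEMENT.search(line):
            continue  # not a user/role/group statement
        for match in SECRET.finditer(line):
            keyword = " ".join(match.group(1).upper().split())
            if match.group(2) != REDACTED:
                findings.append((number, keyword))
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "2024-01-01 10:00:00 UTC LOG:  statement: ALTER USER alice PASSWORD 'x' REPLACE 'x';",
    "2024-01-01 10:00:05 UTC LOG:  statement: SELECT 1;",
    "2024-01-01 10:00:09 UTC LOG:  statement: CREATE ROLE bob WITH PASSWORD 'Example-Pw-1';",
    "2024-01-01 10:00:12 UTC LOG:  statement: alter user carol password 'x' replace 'Example-Old';",
]

if __name__ == "__main__":
    for number, keyword in find_unredacted(SAMPLE_LOG):
        # Report the position only; never echo the secret itself.
        print(f"line {number}: unredacted literal after {keyword}")
```

A finding on a line written after the restart means the statement used a form the module did not recognize or the setting is not active; lines written before the change still hold the original passwords and need separate cleanup.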