Redacting Passwords from Audit Logs v13

You can use the edb_filter_log.redact_password_commands parameter of the edb_filter_log extension to instruct the server to redact stored passwords from the log file. Note that the module recognizes only the following syntax:

{CREATE|ALTER} {USER|ROLE|GROUP} identifier { [WITH] [ENCRYPTED] PASSWORD
'nonempty_string_literal' | IDENTIFIED BY { 'nonempty_string_literal' |
bareword } } [ REPLACE { 'nonempty_string_literal' | bareword } ]

When such a statement is logged by log_statement, the server will redact the old and new passwords to 'x'. For example, the command:

ALTER USER carol PASSWORD '1safepwd' REPLACE 'old_pwd';

is added to the log file as:

statement: ALTER USER carol PASSWORD 'x' REPLACE 'x';

When the server logs a statement that includes a password in this syntax, it redacts the statement text. When such a statement would be logged as context for some other message, the server omits the statement from that context instead.

To enable password redaction, you must first load the extension by editing the postgresql.conf file and adding the following value to the shared_preload_libraries parameter:

$libdir/edb_filter_log

Then, set edb_filter_log.redact_password_commands to true:

edb_filter_log.redact_password_commands = true

After modifying the postgresql.conf file, you must restart the server for the changes to take effect.
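As an added example, not part of the EDB documentation or of the edb_filter_log module itself, the following Python check scans log lines for statements in the syntax shown above and reports any whose password or REPLACE value is still a literal other than the 'x' marker, which is what you would look for when verifying that redaction is in effect after the restart. The regular expression is an approximation of that grammar, and the log lines are constructed for the example.

```python
import re

# Approximation of the syntax the page says edb_filter_log recognizes:
# {CREATE|ALTER} {USER|ROLE|GROUP} ident { [WITH] [ENCRYPTED] PASSWORD 'lit'
#   | IDENTIFIED BY { 'lit' | bareword } } [ REPLACE { 'lit' | bareword } ]
PASSWORD_STMT = re.compile(
    r"\b(CREATE|ALTER)\s+(USER|ROLE|GROUP)\s+(?P<role>\"[^\"]+\"|\w+)\s+"
    r"(?:(?:WITH\s+)?(?:ENCRYPTED\s+)?PASSWORD\s+(?P<new_q>'[^']*')"
    r"|IDENTIFIED\s+BY\s+(?P<new_b>'[^']*'|\w+))"
    r"(?:\s+REPLACE\s+(?P<old>'[^']*'|\w+))?",
    re.IGNORECASE,
)

# Constructed sample log lines: one correctly redacted, two not, one unrelated.
SAMPLE_LOG = """\
2024-01-01 10:00:00 UTC [1234]: LOG:  statement: ALTER USER carol PASSWORD 'x' REPLACE 'x';
2024-01-01 10:00:01 UTC [1234]: LOG:  statement: CREATE ROLE dave WITH ENCRYPTED PASSWORD 'hunter2';
2024-01-01 10:00:02 UTC [1234]: LOG:  statement: ALTER GROUP ops IDENTIFIED BY secret REPLACE 'x';
2024-01-01 10:00:03 UTC [1234]: LOG:  statement: SELECT count(*) FROM pg_roles;
"""


def _is_redacted(token):
    # The server replaces a redacted value with the literal 'x'.
    return token.strip("'") == "x"


def audit_password_statements(log_text):
    """Return one finding per logged statement that matches the redactable
    syntax but still carries a password or REPLACE value other than 'x'."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = PASSWORD_STMT.search(line)
        if not m:
            continue  # not a password-bearing CREATE/ALTER statement
        new = m.group("new_q") or m.group("new_b")
        old = m.group("old")
        leaked = [name for name, tok in (("new", new), ("old", old))
                  if tok is not None and not _is_redacted(tok)]
        if leaked:
            findings.append({"line": lineno, "role": m.group("role"), "fields": leaked})
    return findings


if __name__ == "__main__":
    for f in audit_password_statements(SAMPLE_LOG):
        print(f"line {f['line']}: role {f['role']} has unredacted {f['fields']}")
```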