Enabling audit logging v15
You can configure EDB Postgres Advanced Server to log all connections, disconnections, DDL statements, DCL statements, DML statements, and any statements resulting in an error.
- Enable auditing by setting the
edb_audit
parameter toxml
orcsv
. - Set the file rotation day when the new file is created by setting the parameter
edb_audit_rotation_day
to the desired value. - To audit all connections, set the parameter
edb_audit_connect
toall
. - To audit all disconnections, set the parameter
edb_audit_disconnect
toall
. - To audit DDL, DCL, DML and other statements, set the parameter
edb_audit_statement
according to the instructions in Selecting SQL statements to audit.
Setting the edb_audit_statement
parameter in the configuration file affects the entire database cluster.
You can further refine the type of statements that are audited. The type is controlled by the edb_audit_statement
parameter according to the database in use as well as the database role running the session:
- You can set the
edb_audit_statement
parameter as an attribute of a specified database with theALTER DATABASE dbname SET edb_audit_statement
command. This setting overrides theedb_audit_statement
parameter in the configuration file for statements executed when connected to databasedbname
. - You can set the
edb_audit_statement
parameter as an attribute of a specified role with theALTER ROLE rolename SET edb_audit_statement
command. This setting overrides theedb_audit_statement
parameter in the configuration file as well as any setting assigned to the database by theALTER DATABASE
command when the specified role is running the current session. - You can set the
edb_audit_statement
parameter as an attribute of a specified role when using a specified database with theALTER ROLE rolename IN DATABASE dbname SET edb_audit_statement
command. This setting overrides theedb_audit_statement
parameter in the configuration file. It also overrides any setting assigned to the database by theALTER DATABASE
command and as any setting assigned to the role with theALTER ROLE
command without theIN DATABASE
clause.
Examples
The following are examples of this technique.
The database cluster is established with edb_audit_statement
set to all
as shown in its postgresql.conf
file:
A database and role are established with the following settings for the edb_audit_statement
parameter:
- Database
auditdb
withddl
,insert
,update
, anddelete
- Role
admin
withselect
,truncate
, andset
- Role
admin
in databaseauditdb
withcreate table
,insert
, andupdate
The following shows creating and altering the database and role:
The following shows the changes made and the resulting audit log file for three cases.
Case 1: Changes made in database auditdb
by role enterprisedb
Only ddl
, insert
, update
, and delete
statements are audited:
The following audit log file shows entries only for the CREATE TABLE
, INSERT INTO audit_tbl
, and UPDATE audit_tbl
statements. The SELECT * FROM audit_tbl
and TRUNCATE audit_tbl
statements weren't audited. (Each audit log entry was split and displays across multiple lines. A blank line was inserted between the audit log entries for visual clarity.)
Case 2: Changes made in database edb
by role admin
Only select
, truncate
, and set
statements are audited:
Continuation of the audit log file now appears as follows. The last two entries representing the second case show only the SET default_with_rowids TO TRUE
, SELECT * FROM edb_tbl
, and TRUNCATE edb_tbl
statements. The CREATE TABLE edb_tbl
and INSERT INTO edb_tbl
statements weren't audited.
Case 3: Changes made in database auditdb
by role admin
Only create table
, insert
, and update
statements are audited:
Continuation of the audit log file now appears as follows. The next-to-last two entries representing the third case show only CREATE TABLE audit_tbl_2
and INSERT INTO audit_tbl_2
statements. The SELECT * FROM audit_tbl_2
and TRUNCATE audit_tbl_2
statements weren't audited.
- On this page
- Examples