PGAudit: Postgres Auditing
PGAudit is a PostgreSQL extension for logging session and object auditing over the standard PostgreSQL logging utility.
PGAudit grants fine grain control over which statements and objects are emitted to logs.
Enable the extension#
- Go to the Database page in the Dashboard.
- Click on Extensions in the sidebar.
- Search for "pgaudit" and enable the extension.
Settings#
The pgaudit.log
setting controls which statements to log. Available values include:
-
read:
SELECT
andCOPY
when the source is a relation or a query. -
write:
INSERT
,UPDATE
,DELETE
,TRUNCATE
, andCOPY
when the destination is a relation. -
function: Function calls and
DO
blocks. -
role: Statements related to roles and privileges:
GRANT
,REVOKE
,CREATE/ALTER/DROP ROLE
. -
ddl: All
DDL
that is not included in theROLE
class. -
misc: Miscellaneous commands, e.g.
DISCARD
,FETCH
,CHECKPOINT
,VACUUM
,SET
. -
misc_set: Miscellaneous
SET
commands, e.g.SET ROLE
. -
all: Include all of the above.
For a full list of available settings see settings docs. Be aware that the all
setting will generate a very large volume of logs.
Example#
Given a pgaudit setting
_10set pgaudit.log = 'read, ddl';
The following create table, insert and select statements
_10create table account (_10 id int primary key,_10 name text,_10 description text_10);_10_10insert into account (id, name, description)_10values (1, 'Foo Barsworth', 'Customer account');_10_10select * from account;
Results in the log output
_10AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.account,create table account(_10 id int,_10 name text,_10 description text_10);,<not logged>_10AUDIT: SESSION,2,1,READ,SELECT,,,select * from account,,<not logged>
Note that the insert statement is not logged because we did not include the write
option for pgaudit.log
.
Resources#
- Official
PGAudit
documentation