In the pgaudit configuration file, specify the information required for pgaudit actions. The pgaudit configuration file comprises three sections: "output section", "option section", and "rule section".
output section
The output section is specified using the format below:
paramName = 'value'
The valid parameters in the output section are shown in the table below.
LinuxParameter name | Description | Remarks |
|---|---|---|
logger | Dedicated log file (auditlog)/serverLog (serverlog) that will be the output destination of the audit log The default is "auditlog" (dedicated log file). | The dedicated log file is output using the same encoding as used for the database. |
log_directory | Directory where the audit log is to be created Specify the full path or the relative path from the data storage directory. The default is "pgaudit_log". However, make sure that audit log files are not output under the data storage directory. If you specify "on" for the enable_parallel_logger parameter, an audit log is created for "log_directory parameter setting/number". Refer to "6.3 Setting Up the Scalable Audit Log Feature" for more information. | Enabled only if "auditlog" is specified for the logger parameter |
log_filename | File name of the audit log Specify a file name that varies according to the time, in the same manner as for log_filename in the postgresql.conf file. The default is "pgaudit-%Y-%m-%d_%H%M%S.log". If you specify "on" for the enable_parallel_logger parameter, the audit log filename is "number-log _filename parameter setting". Refer to "6.3 Setting Up the Scalable Audit Log Feature" for more information. | Enabled only if "auditlog" is specified for the logger parameter |
log_file_mode | Specify the permissions of the audit log so that only permitted persons can access it. The parameter value is the numeric mode specified in the format permitted in chmod and umask system calls. The default is "0600". Refer to "log_file_mode" in "6.2 Setup" for information on audit log file permissions. | Enabled only if "auditlog" is specified for the logger parameter |
log_rotation_age | Maximum age of the audit log file A new audit log file is generated when the time (minute units) specified here elapses. To disable generation of new log files based on time, specify "0". The valid units are "min" (minutes), "h" (hours), and "d" (days). If the unit is omitted, "min" will be used. The default is "1d" (1 day). We strongly recommend that you set this parameter if you want to take advantage of the scalable audit log feature. This is because all logger processes rotate their dedicated log files at the same time, making it easier to avoid incorrect analysis. For more information, refer to "Considerations when Using the Scalable Audit Log Feature". | Enabled only if "auditlog" is specified for the logger parameter |
log_rotation_size | Maximum size of the audit log file A new log file will be generated after logs of the size specified here are output to a log file. To disable generation of new log files based on size, specify "0". The valid units are "kB" (kilobytes), "MB" (megabytes), and "GB" (gigabytes). If the unit is omitted, "kB" will be used. The default is "10MB". | Enabled only if "auditlog" is specified for the logger parameter |
log_truncate_on_rotation | If rotating audit log files based on time, this parameter is used to specify whether to overwrite (on)/not overwrite (off) existing audit log files of the same name. For example, if "on" is specified, and "pgaudit-%H.log" is specified for log_filename, 24 separate log files will be generated based on time, and those files will be cyclically overwritten. The default is "off". If "off" is specified, the logs will be written to the existing audit log files. | Enabled only if "auditlog" is specified for the logger parameter |
fifo_directory | FIFO (named pipe) directory to be used between the daemon process that outputs audit log files and the backend process FIFO named p.PGAUDIT.nnnn (nnnn is the postmaster PID) are created in the fifo_directories directory. The files cannot be deleted manually. The default is "/tmp". If you specify "on" for the enable_parallel_logger parameter, the name of the FIFO is "p. PGAUDIT. nnnn. number". Refer to "6.3 Setting Up the Scalable Audit Log Feature" for more information about the numbers. | Enabled only if "auditlog" is specified for the logger parameter |
audit_log_disconnection | When using Mirroring Controller, specify whether to enable (on) or disable (off) the output of disconnection logs. The default is "off" (disabled). This parameter is valid when log_disconnections in postgresql.conf is off. | Parameter used in Session Audit Logging only |
enable_parallel_logger | Specify whether to distribute the audit log output load (on)/not (off). The default is "off". The setting of this parameter is ignored when you specify "serverlog" for the logger parameter, because the serverlog of the database server cannot be distributed. | Enabled only if "auditlog" is specified for the logger parameter |
parallel_loggers | Specifies the multiplicity at which the output load of the audit log is to be distributed. You can specify a number greater than or equal to 1, but to distribute the audit log output load, specify a number greater than or equal to 2. The default is "2". Estimate parallel_loggers as follows: parallel_loggers = number of cores / 2 This estimate assumes the highest load to output audit logs, so setting a value less than the estimated value will not significantly degrade performance in most cases. Because the logger process acts as a background worker, add the value set for this parameter to the parameter max_worker_processes in postgresql.conf that sets the maximum number of background workers. | Enabled only if "auditlog" is specified for the logger parameter |
WindowsParameter name | Description | Remarks |
|---|---|---|
logger | Dedicated log file (auditlog)/serverLog (serverlog) that will be the output destination of the audit log The default is "auditlog" (dedicated log file). | The dedicated log file is output using the same encoding as used for the database. |
log_directory | Directory where the audit log is to be created Specify the full path or the relative path from the data storage directory. The default is "pgaudit_log". However, make sure that audit log files are not output under the data storage directory. If you specify "on" for the enable_parallel_logger parameter, an audit log is created for "log_directory parameter setting/number". Refer to "6.3 Setting Up the Scalable Audit Log Feature" for more information. | Enabled only if "auditlog" is specified for the logger parameter |
log_filename | File name of the audit log Specify a file name that varies according to the time, in the same manner as for log_filename in the postgresql.conf file. The default is "pgaudit-%Y-%m-%d_%H%M%S.log". If you specify "on" for the enable_parallel_logger parameter, the audit log filename is "number-log _filename parameter setting". Refer to "6.3 Setting Up the Scalable Audit Log Feature" for more information. | Enabled only if "auditlog" is specified for the logger parameter |
log_file_mode | This parameter is ignored in Windows. | |
log_rotation_age | Maximum age of the audit log file A new audit log file is generated when the time (minute units) specified here elapses. To disable generation of new log files based on time, specify "0". The valid units are "min" (minutes), "h" (hours), and "d" (days). If the unit is omitted, "min" will be used. The default is "1d" (1 day). We strongly recommend that you set this parameter if you want to take advantage of the scalable audit log feature. This is because all logger processes rotate their dedicated log files at the same time, making it easier to avoid incorrect analysis. For more information, refer to "Considerations when Using the Scalable Audit Log Feature". | Enabled only if "auditlog" is specified for the logger parameter |
log_rotation_size | Maximum size of the audit log file A new log file will be generated after logs of the size specified here are output to a log file. To disable generation of new log files based on size, specify "0". The valid units are "kB" (kilobytes), "MB" (megabytes), and "GB" (gigabytes). If the unit is omitted, "kB" will be used. The default is "10MB". | Enabled only if "auditlog" is specified for the logger parameter |
log_truncate_on_rotation | If rotating audit log files based on time, this parameter is used to specify whether to overwrite (on)/not overwrite (off) existing audit log files of the same name. For example, if "on" is specified, and "pgaudit-%H.log" is specified for log_filename, 24 separate log files will be generated based on time, and those files will be cyclically overwritten. The default is "off". If "off" is specified, the logs will be written to the existing audit log files. | Enabled only if "auditlog" is specified for the logger parameter |
audit_log_disconnection | When using Mirroring Controller, specify whether to enable (on) or disable (off) the output of disconnection logs. The default is "off" (disabled). This parameter is valid when log_disconnections in postgresql.conf is off. | Parameter used in Session Audit Logging only |
enable_parallel_logger | Specify whether to distribute the audit log output load (on)/not (off). The default is "off". The setting of this parameter is ignored when you specify "serverlog" for the logger parameter, because the serverlog of the database server cannot be distributed. | Enabled only if "auditlog" is specified for the logger parameter |
parallel_loggers | Specifies the multiplicity at which the output load of the audit log is to be distributed. You can specify a number greater than or equal to 1, but to distribute the audit log output load, specify a number greater than or equal to 2. The default is "2". Estimate parallel_loggers as follows: parallel_loggers = number of cores / 2 This estimate assumes the highest load to output audit logs, so setting a value less than the estimated value will not significantly degrade performance in most cases. Because the logger process acts as a background worker, add the value set for this parameter to the parameter max_worker_processes in postgresql.conf that sets the maximum number of background workers. | Enabled only if "auditlog" is specified for the logger parameter |
Information
If the logger parameter is set to "serverlog", audit logs will be output to the server log as log messages, therefore the status information and message severity level according to the log_line_prefix parameter in postgresql.conf will be output to the beginning of the audit log.
If the logger parameter is omitted or set to "auditlog", audit logs will be output to a dedicated log file as dedicated logs, therefore the status information and message severity level according to the log_line_prefix parameter in the postgresql.conf file will not be output.
Refer to "Output format" in "6.5 Session Audit Logging"or "Output format" in "6.6 Object Audit Logging" for information on the output format of audit logs.
Point
The pgaudit log_file_mode configuration parameter setting is separate from, and unaffected by, the log_file_mode GUC parameter setting and the -g/-allow-group-access initdb option.
When using a dedicated pgaudit log file, since the pgaudit log_directory location defaults to inside the data storage directory, it is possible for the pgaudit log_file_mode permissions to conflict with the intended file permissions specified by the -g/-allow-group-access initdb option. In this case, the pgaudit log_directory should be specified to be a directory located outside of the data storage directory.
Point
If the file permissions for the server log do not satisfy the security requirements of the system, specify a dedicated log file for the output destination of the audit log, and set the access permissions for the output destination directory so that the security requirements are satisfied. At that time, assign read and write permissions to the database administrator.
option section
The option section is specified using the format below:
paramName = 'value'
The valid parameters in the option section are shown in the table below.
Parameter name | Description | Remarks |
|---|---|---|
role | Name of roles used in Object Audit Logging If specifying a name containing uppercase characters, key words, multibyte characters and commas, enclose the name in double quotation marks. | Parameter used in Object Audit Logging only |
log_catalog | Whether to enable (on)/disable (off) log output for pg_catalog If pgAdmin, and so on, will not be retrieving audit logs that access pg_catalog, specify "off". The default is "on" (enabled). | |
log_parameter | Whether to enable (on)/disable (off) output of values passed by parameters in SQL execution The default is "off" (disabled). | |
log_statement_once | Whether to control (on)/not control (off) output for the second and subsequent SQL statements if the same SQL statement is the log output target The default is "off" (do not control). | |
log_level | Log level of audit logs The valid values are "DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1", "INFO", "NOTICE", "WARNING", and "LOG". The default is "LOG". | Enabled only if "serverlog" is specified for the logger parameter |
rule section
The rule section is used in Session Audit Logging. Refer to "6.5 Session Audit Logging" for details.
Note
Do not specify the rule section if the role parameter has been specified in the option section. If you specify the rule section, the audit logs of Object Audit Logging and Session Audit Logging will be output intermingled and you will be unable to view the logs in CSV format.
