With the normal audit log feature, there is only one logger process and only one dedicated log file.
Therefore, the audit log load for the instance, including logs output by all backend processes, is concentrated on that one logger process and dedicated log file.
The scalable audit log feature distributes output across multiple dedicated log files, as shown below, and runs multiple output processes (logger processes) in a one-to-one relationship with those files. The number of distributions (dedicated log files and logger processes) can be changed by parameter settings.
Information
Because there is a one-to-one relationship between the dedicated log files and the logger processes, there are as many logger processes running as there are dedicated log files. A number is appended to the end of each logger process's command title as reported by ps or Process Explorer, as follows. Use this information as a reference when monitoring the process status.
pgaudit logger 0
pgaudit logger 1
pgaudit logger 2
Parameters in the pgaudit configuration file
Set the following parameters in the "output section":
Refer to "6.4 pgaudit Configuration File" for details on the parameters.
enable_parallel_logger
Set "on". The default is "off".
If the logger parameter in the pgaudit configuration file is not "auditlog" (the default), this parameter is ignored even if it is set to "on".
parallel_loggers
Sets the number of logger processes. Specify a value greater than or equal to "2".
Refer to "6.4 pgaudit Configuration File" for an estimate of the values to set.
log_rotation_age
We strongly recommend that you set this parameter. Although the scalable audit log feature works without it, setting it makes it easier to avoid incorrect analysis when analyzing the output audit logs. Refer to "Considerations when Using the Scalable Audit Log Feature".
[output]
enable_parallel_logger = on
parallel_loggers = 5
log_rotation_age = 1h
postgresql.conf Parameters
Add the value set for parallel_loggers to the value set for the max_worker_processes parameter. This is because each logger process runs as a background worker.
If max_worker_processes is set to 8 and you want to set parallel_loggers to 3, do the following:
max_worker_processes = 11
Storage location of the dedicated log file
A dedicated log file is output with the following path and name:
For more information about the log_directory and log_filename parameters, refer to "6.4 pgaudit Configuration File".
log_directory parameter setting/number/number-log_filename parameter setting
The number is an integer from 0 up to one less than the value specified by parallel_loggers. For example, if parallel_loggers is 3, the number is 0 or greater and 2 or less. For more information about how to analyze these multiple files, refer to "6.9 Analyzing Audit Logs in SQL".
If you set parallel_loggers=3, a dedicated log file is generated as follows:
pgaudit_log/0/0-pgaudit-2024-02-02_153000.log
pgaudit_log/1/1-pgaudit-2024-02-02_153000.log
pgaudit_log/2/2-pgaudit-2024-02-02_153000.log
If you can use multiple disks, you can also distribute the disk I/O load by setting the dedicated log file storage directory as a symbolic link to another disk, as shown below.
For Windows, use a junction instead of a symbolic link.
Place pgaudit_log/2 on a different disk:
ln -s /other_disk/2 pgaudit_log/2
mklink /J pgaudit_log\2 E:\other_disk\2
Depending on the situation, create a symbolic link as follows. If the directory (or symbolic link) specified as the log output destination for the scalable audit log feature does not exist, the directory is automatically created. If the directory already exists, it is used as the log output destination.
If you are using the scalable audit log feature for the first time, there is no dedicated log file directory. In this case, create a symbolic link after stopping the instance.
If you are already using the scalable audit log feature, you already have a dedicated log file directory. After stopping the instance, move the stored dedicated log file to another location, and then delete the storage directory. Then, create a symbolic link with the same name as the deleted directory.
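The relocation procedure above for Linux, covering both cases, as an added example that is not part of the product documentation. The function name, its arguments, the archive directory, the 0700 permissions, and the use of postmaster.pid in the data directory as the "instance is stopped" check are assumptions.

```shell
#!/bin/sh
# Added example (not product code): move one dedicated log directory of the
# scalable audit log feature to another disk and leave a symbolic link behind.
# Hypothetical usage:
#   relocate_audit_dir "$PGDATA" "$PGDATA/pgaudit_log/2" /other_disk/2 /backup/pgaudit/2

relocate_audit_dir() {
    datadir=$1    # data directory; assumed to hold postmaster.pid while running
    logdir=$2     # dedicated log directory, e.g. pgaudit_log/2
    target=$3     # directory on the other disk, e.g. /other_disk/2
    archive=$4    # assumed location where existing log files are moved first

    # Both cases require the instance to be stopped before touching the path.
    if [ -e "$datadir/postmaster.pid" ]; then
        echo "instance appears to be running; stop it first" >&2
        return 1
    fi
    # Already relocated: do not create a link inside the link target.
    if [ -L "$logdir" ]; then
        echo "$logdir is already a symbolic link" >&2
        return 0
    fi
    # Audit logs are sensitive: keep the new location owner-only (assumption).
    mkdir -p "$target" && chmod 700 "$target" || return 1

    if [ -d "$logdir" ]; then
        # Feature already in use: move stored log files away, then delete
        # the storage directory so the link can take its name.
        mkdir -p "$archive" && chmod 700 "$archive" || return 1
        for f in "$logdir"/*; do
            [ -e "$f" ] || continue      # empty directory: glob did not match
            mv -- "$f" "$archive"/ || return 1
        done
        rmdir -- "$logdir" || return 1   # refuses if any file was left behind
    else
        # First use: no dedicated log directory yet; only the parent is needed.
        mkdir -p "$(dirname "$logdir")" || return 1
    fi
    ln -s -- "$target" "$logdir"
}
```

Because rmdir is used instead of a recursive delete, the function stops without creating the link if any audit log file could not be moved out first.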