In Session Audit Logging, specify the rules for filtering logs to be output in the rule section in the pgaudit configuration file.
Rules are specified using the formats below. Multiple values can be specified, using a comma as the delimiter.
paramName = 'value'
paramName != 'value'
If [rule] is described on its own in the rule section with no parameters specified, all audit logs of Session Audit Logging will be output.
[output] logger = 'auditlog' [rule]
If [rule] is not described as a section, audit logs of Session Audit Logging will not be output.
[output] logger = 'auditlog'
The valid parameters in the rule section are shown in the table below.
Parameter name | Description | Example |
|---|---|---|
timestamp | Timestamp range Refer to "timestamp" for details on how to specify timestamps. | timestamp = '09:00:00 - 10:00:00, 18:00:00 - 18:30:00' |
database | Database name To specify a blank value, specify use a pair of double quotation marks ("") instead of the value. When specifying a name containing uppercase characters, key words, multibyte characters and commas, enclose the name in double quotation marks. | database = 'prodcut_db' |
audit_role | Role name To specify a blank value, specify use a pair of double quotation marks ("") instead of the value. When specifying a name containing uppercase characters, key words, multibyte characters and commas, enclose the name in double quotation marks. | audit_role = 'appuser1' |
class | Operation class Select from the values below. Multiple values can be specified. Refer to "class" for details on the meaning of each class.
| class = 'READ, WRITE' |
object_type | Object type This parameter is enabled when the class parameter is "READ" and "WRITE". Select from the values below. Multiple values can be specified.
| object_type = 'TABLE, INDEX' |
object_name | Object name This parameter is enabled when the class parameter is "READ" and "WRITE". For objects that can be modified by a schema, such as a table, modify such objects by schema name. When specifying a name containing uppercase characters, key words, multibyte characters and commas, enclose the name in double quotation marks. When specifying the object name "schemaName.tableName", enclose the entire object name modified by schema name in double quotation marks. To specify a blank value, use a pair of double quotation marks ("") instead of the value. | object_name = 'myschema.tbl1' object_name = 'myschema.tbl1, "mySchema.TABLE"' |
application_name | Application name To specify a blank value, use a pair of double quotation marks ("") instead of the value. | application_name = 'myapp' |
remote_host | Connection source(client side) host name or IP address If "on" is specified for the log_hostname parameter in the postgresql.conf file, specify a host name. Otherwise, specify the IP address. If using a local host, specify "[local]". To specify a blank value, use a pair of double quotation marks ("") instead of the value. | remote_host = 'ap_server' |
Specify a timestamp range from "startTime" to "endTime" for the log output target. The timestamp format is 'hh:mm:dd-hh:mm:dd' (hh is expressed in 24-hour notation, and hh, mm, and dd are expressed in two-digit notation).
The start time must be earlier than the end time. If specifying multiple ranges, specify each start and end timestamp using a comma as the delimiter.
End timestamps consider milliseconds. For example, if '11:00:00 - 11:59:59' is specified for the timestamp, "11:00:00:000" to "11:59:59:999" will be the target range.
The timestamps used by evaluation in the rule section of pgaudit are different to the timestamps issued in the log entries. That is because log entries are output after evaluation by pgaudit, with the timestamp being generated at that time.
The meaning of each class specified in the class parameter is below:
READ: SELECT, COPY FROM
WRITE: INSERT, UPDATE, DELETE, TRUNCATE, COPY TO
FUNCTION: Function call, DO
ROLE: GRANT, REVOKE, CREATE ROLE, ALTER ROLE, DROP ROLE
DDL: All DDLs (such as CREATE and ALTER) other than the DDLs of the ROLE class
CONNECT: Events relating to connecting (request, authenticate, and disconnect)
SYSTEM: Instance start, promotion to primary server
BACKUP: pg_basebackup
ERROR: Event completed by an error (PostgreSQL error codes other than 00). This class can be used if ERROR or lower level is specified for the log_min_messages parameter in postgresql.conf.
MISC: Other commands (such as DISCARD, FETCH, CHECKPOINT, and VACUUM)
Evaluation of the rule section
When a log event occurs, all expressions in the rule section are evaluated at once. Log entries are only output if all parameters in the rule section are evaluated as being true.
For example, if the rule below has been set, of the operations performed by 'apserver' to 'myschema.tbl1', the operations applicable to classes other than 'WRITE" in the period from 10 a.m. to 11 a.m. will be output as audit logs.
[rule] timestamp = '10:00:00-11:00:00' remote_host = 'apserver' object_name = 'myschema.tbl1' class != 'WRITE'
Multiple rule sections can be defined in the pgaudit configuration file. Log events are evaluated using each rule section, and an audit log is output for each matching rule section.
For example, if the rules below are set, duplicated audit logs will be output.
[rule] object_name = 'myschema.tbl1' [rule] object_name = 'myschema.tbl1'
If the same parameter is specified multiple times in one rule section, the last specified parameter is effective.
For example, if the rule below has been set, "object_name = 'myschema.tbl3'" will take effect.
[rule] object_name = 'myschema.tbl1' object_name = 'myschema.tbl2' object_name = 'myschema.tbl3'
Output format
In Session Audit Logging, audit logs are output in the format below:
AUDIT: SESSION,READ,2022-03-12 19:00:58 PDT,
(1) (2) (3)
[local],19944,psql,appuser,postgres,2/8, 2, 1,SELECT,,TABLE,myschema.account, ,
(4) (5) (6) (7) (8) (9)(10)(11)(12)(13)(14) (15) (16)
SELECT * FROM myschema.account;,<not logged>
(17) (18)No | Content |
|---|---|
(1) | Log header Fixed as "AUDIT: SESSION". |
(2) | Class |
(3) | SQL start time |
(4) | Remote host name If using a local host, [local] is output. |
(5) | Backend process ID |
(6) | Application name If an application name is not specified, [unknown] is output. |
(7) | User name |
(8) | Database name |
(9) | Virtual transaction ID |
(10) | Statement ID |
(11) | Substatement ID |
(12) | Command tag |
(13) | SQLSTATE |
(14) | Object type |
(15) | Object name |
(16) | Error message |
(17) | SQL If the SQL contains a password, such as for CREATE ROLE, and so on, it will be replaced with "<REDACTED>". Additionally, if "on" is specified for the log_statement_once parameter of the option section in the pgaudit configuration file, "<previously logged>" is output for the second and subsequent statements. |
(18) | Depending on the log_parameter parameter value of the option section in the pgaudit configuration file, the output content will be as below.
Additionally, if "on" is specified for the log_statement_once parameter of the option section in the pgaudit configuration file, "<previously logged>" is output for the second and subsequent statements. |
Information
If accessing resources that use the features below, the command tag (12) may be output as "???".
INSTEAD OF trigger
RULE
VIEW
Security policy per row
Table inheritance
Example
Below is an example of retrieving audit logs in Session Audit Logging.
In the pgaudit configuration file, specify the rule section below.
[rule] class = 'READ, WRITE' object_name = 'myschema.account'
Execute the SQL below from the client.
CREATE TABLE myschema.account
(
id int,
name text,
password text,
description text
);
INSERT INTO myschema.account (id, name, password, description) VALUES (1, 'user1', 'HASH1', 'blah, blah');
SELECT * FROM myschema.account;The audit log below can be retrieved.
'DDL' is not defined in the class parameter, so CREATE TABLE is not output as an audit log.
AUDIT: SESSION,WRITE,2022-03-12 19:00:49 PDT,[local],19944,psql,appuser,postgres,2/7,1,1,INSERT,,TABLE,myschema.account,,"INSERT INTO myschema.account (id, name, password, description) VALUES (1, 'user1', 'HASH1', 'blah, blah');",<not logged> AUDIT: SESSION,READ,2022-03-12 19:00:58 PDT,[local],19944,psql,appuser,postgres,2/8,2,1,SELECT,,TABLE,myschema.account,,SELECT * FROM myschema.account;,<not logged>