On Wed, 15 Aug 2018 at 13:50, Evan Rempel <erempel@xxxxxxx> wrote:
In my opinion that is exactly why you log to syslog. The syslog infrastructure can also forward in real time the log events to a remote log collector that the DBAs don't even have access to. This method provides for a secure and pristine log stream for archiving and audit review processes.

Evan.
On 08/14/2018 08:44 PM, dangal wrote:
> From what I saw pgaudit records the postgres log, any dba can modify that log
+1 wrt syslog and remote logging. Any environment where security and access monitoring is important should always have logs copied to a remote, secure server with access limited to individuals who are not also responsible for administering key systems, such as the database server.

When compromising a system, it is normal to attempt to cover up your activity by modifying or deleting log files. Having these copied to a separate system means the threat actor has to now compromise multiple servers.

Another useful setup is the 'ELK' stack, which uses Logstash and Elasticsearch to provide a powerful log storage and querying infrastructure (which can also unify logs from different sources). This can make auditing and monitoring much more powerful.
Tim
regards,
Tim
--
Tim Cross
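As an added example that is not from the thread, the configuration that Evan's approach implies: PostgreSQL with pgaudit writing to syslog instead of a DBA-writable log file, and rsyslog on the database host forwarding that facility to a remote collector over TLS with a disk-assisted queue. The hostnames, certificate paths and the LOCAL0 facility are assumptions.

```conf
# --- postgresql.conf (or a file under include_dir) ---
# Weak: logging_collector writes files into the data directory, which the
# DBA (and anyone who compromises the postgres OS account) can edit or delete.
#log_destination   = 'stderr'
#logging_collector = on

# Corrected: hand every line to the local syslog daemon, keep a local copy if
# you like with 'stderr,syslog' (stderr alone is still DBA-writable).
log_destination         = 'syslog'
syslog_facility         = 'LOCAL0'     # assumption: LOCAL0 reserved for PostgreSQL
syslog_ident            = 'postgres'
syslog_sequence_numbers = on           # gaps in the sequence reveal dropped lines
syslog_split_messages   = on           # long statements are split, not truncated
log_connections         = on
log_disconnections      = on

# pgaudit: statement-level audit records go down the same syslog path
shared_preload_libraries = 'pgaudit'   # requires a server restart
pgaudit.log              = 'ddl, role, write'
pgaudit.log_parameter    = on

# --- /etc/rsyslog.d/10-postgres-forward.conf on the database host ---
# Mutual TLS so the collector only accepts its known DB hosts and the DB host
# only talks to the real collector. Paths and names are assumptions.
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog/db01.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog/db01.key")

# Forward LOCAL0 over TCP+TLS; the on-disk queue buffers during collector or
# network outages instead of silently dropping audit lines (UDP would).
local0.* action(type="omfwd" target="loghost.example.net" port="6514" protocol="tcp"
                StreamDriverMode="1" StreamDriverAuthMode="x509/name"
                StreamDriverPermittedPeers="loghost.example.net"
                queue.type="LinkedList" queue.filename="pgfwd"
                queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

A superuser can still change these parameters with ALTER SYSTEM and a reload, so the collector side should alert when the stream from a host stops or when sequence numbers jump, and the rsyslog configuration and certificates on the database host should be owned by root rather than the postgres account.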