Thanks Tom, I get what you are saying and that seems to be final at this stage. I will write pg_audit down, though.
Oleg
On Thu, Dec 10, 2015 at 4:41 PM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
oleg yusim <olegyusim@xxxxxxxxx> writes:
> What I hope to achieve is to meet this requirement from Database SRG:
> *Review DBMS documentation to verify that audit records can be produced
> when privileges/permissions/role memberships are retrieved.*
> To do that I would need to enable logging of such commands as \du, \dp, \z.
> At the same time, I do not want to get 20 GB of logs on a daily basis, by
> setting log_statement = 'all'. So, I'm trying to find a way in between.
As multiple people have noted, it's a serious error to imagine that your
requirement is "log \du etc". Those are just handy macros for queries on
the system catalogs, which could also be done in other ways. What you
seem to need is server-side logging of queries that access specific system
catalog columns. There's no out-of-the-box facility for that right now,
short of log_statement = all which you've already rejected.

It'd be possible to write a C-code extension that did something like
that, and some work in that direction has already gone on; the pg_audit
extension that didn't quite get into 9.5 might come close to your
requirements.

regards, tom lane
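
An added example, not part of the original thread: a filter that picks privilege and role lookups out of statement logs by the catalog names they reference rather than by the psql macro that issued them. It assumes statements are already being logged one per line (for instance with log_statement = 'all'); the watch list, the function name `privilege_reads` and the sample log lines are constructed for illustration.

```python
import re

# Assumed, non-exhaustive watch list: catalogs and views that hold roles and
# memberships, plus the ACL columns carried by general-purpose catalogs.
WATCHED = {
    "pg_roles", "pg_authid", "pg_auth_members", "pg_user", "pg_shadow",
    "pg_group", "pg_default_acl",
    "relacl", "attacl", "datacl", "nspacl", "proacl", "defaclacl",
}

# Assumes each statement is logged on a single line as "LOG:  statement: ...".
STATEMENT = re.compile(r"LOG:\s+statement:\s+(?P<sql>.*)$")
IDENTIFIER = re.compile(r"[a-z_][a-z0-9_]*")


def privilege_reads(log_lines):
    """Return (sql, matched_names) for statements that touch watched names."""
    hits = []
    for line in log_lines:
        found = STATEMENT.search(line)
        if not found:
            continue  # connection messages, errors, etc.
        sql = found.group("sql").strip()
        # Match on identifiers, not on the psql macro that produced the query.
        names = sorted(set(IDENTIFIER.findall(sql.lower())) & WATCHED)
        if names:
            hits.append((sql, names))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "2015-12-10 16:41:02 UTC [4711] LOG:  connection authorized: user=app database=shop",
    "2015-12-10 16:41:03 UTC [4711] LOG:  statement: SELECT r.rolname, r.rolsuper "
    "FROM pg_catalog.pg_roles r ORDER BY 1;",
    "2015-12-10 16:41:09 UTC [4711] LOG:  statement: SELECT rolname FROM pg_authid "
    "WHERE rolsuper;",
    "2015-12-10 16:41:15 UTC [4712] LOG:  statement: SELECT c.relname, c.relacl "
    "FROM pg_catalog.pg_class c WHERE c.relkind = 'r';",
    "2015-12-10 16:41:20 UTC [4712] LOG:  statement: UPDATE orders SET status = "
    "'shipped' WHERE id = 42;",
]

if __name__ == "__main__":
    for sql, names in privilege_reads(SAMPLE_LOG):
        print(names, "<-", sql)
```

The filter trims what is forwarded to an audit store; the server still writes the full statement log, and a lookup through a name missing from the watch list is not caught.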