Search Postgresql Archives

Re: Loggingt psql meta-commands

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks Tom, I get what you are saying and that seems to be final at this stage. I will write pg_audit down, though.

Oleg

On Thu, Dec 10, 2015 at 4:41 PM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
oleg yusim <olegyusim@xxxxxxxxx> writes:
> What I hope to achieve is to meet this requirement from Database SRG:
> *Review DBMS documentation to verify that audit records can be produced
> when privileges/permissions/role memberships are retrieved.*

> To do that I would need to enable logging of such commands as \du, \dp, \z.
> At the same time, I do not want to get 20 GB of logs on the daily basis, by
> setting log_statement = 'all'. So, I'm trying to find a way in between.

As multiple people have noted, it's a serious error to imagine that your
requirement is "log \du etc".  Those are just handy macros for queries on
the system catalogs, which could also be done in other ways.  What you
seem to need is server-side logging of queries that access specific system
catalog columns.  There's no out-of-the-box facility for that right now,
short of log_statement = all which you've already rejected.

It'd be possible to write a C-code extension that did something like
that, and some work in that direction has already gone on; the pg_audit
extension that didn't quite get into 9.5 might come close to your
requirements.

                        regards, tom lane


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux