Enterprise Postgres 14 SP1 Security Operation Guide
FUJITSU Software

6.3 pgaudit Configuration File

In the pgaudit configuration file, specify the information required for pgaudit actions. The pgaudit configuration file comprises three sections: "output section", "option section", and "rule section".

output section

The output section is specified using the format below:

The valid parameters in the output section are listed below (parameter name, description, remarks).

logger
  Description: Dedicated log file (auditlog) or server log (serverlog) that will be the output destination of the audit log.
  Remarks: The default is "auditlog" (dedicated log file). The dedicated log file is output using the same encoding as used for the database.

log_directory
  Description: Directory where the audit log is to be created.
  Remarks: Specify the full path or the relative path from the data storage directory. The default is "pgaudit_log". Enabled only if "auditlog" is specified for the logger parameter.

log_filename
  Description: File name of the audit log.
  Remarks: Specify a file name that varies according to the time, in the same manner as for log_filename in the postgresql.conf file. The default is "pgaudit-%Y-%m-%d_%H%M%S.log". Enabled only if "auditlog" is specified for the logger parameter.

log_file_mode
  Description: Permissions of the audit log file; set them so that only permitted persons can access it.
  Remarks: The parameter value is the numeric mode in the format accepted by the chmod and umask system calls. The default is "0600". Refer to "log_file_mode" in "6.2 Setup" for information on audit log file permissions. Enabled only if "auditlog" is specified for the logger parameter.

log_rotation_age
  Description: Maximum age of the audit log file.
  Remarks: A new audit log file is generated when the time (in minutes) specified here elapses. To disable generation of new log files based on time, specify "0". The valid units are "min" (minutes), "h" (hours), and "d" (days); if the unit is omitted, "min" is used. The default is "1d" (1 day). Enabled only if "auditlog" is specified for the logger parameter.

log_rotation_size
  Description: Maximum size of the audit log file.
  Remarks: A new log file is generated after logs of the size specified here have been output to the current log file. To disable generation of new log files based on size, specify "0". The valid units are "kB" (kilobytes), "MB" (megabytes), and "GB" (gigabytes); if the unit is omitted, "kB" is used. The default is "10MB". Enabled only if "auditlog" is specified for the logger parameter.

log_truncate_on_rotation
  Description: When rotating audit log files based on time, whether to overwrite (on) or not overwrite (off) an existing audit log file of the same name. For example, if "on" is specified and "pgaudit-%H.log" is specified for log_filename, 24 separate log files are generated based on the hour, and those files are cyclically overwritten.
  Remarks: The default is "off". If "off" is specified, the logs are appended to the existing audit log files. Enabled only if "auditlog" is specified for the logger parameter.

fifo_directory
  Description: Directory for the FIFO (named pipe) used between the daemon process that outputs the audit log files and the backend process.
  Remarks: A FIFO named p.PGAUDIT.nnnn (nnnn is the postmaster PID) is created in the fifo_directory directory. Do not delete this file manually. The default is "/tmp". Enabled only if "auditlog" is specified for the logger parameter.


Information

If the logger parameter is set to "serverlog", audit logs are output to the server log as ordinary log messages. The status information and message severity level defined by the log_line_prefix parameter in postgresql.conf are therefore output at the beginning of each audit log line.

If the logger parameter is omitted or set to "auditlog", audit logs are output to a dedicated log file as dedicated logs. The status information and message severity level defined by the log_line_prefix parameter in postgresql.conf are therefore not output.

Refer to "Output format" in "6.4 Session Audit Logging" or "Output format" in "6.5 Object Audit Logging" for information on the output format of audit logs.

Point

The pgaudit log_file_mode configuration parameter setting is separate from, and unaffected by, the log_file_mode GUC parameter setting and the -g/--allow-group-access initdb option.

When using a dedicated pgaudit log file, the pgaudit log_directory location defaults to a directory inside the data storage directory, so the pgaudit log_file_mode permissions can conflict with the file permissions intended by the -g/--allow-group-access initdb option. In this case, set the pgaudit log_directory to a directory located outside of the data storage directory.


option section

The option section is specified using the format below:

The valid parameters in the option section are listed below (parameter name, description, remarks).

role
  Description: Name of the role used in Object Audit Logging.
  Remarks: If the name contains uppercase characters, key words, multibyte characters, or commas, enclose it in double quotation marks. Parameter used in Object Audit Logging only.

log_catalog
  Description: Whether to enable (on) or disable (off) log output for access to pg_catalog.
  Remarks: Specify "off" if you do not want audit logs for statements that access pg_catalog. The default is "on" (enabled).

log_parameter
  Description: Whether to enable (on) or disable (off) output of the parameter values passed in SQL execution.
  Remarks: The default is "off" (disabled).

log_statement_once
  Description: Whether to suppress (on) or not suppress (off) output for the second and subsequent occurrences when the same SQL statement is the log output target.
  Remarks: The default is "off" (do not suppress).

log_level
  Description: Log level of audit logs.
  Remarks: The valid values are "DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1", "INFO", "NOTICE", "WARNING", and "LOG". The default is "LOG". Enabled only if "serverlog" is specified for the logger parameter.

rule section

The rule section is used in Session Audit Logging. Refer to "6.4 Session Audit Logging" for details.

Note

Do not specify the rule section if the role parameter has been specified in the option section. If both are specified, the audit logs of Object Audit Logging and Session Audit Logging are output intermingled, and you will be unable to view the logs in CSV format.
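The constraints stated across the output section, the option section and the note above can be checked before a configuration is deployed. The following linter is an added example written for this guide; it is not Fujitsu's code and does not ship with pgaudit. It assumes an INI-style file with [output], [option] and [rule] headers and "name = value" lines (values optionally single-quoted); the real section syntax is shown elsewhere in the guide and may differ. The sample configurations embedded at the end are constructed for illustration.

```python
"""Lint a pgaudit configuration file against the rules in section 6.3.

Added example, not Fujitsu's code. ASSUMPTION: sections are written as
[output] / [option] / [rule] with "name = value" lines (values may be
single-quoted). Only parameters named in section 6.3 are checked.
"""
import os
import re

SECTIONS = ("output", "option", "rule")
ROTATION_AGE_UNITS = {"min": 1, "h": 60, "d": 1440}              # in minutes
ROTATION_SIZE_UNITS = {"kB": 1, "MB": 1024, "GB": 1024 * 1024}    # in kilobytes


def parse_pgaudit_conf(text):
    """Return {section: {name: value}}; unknown sections or lines are errors."""
    conf = {s: {} for s in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            if current not in SECTIONS:
                raise ValueError(f"unknown section [{current}]")
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*'?([^']*)'?", line)
        if not m or current is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        conf[current][m.group(1)] = m.group(2).strip()
    return conf


def parse_amount(value, units, default_unit):
    """Parse values such as '1d' or '10MB'; a bare number takes the default unit."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]*)", value.strip())
    if not m or (m.group(2) and m.group(2) not in units):
        raise ValueError(f"invalid value {value!r}")
    return int(m.group(1)) * units[m.group(2) or default_unit]


def lint_pgaudit_conf(text, data_dir, group_access=False):
    """Return a list of (severity, message) findings for the configuration.

    data_dir is the data storage directory (relative log_directory values are
    resolved against it); group_access says whether initdb was run with
    -g/--allow-group-access, which the Point above says can conflict with the
    default in-data-directory log location.
    """
    conf = parse_pgaudit_conf(text)
    out, opt = conf["output"], conf["option"]
    findings = []
    logger = out.get("logger", "auditlog")            # default per the table
    if logger not in ("auditlog", "serverlog"):
        findings.append(("error", f"logger must be auditlog or serverlog, got {logger!r}"))
    if logger == "auditlog":
        try:
            mode = int(out.get("log_file_mode", "0600"), 8)
            if mode & 0o077:                          # any group/other bits set
                findings.append(("warning", f"log_file_mode {mode:04o} grants access "
                                            "beyond the owner; the default is 0600"))
        except ValueError:
            findings.append(("error", "log_file_mode is not a numeric mode"))
        # os.path.join keeps an absolute log_directory and resolves a relative one
        # against the data storage directory, matching the table's semantics.
        log_dir = os.path.abspath(os.path.join(data_dir, out.get("log_directory", "pgaudit_log")))
        data_abs = os.path.abspath(data_dir)
        if group_access and os.path.commonpath([log_dir, data_abs]) == data_abs:
            findings.append(("warning", "log_directory is inside the data storage directory; "
                                        "log_file_mode can conflict with --allow-group-access"))
        for name, units, default in (("log_rotation_age", ROTATION_AGE_UNITS, "min"),
                                     ("log_rotation_size", ROTATION_SIZE_UNITS, "kB")):
            if name in out:
                try:
                    parse_amount(out[name], units, default)
                except ValueError as exc:
                    findings.append(("error", f"{name}: {exc}"))
        if "log_level" in opt:
            findings.append(("info", "log_level is only effective when logger = serverlog"))
    if "role" in opt and conf["rule"]:
        findings.append(("error", "rule section and option role are both specified; "
                                  "Object and Session Audit Logging output would be intermingled"))
    for name, default in (("log_catalog", "on"), ("log_parameter", "off"), ("log_statement_once", "off")):
        if opt.get(name, default) not in ("on", "off"):
            findings.append(("error", f"{name} must be on or off"))
    return findings


# Constructed sample configurations (not from the guide).
BAD_CONF = """
[output]
log_file_mode = 0644
log_rotation_age = 1d
[option]
role = 'auditor'
log_level = 'LOG'
[rule]
class = 'READ'
"""

GOOD_CONF = """
[output]
logger = 'auditlog'
log_directory = '/var/log/pgaudit'
log_file_mode = 0600
log_rotation_size = 10MB
[rule]
class = 'READ'
"""

if __name__ == "__main__":
    for severity, message in lint_pgaudit_conf(BAD_CONF, "/srv/pgdata", group_access=True):
        print(f"{severity}: {message}")
```

Running the block prints the four findings for BAD_CONF (a permissive log_file_mode, the in-data-directory log location under --allow-group-access, an ineffective log_level, and the role/rule conflict), while GOOD_CONF yields none.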