PGAudit: Postgres Auditing

PGAudit is a PostgreSQL extension for logging session and object auditing over the standard PostgreSQL logging utility.

PGAudit grants fine grain control over which statements and objects are emitted to logs.

Enable the extension#

Go to the Database page in the Dashboard.
Click on Extensions in the sidebar.
Search for "pgaudit" and enable the extension.

Settings#

The pgaudit.log setting controls which statements to log. Available values include:

read: SELECT and COPY when the source is a relation or a query.
write: INSERT, UPDATE, DELETE, TRUNCATE, and COPY when the destination is a relation.
function: Function calls and DO blocks.
role: Statements related to roles and privileges: GRANT, REVOKE, CREATE/ALTER/DROP ROLE.
ddl: All DDL that is not included in the ROLE class.
misc: Miscellaneous commands, e.g. DISCARD, FETCH, CHECKPOINT, VACUUM, SET.
misc_set: Miscellaneous SET commands, e.g. SET ROLE.
all: Include all of the above.

For a full list of available settings see settings docs. Be aware that the all setting will generate a very large volume of logs.

Example#

Given a pgaudit setting


_10set pgaudit.log = 'read, ddl';

The following create table, insert and select statements


_10create table account (
_10  id int primary key,
_10  name text,
_10  description text
_10);
_10
_10insert into account (id, name, description)
_10values (1, 'Foo Barsworth', 'Customer account');
_10
_10select * from account;

Results in the log output


_10AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.account,create table account(
_10  id int,
_10  name text,
_10  description text
_10);,<not logged>
_10AUDIT: SESSION,2,1,READ,SELECT,,,select * from account,,<not logged>

Note that the insert statement is not logged because we did not include the write option for pgaudit.log.

Resources#

Official PGAudit documentation

Edit this page on GitHub