Postgres Pro
Downloads
Home   >   mailing lists

Re: Loggingt psql meta-commands - Mailing list pgsql-general

From oleg yusim
Subject Re: Loggingt psql meta-commands
Date
Msg-id CAKd4e_EJ_knr_WXSBh3LT3_f=hqBUjvFtUz4OgFJTa_u_bsj9A@mail.gmail.com
Whole thread Raw
In response to Re: Loggingt psql meta-commands  (Adrian Klaver <adrian.klaver@aklaver.com>)
Responses Re: Loggingt psql meta-commands  (Adrian Klaver <adrian.klaver@aklaver.com>)
Re: Loggingt psql meta-commands  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
Tree view
Adrian,

What I hope to achieve is to meet this requirement from Database SRG:

Review DBMS documentation to verify that audit records can be produced when privileges/permissions/role memberships are retrieved.

To do that I would need to enable logging of such commands as \du, \dp, \z. At the same time, I do not want to get 20 GB of logs on the daily basis, by setting log_statement = 'all'. So, I'm trying to find a way in between.

Thanks,

Oleg



On Thu, Dec 10, 2015 at 3:29 PM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
On 12/10/2015 12:56 PM, oleg yusim wrote:
So what I want to accomplish is logging queries for roles/privileges
with minimal increasing volume of logs along the way. The idea I got
from responses in this thread so far is:

1) Set log_statement on postgresql.conf to 'mod'
2) Raise log_statement to 'all' but only for postgres superuser

What seems to be open questions to me with this model:

1) Way to check what log_statement set to on per user basis (what table
should I query?)
2) Way to ensure that only superuser can run meta commands, such as \du,
\dp, \z

 Maybe if you tell us what you hope to achieve, monitoring or access denial and to what purpose, it might be possible to come up with a more complete answer.


Thanks,

Oleg

On Thu, Dec 10, 2015 at 2:50 PM, David G. Johnston
 <david.g.johnston@gmail.com <mailto:david.g.johnston@gmail.com>> wrote:

    On Thu, Dec 10, 2015 at 1:46 PM, oleg yusim <olegyusim@gmail.com
     <mailto:olegyusim@gmail.com>>wrote:

        Hi David,

        Can you, please, give me example?


    ​Not readily...maybe others can.  Putting forth specific examples of
    what you want to accomplish may help.

    David J.​




--
Adrian Klaver
adrian.klaver@aklaver.com

pgsql-general by date:

Previous
From: Adrian Klaver
Date:
Subject: Re: Loggingt psql meta-commands
Next
From: John R Pierce
Date:
Subject: Re: Loggingt psql meta-commands