Thread: pgaudit and create postgis extension logs a lot inserts
Hi,
I have installed pgaudit, and configured as:
pgaudit.log = 'ddl,role'
pgaudit.log_level = 'log' (default)
Versions: postgresql96 (9.6.6) , pgaudit96 (1.0.4), postgis 2.3.2, Rhel 7.4
When I then install postgis extension in a database it writes a huge amount of logs which slow down the server a lot.
Not only table creation and functions are logged, even all inserts in spatial_ref_sys are written to the audit-log.
LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,,"
......
INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name"
....
This behaviour make pgaudit useless in our environment due to the overhead in log-file write.
I have tried different combinations of pgaudit.log settings (role,-functions), (role), and also changed pgaudit.log_level to warning, but it was not better.
Does anybody have a useful pgaudit settings which not overflow the log files, even when installing postgis or other extensions?
Also noticed that setting a session log to none (set pgaudit.log='none';) overrides parameter from postgresql.conf, but does not get logged, and then you can do whatever you want without any audit.
I supposed this changing of audit session log parameter should be logged to file?
Regards,
Peter
I have installed pgaudit, and configured as:
pgaudit.log = 'ddl,role'
pgaudit.log_level = 'log' (default)
Versions: postgresql96 (9.6.6) , pgaudit96 (1.0.4), postgis 2.3.2, Rhel 7.4
When I then install postgis extension in a database it writes a huge amount of logs which slow down the server a lot.
Not only table creation and functions are logged, even all inserts in spatial_ref_sys are written to the audit-log.
LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,,"
......
INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name"
....
This behaviour make pgaudit useless in our environment due to the overhead in log-file write.
I have tried different combinations of pgaudit.log settings (role,-functions), (role), and also changed pgaudit.log_level to warning, but it was not better.
Does anybody have a useful pgaudit settings which not overflow the log files, even when installing postgis or other extensions?
Also noticed that setting a session log to none (set pgaudit.log='none';) overrides parameter from postgresql.conf, but does not get logged, and then you can do whatever you want without any audit.
I supposed this changing of audit session log parameter should be logged to file?
Regards,
Peter
On 01/18/2018 04:12 AM, Svensson Peter wrote: > When I then install postgis extension in a database it writes a huge > amount of logs which slow down the server a lot. > Not only table creation and functions are logged, even all inserts in > spatial_ref_sys are written to the audit-log. > > LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,," > ...... > INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name" > .... > > This behaviour make pgaudit useless in our environment due to the > overhead in log-file write. How often do you intend to install PostGIS? Disable pgaudit, install PostGIS, enable pgaudit? Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
Attachment
A test to create postgis extension made 4 rsyslog processes run for several minutes with high cpu util, and when you have only 8 cpu:s this take lot of resources. The create command also have to wait until all the log are written so there are great impact. Log file got 16 GB big only for this. We have several databases in the same server, some of them with postgis. Those databases are maintained bye different people, and tell them to disable pgaudit every time they are doing something that can cause lot log will create a bad behaviour, especially when we cannot see in the logs that they have disabled pgaudit. I think postgis extension is not the only extention that creates both tables, functions and insert data, but if there are a way to configure pgaudit so you get rid of the inserts maybe its a way to handle it. /Peter ________________________________________ Från: Joe Conway [mail@joeconway.com] Skickat: den 18 januari 2018 17:54 Till: Svensson Peter; pgsql-performance@postgresql.org Ämne: Re: pgaudit and create postgis extension logs a lot inserts On 01/18/2018 04:12 AM, Svensson Peter wrote: > When I then install postgis extension in a database it writes a huge > amount of logs which slow down the server a lot. > Not only table creation and functions are logged, even all inserts in > spatial_ref_sys are written to the audit-log. > > LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,," > ...... > INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name" > .... > > This behaviour make pgaudit useless in our environment due to the > overhead in log-file write. How often do you intend to install PostGIS? Disable pgaudit, install PostGIS, enable pgaudit? Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
On Thu, Jan 18, 2018 at 6:54 PM, Joe Conway <mail@joeconway.com> wrote:
On 01/18/2018 04:12 AM, Svensson Peter wrote:
> When I then install postgis extension in a database it writes a huge
> amount of logs which slow down the server a lot.
> Not only table creation and functions are logged, even all inserts in
> spatial_ref_sys are written to the audit-log.
>
> LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,,"
> ......
> INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name"
> ....
>
> This behaviour make pgaudit useless in our environment due to the
> overhead in log-file write.
How often do you intend to install PostGIS? Disable pgaudit, install
PostGIS, enable pgaudit?
Would it make sense for pgaudit to, at least by option, not include DDL statements that are generated as "sub-parts" of a CREATE EXTENSION? It should still log the CREATE EXTENSION of course, but not necessarily all the contents of it, since that's actually defined in the extension itself already?
Please remove me from this list. Thanks. Karen Stone| Technical Services| Eldorado |a Division of MphasiS 5353 North 16th Street, Suite 400, Phoenix, Arizona 85016-3228 Tel (928) 892 5735 | www.eldoinc.com | www.mphasis.com |kstone@eldocomp.com -----Original Message----- From: Svensson Peter [mailto:peter.svensson@smhi.se] Sent: Friday, January 19, 2018 4:04 AM To: Joe Conway <mail@joeconway.com>; pgsql-performance@postgresql.org Subject: SV: pgaudit and create postgis extension logs a lot inserts A test to create postgis extension made 4 rsyslog processes run for several minutes with high cpu util, and when you haveonly 8 cpu:s this take lot of resources. The create command also have to wait until all the log are written so there are great impact. Log file got 16 GB big only for this. We have several databases in the same server, some of them with postgis. Those databases are maintained bye different people, and tell them to disable pgaudit every time they are doing somethingthat can cause lot log will create a bad behaviour, especially when we cannot see in the logs that they have disabledpgaudit. I think postgis extension is not the only extention that creates both tables, functions and insert data, but if there area way to configure pgaudit so you get rid of the inserts maybe its a way to handle it. /Peter ________________________________________ Från: Joe Conway [mail@joeconway.com] Skickat: den 18 januari 2018 17:54 Till: Svensson Peter; pgsql-performance@postgresql.org Ämne: Re: pgaudit and create postgis extension logs a lot inserts On 01/18/2018 04:12 AM, Svensson Peter wrote: > When I then install postgis extension in a database it writes a huge > amount of logs which slow down the server a lot. > Not only table creation and functions are logged, even all inserts > in spatial_ref_sys are written to the audit-log. > > LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,," > ...... > INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name" > .... > > This behaviour make pgaudit useless in our environment due to the > overhead in log-file write. How often do you intend to install PostGIS? Disable pgaudit, install PostGIS, enable pgaudit? Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
On 1/19/18 6:05 AM, Magnus Hagander wrote: > > > On Thu, Jan 18, 2018 at 6:54 PM, Joe Conway <mail@joeconway.com > <mailto:mail@joeconway.com>> wrote: > > On 01/18/2018 04:12 AM, Svensson Peter wrote: > > When I then install postgis extension in a database it writes a huge > > amount of logs which slow down the server a lot. > > Not only table creation and functions are logged, even all inserts in > > spatial_ref_sys are written to the audit-log. > > > > LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,," > > ...... > > INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name" > > .... > > > > This behaviour make pgaudit useless in our environment due to the > > overhead in log-file write. > > How often do you intend to install PostGIS? Disable pgaudit, install > PostGIS, enable pgaudit? > > > Would it make sense for pgaudit to, at least by option, not include DDL > statements that are generated as "sub-parts" of a CREATE EXTENSION? It > should still log the CREATE EXTENSION of course, but not necessarily all > the contents of it, since that's actually defined in the extension > itself already? That's doable, but I think it could be abused if it was always on and installing extensions is generally not a daily activity. It seems in this case the best action is to disable pgaudit before installing postgis or install postgis first. Regards, -- -David david@pgmasters.net
Hi Peter, On 1/18/18 7:12 AM, Svensson Peter wrote: > > Also noticed that setting a session log to none (set > pgaudit.log='none';) overrides parameter from postgresql.conf, but > does not get logged, and then you can do whatever you want without any > audit. > I supposed this changing of audit session log parameter should be > logged to file? pgaudit is not intended to audit the superuser and only a superuser can set pgaudit.log. However, you can limit superuser access with the setuser extension: https://github.com/pgaudit/set_user Regards, -- -David david@pgmasters.net
On Fri, Jan 19, 2018 at 3:41 PM, David Steele <david@pgmasters.net> wrote:
On 1/19/18 6:05 AM, Magnus Hagander wrote:
>
>
> On Thu, Jan 18, 2018 at 6:54 PM, Joe Conway <mail@joeconway.com
> <mailto:mail@joeconway.com>> wrote:
>
> On 01/18/2018 04:12 AM, Svensson Peter wrote:
> > When I then install postgis extension in a database it writes a huge
> > amount of logs which slow down the server a lot.
> > Not only table creation and functions are logged, even all inserts in
> > spatial_ref_sys are written to the audit-log.
> >
> > LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,,"
> > ......
> > INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name"
> > ....
> >
> > This behaviour make pgaudit useless in our environment due to the
> > overhead in log-file write.
>
> How often do you intend to install PostGIS? Disable pgaudit, install
> PostGIS, enable pgaudit?
>
>
> Would it make sense for pgaudit to, at least by option, not include DDL
> statements that are generated as "sub-parts" of a CREATE EXTENSION? It
> should still log the CREATE EXTENSION of course, but not necessarily all
> the contents of it, since that's actually defined in the extension
> itself already?
That's doable, but I think it could be abused if it was always on and
installing extensions is generally not a daily activity.
Probably true, yeah. It can certainly be part of a daily activity in say CI environments etc, but those are not likely environments where pg_audit makes that much sense in the first place.
OK, thanks a lot. Regards, Peter ________________________________________ Från: David Steele [david@pgmasters.net] Skickat: den 19 januari 2018 14:41 Till: Magnus Hagander; Joe Conway Kopia: Svensson Peter; pgsql-performance@postgresql.org Ämne: Re: pgaudit and create postgis extension logs a lot inserts On 1/19/18 6:05 AM, Magnus Hagander wrote: > > > On Thu, Jan 18, 2018 at 6:54 PM, Joe Conway <mail@joeconway.com > <mailto:mail@joeconway.com>> wrote: > > On 01/18/2018 04:12 AM, Svensson Peter wrote: > > When I then install postgis extension in a database it writes a huge > > amount of logs which slow down the server a lot. > > Not only table creation and functions are logged, even all inserts in > > spatial_ref_sys are written to the audit-log. > > > > LOG: AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,," > > ...... > > INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name" > > .... > > > > This behaviour make pgaudit useless in our environment due to the > > overhead in log-file write. > > How often do you intend to install PostGIS? Disable pgaudit, install > PostGIS, enable pgaudit? > > > Would it make sense for pgaudit to, at least by option, not include DDL > statements that are generated as "sub-parts" of a CREATE EXTENSION? It > should still log the CREATE EXTENSION of course, but not necessarily all > the contents of it, since that's actually defined in the extension > itself already? That's doable, but I think it could be abused if it was always on and installing extensions is generally not a daily activity. It seems in this case the best action is to disable pgaudit before installing postgis or install postgis first. Regards, -- -David david@pgmasters.net
On Fri, Jan 19, 2018 at 11:03:42AM +0000, Svensson Peter wrote: > > A test to create postgis extension made 4 rsyslog processes run for several minutes with high cpu util, > and when you have only 8 cpu:s this take lot of resources. > The create command also have to wait until all the log are written so there are great impact. > Log file got 16 GB big only for this. Uh, that seems odd. Is rsyslog fsync'ing each write? You should check the docs on that. Here is an example report: http://kb.monitorware.com/simple-question-what-does-the-dash-t10237.html I don't see the dash behavior mentioned in my Debian Jessie rsyslogd manual page though. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +