The pgaudit extension is available with Scaleway Managed Databases for PostgreSQL. The extension is a powerful monitoring and logging tool that allows you to keep track of the actions happening in your databases, and record them.
The main purpose of pgaudit is to allow PostgreSQL users to produce audit logs often required to comply with government, financial, and/or ISO certifications.
pgaudit allows you to log different statements executed in your Database Instance, or specific databases. You can keep track of who accessed your databases, what actions were performed, and when, under a structured format.
You can configure the extension to log only what is relevant to your audits.
Cockpit dashboard updates
Starting April 2024, a new version of Cockpit will be released.
In this version, the concept of regionalization will be introduced to offer you more flexibility and resilience for seamless monitoring. If you have created customized dashboards with data for your Scaleway resources before April 2024, you will need to update your queries in Grafana, with the new regionalized data sources.
To complete the actions presented below, you must have:
Click PostgreSQL and MySQL under Managed Databases on the side menu of the Scaleway console. A list of your Database Instances displays.
Click the Database Instance name or «See more Icon» > More info to access the Instance information page.
Click the Advanced settings tab.
Click «Edit Icon».
Click + Add parameters.
Select rdb.enable_pgaudit in the drop-down menu and click the toggle to set it to on.
Click «Validate Icon» to validate. Your Database Instance restarts.
Restarting can take several seconds depending on the size of your Database Instance.
Run the following command to install the pgaudit extension.
If the operation is successful, no output is returned.
pgaudit provides two different types of logging:
To use each one, you must configure the pgaudit.log and pgaudit.role settings, respectively.
Both settings can be set up at the Database Instance level, meaning that a global configuration can be applied to all databases within the Instance. You can configure them in the advanced settings of your Database Instance. You can use both settings concurrently.
pgaudit.log can also be configured for specific databases within your Instance.
The pgaudit.log setting determines which classes of statements will be recorded through session audit logging.
The possible values include:
| Class | Action |
|---|---|
READ | Logs SELECT and COPY commands when the source is a relation or a query. |
WRITE | Logs INSERT, UPDATE, DELETE, TRUNCATE, and COPY commands when the destination is a relation. |
FUNCTION | Logs function calls and DO blocks. |
ROLE | Logs statements related to roles and privileges, such as GRANT, REVOKE, CREATE, ALTER, and DROP ROLE. |
DDL | Covers all Data Definition Language (DDL) statements not included in the ROLE class. |
MISC | Logs miscellaneous commands like DISCARD, FETCH, CHECKPOINT, VACUUM, SET. |
MISC_SET | Logs miscellaneous SET commands. |
ALL | Includes all of the above classes for comprehensive logging. |
pgaudit.log in the drop-down.The values must be written in uppercase. If entering more than one class, separate them with a comma and no spaces. For example: READ,WRITE.
The configuration takes a few seconds to be applied. During this time the Database Instance connection remains uninterrupted. However, you must wait until the new configuration is applied to edit your advanced settings again.
You can edit the pgaudit.log values in the advanced settings anytime.
Connect to your database as an admin user.
Run the following command to set pgaudit.log for the database. Replace <database> with the name of your database, and <class> with one or more of the statement class values listed above. When listing more than one class, separate them with a comma and no spaces. For example: WRITE,FUNCTION.
If the operation is successful no output is returned.
Reset the connection to your database to apply the configuration:
Run \drds to see a list of your settings. You should get an output like the following:
Object audit logging is configured through the roles system. The pgaudit.role setting allows you to specify a principal audit role (also known as “master role”).
Various audit roles can be established, delegating responsibility for distinct aspects of audit logging to different groups. These roles must subsequently be assigned to the principal audit role to facilitate audit logging.
The primary function of the principal audit role is to oversee and manage the audit logging process. The auditing process is generally handled by an independent individual or company, which will use the audit logs to perform their audit.
Audit logging for an object (such as a TABLE or VIEW) takes place when the principal audit role has the necessary permissions to log the actions carried out on the object, or when it inherits these permissions from another role.
Currently, only the SELECT, INSERT, UPDATE, and DELETE permissions are supported.
There is no default principal role. You must create a new role, or specify an existing one as the principal audit.
When specifying a principal role for object audit logging, we recommend first revoking all its privileges, and then granting specific audit permissions, to improve auditing.
To set up and grant permissions to the principal audit role follow these instructions:
Connect to your database as an admin user.
Run the following command to create a new user. If no output is returned, the operation was successful.
If you want to specify an existing role as the principal audit, you can skip this step.
You can replace auditor with your name of choice.
Run \du to see a list of your database roles and check that the new role was created.
Set the role you created as pgaudit.role
Alternatively, you can follow these steps to configure pgaudit.role from the Scaleway console:
pgaudit.role in the drop-down and enter the name of the role you created to be the principal.The configuration takes a few seconds to be applied. During this time the Database Instance connection remains uninterrupted. However, you must wait until the new configuration is applied to edit your advanced settings again.
You can edit the pgaudit.role values in the advanced settings anytime.
Run the following command in your Database Instance to grant the principal audit role permissions:
Replace <PERMISSION1> AND <PERMISSION2> with one or more of the supported permissions, <object> with the name of the data object you want to audit, and auditor with the <principal-role> with the name of the principal role.
If the operation was successful, you see GRANT as an output.
Your logs are accessible via the Scaleway Observability dashboard, Cockpit.
With Cockpit’s free plan, your logs remain available for a week. If you want to extend the volume capacity and the duration of storage, you can upgrade to a paid plan. Refer to the Cockpit FAQ for more information about plans and billing.
All management actions performed via API or the console, such as database creations and deletions, are logged, no matter the configuration. However, the associated read statements are not logged. For example, select statements used to check that actions have been correctly executed are not logged.
When objects are renamed, they will start to be logged under their new name. For more information, refer to the official pgaudit repository on Github
Audit logs are displayed in a specific format that you can also find referenced in the official pgaudit repository on Github
Audit logs are flushed and consume disk space. The log ingestion rate is 4 MB per second.
To avoid log generation from exceeding ingestion, and the subsequent uncontrolled growth of disk usage, make sure you closely monitor the disk usage of the Database Instance.
If the disk space becomes full, some audit logs may be lost, and the database can become unavailable.
Before activating any audits, make sure you define exactly which statements are mandatory.
Some statements might not be important for auditing use cases, such as SELECT. When you generate high-volume logs, they can take up significant disk space.
When it comes to SELECT and DML statements, we recommend opting for an object audit logging configuration rather than a session audit one. Refer to the official pgaudit Github repository for more information.
Connect to your database as an admin user.
Run the following command to deactivate the pgaudit extension in your Database Instance.
Go to the Advanced settings of your Database Instance in the Scaleway console.
Click «Edit Icon».
Click + Add parameters.
Select rdb.enable_pgaudit in the drop-down and click the toggle to set it to off.
Click «Validate Icon» to validate. Your Database Instance restarts.
If you reactivate the extension, your previous configuration is applied.
To set up session audit logging of all statements in all databases and roles, set pgaudit.log to ALL in the advanced settings tab of your Database Instance dashboard in the Scaleway console.
To set up session audit logging only of Data Manipulation Language (DML) statements for all databases and roles, set pgaudit.log to WRITE in the advanced settings tab of your Database Instance dashboard in the Scaleway console.
To set up session audit logging of all statements in only one database, you must:
pgaudit.log to NONE in the advanced settings tab of your Database Instance dashboard in the Scaleway console.
mydb with the name of your database.To set up:
READ and WRITE for all databases and roles, andSELECT, INSERT, UPDATE, and DELETE statements only on a specific table in a database.Set pgaudit.log to FUNCTION,ROLE,DDL,MISC,MISC_SET, and the pgaudit.role as auditor in the advanced settings tab of your Database Instance dashboard in the Scaleway console. You can replace auditor with the name of your principal audit role.
There is no default principal role. You must create a new role, or specify an existing one as the principal audit.
Connect to your database as an admin user and run the following command:
Replace mydb with the name of your database and mytable with the name of the table.