Reviewed on 10 September 2024 • Published on 05 March 2024
The pgaudit extension is available with Scaleway Managed Databases for PostgreSQL. The extension is a powerful monitoring and logging tool that allows you to keep track of the actions happening in your databases, and record them.
The main purpose of pgaudit is to allow PostgreSQL users to produce audit logs often required to comply with government, financial, and/or ISO certifications.
pgaudit allows you to log different statements executed in your Database Instance, or specific databases. You can keep track of who accessed your databases, what actions were performed, and when, under a structured format.
You can configure the extension to log only what is relevant to your audits.
Cockpit dashboard updates
Starting April 2024, a new version of Cockpit will be released.
In this version, the concept of regionalization will be introduced to offer you more flexibility and resilience for seamless monitoring. If you have created customized dashboards with data for your Scaleway resources before April 2024, you will need to update your queries in Grafana, with the new regionalized data sources.
Session audit logging - logs the operations, such as queries and updates, executed by a user during a session within a database or the entire Database Instance
Object audit logging - logs actions that involve specific data objects, like tables or files.
To use each one, you must configure the pgaudit.log and pgaudit.role settings, respectively.
Both settings can be set up at the Database Instance level, meaning that a global configuration can be applied to all databases within the Instance. You can configure them in the advanced settings of your Database Instance. You can use both settings concurrently.
pgaudit.log can also be configured for specific databases within your Instance.
The pgaudit.log setting determines which classes of statements will be recorded through session audit logging.
The possible values include:
Class
Action
READ
Logs SELECT and COPY commands when the source is a relation or a query.
WRITE
Logs INSERT, UPDATE, DELETE, TRUNCATE, and COPY commands when the destination is a relation.
FUNCTION
Logs function calls and DO blocks.
ROLE
Logs statements related to roles and privileges, such as GRANT, REVOKE, CREATE, ALTER, and DROPROLE.
DDL
Covers all Data Definition Language (DDL) statements not included in the ROLE class.
MISC
Logs miscellaneous commands like DISCARD, FETCH, CHECKPOINT, VACUUM, SET.
MISC_SET
Logs miscellaneous SET commands.
ALL
Includes all of the above classes for comprehensive logging.
Go to the Advanced settings of your Database Instance in the Scaleway console.
Click «Edit Icon».
Click + Add parameters.
Select pgaudit.log in the drop-down.
Enter one or more of the statement class values listed above.
Note
The values must be written in uppercase. If entering more than one class, separate them with a comma and no spaces. For example: READ,WRITE.
Click «Validate Icon» to validate.
Note
The configuration takes a few seconds to be applied. During this time the Database Instance connection remains uninterrupted. However, you must wait until the new configuration is applied to edit your advanced settings again.
You can edit the pgaudit.log values in the advanced settings anytime.
Run the following command to set pgaudit.log for the database. Replace <database> with the name of your database, and <class> with one or more of the statement class values listed above. When listing more than one class, separate them with a comma and no spaces. For example: WRITE,FUNCTION.
database=> ALTER DATABASE <database> SET pgaudit.log = '<class>'
If the operation is successful no output is returned.
Reset the connection to your database to apply the configuration:
Object audit logging is configured through the roles system. The pgaudit.role setting allows you to specify a principal audit role (also known as “master role”).
Various audit roles can be established, delegating responsibility for distinct aspects of audit logging to different groups. These roles must subsequently be assigned to the principal audit role to facilitate audit logging.
The primary function of the principal audit role is to oversee and manage the audit logging process. The auditing process is generally handled by an independent individual or company, which will use the audit logs to perform their audit.
Audit logging for an object (such as a TABLE or VIEW) takes place when the principal audit role has the necessary permissions to log the actions carried out on the object, or when it inherits these permissions from another role.
Currently, only the SELECT, INSERT, UPDATE, and DELETE permissions are supported.
Note
There is no default principal role. You must create a new role, or specify an existing one as the principal audit.
Tip
When specifying principal role for object audit logging, we recommend first revoking all its privileges, and then granting specific audit permissions, to improve auditing.
To set up and grant permissions to the principal audit role follow these instructions:
Run the following command to create a new user. If no output is returned, the operation was successful.
Note
If you want to specify an existing role as the principal audit, you can skip this step.
CREATE ROLE auditor;
You can replace auditor with your name of choice.
Tip
Run \du to see a list of your database roles and check that the new role was created.
Set the role you created as pgaudit.role
SET pgaudit.role = 'auditor';
Note
Alternatively, you can follow these steps to configure pgaudit.role from the Scaleway console:
Go to the Advanced settings of your Database Instance in the Scaleway console.
Click «Edit Icon».
Click + Add parameters.
Select pgaudit.role in the drop-down and enter the name of the role you created to be the principal.
Click «Validate Icon» to validate.
Note
The configuration takes a few seconds to be applied. During this time the Database Instance connection remains uninterrupted. However, you must wait until the new configuration is applied to edit your advanced settings again.
You can edit the pgaudit.role values in the advanced settings anytime.
Run the following command in your Database Instance to grant the principal audit role permissions:
GRANT PERMISSION1, PERMISSION2
on <object>
to <principal-role>;
Replace <PERMISSION1> AND <PERMISSION2> with one or more of the supported permissions, <object> with the name of the data object you want to audit, and auditor with the <principal-role> with the name of the principal role.
If the operation was successful, you see GRANT as an output.
Your logs are accessible via the Scaleway Observability dashboard, Cockpit.
Important
With Cockpit’s free plan, your logs remain available for a week. If you want to extend the volume capacity and the duration of storage, you can upgrade to a paid plan. Refer to the Cockpit FAQ for more information about plans and billing.
All management actions performed via API or the console, such as database creations and deletions, are logged, no matter the configuration. However, the associated read statements are not logged. For example, select statements used to check that actions have been correctly executed are not logged.
When objects are renamed, they will start to be logged under their new name. For more information, refer to the official pgaudit repository on Github
Audit logs are flushed and consume disk space. The log ingestion rate is 4 MB per second.
To avoid log generation from exceeding ingestion, and the subsequent uncontrolled growth of disk usage, make sure you closely monitor the disk usage of the Database Instance.
Important
If the disk space becomes full, some audit logs may be lost, and the database can become unavailable.
Before activating any audits, make sure you define exactly which statements are mandatory.
Some statements might not be important for auditing use cases, such as SELECT. When you generate high-volume logs, they can take up significant disk space.
Tip
When it comes to SELECT and DML statements, we recommend opting for an object audit logging configuration rather than a session audit one. Refer to the official pgaudit Github repository for more information.
To set up session audit logging of all statements in all databases and roles, set pgaudit.log to ALL in the advanced settings tab of your Database Instance dashboard in the Scaleway console.
To set up session audit logging only of Data Manipulation Language (DML) statements for all databases and roles, set pgaudit.log to WRITE in the advanced settings tab of your Database Instance dashboard in the Scaleway console.
session audit logging of all statements except READ and WRITE for all databases and roles, and
object audit logging of SELECT, INSERT, UPDATE, and DELETE statements only on a specific table in a database.
Set pgaudit.log to FUNCTION,ROLE,DDL,MISC,MISC_SET, and the pgaudit.role as auditor in the advanced settings tab of your Database Instance dashboard in the Scaleway console. You can replace auditor with the name of your principal audit role.