Re: how _not_ to log?

From Adrian Klaver
Subject Re: how _not_ to log?
Date
Msg-id 51F1BAB4.8070400@gmail.com
In reply to how _not_ to log?  (Tim Spencer <tspencer@cloudpassage.com>)
Responses Re: how _not_ to log?  (Marko Kreen <markokr@gmail.com>)
List pgsql-general
On 07/25/2013 03:59 PM, Tim Spencer wrote:
> Hello there!
>
>     I've seen lots of people who have asked questions about how to log this or that, but I have the opposite question! :-)  I'm seeing this in my logs:
>
> Jul 25 18:08:11 staging-db11 postgres[27050]: [10-2] STATEMENT:  create role pguser encrypted password 'XXX';
>
>     Where XXX is the actual password.  This happens every 30 minutes when my chef client kicks off and resets the passwords. Here's everything that I have in postgres.conf related to logging:
>

>
>     What I'd like to do is stop logging create role commands, as the logs end up full of passwords.  Is there any way to do this?  Thanks, and have fun!

The STATEMENT you show is from another process?

I would expect resetting of passwords to use ALTER ROLE.

As an aside:

http://www.postgresql.org/docs/9.2/interactive/sql-alterrole.html

Caution must be exercised when specifying an unencrypted password
with this command. The password will be transmitted to the server in
cleartext, and it might also be logged in the client's command history
or the server log. psql contains a command \password that can be used to
change a role's password without exposing the cleartext password.

As to how to make it stop, set log_statement = 'none' ?

This will not log anything though, see below for details:

http://www.postgresql.org/docs/9.2/interactive/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT

log_statement (enum)
Controls which SQL statements are logged. Valid values are none (off),
ddl, mod, and all (all statements). ddl logs all data definition
statements, such as CREATE, ALTER, and DROP statements. mod logs all ddl
statements, plus data-modifying statements such as INSERT, UPDATE,
DELETE, TRUNCATE, and COPY FROM. PREPARE, EXECUTE, and EXPLAIN ANALYZE
statements are also logged if their contained command is of an
appropriate type. For clients using extended query protocol, logging
occurs when an Execute message is received, and values of the Bind
parameters are included (with any embedded single-quote marks doubled).

The default is none. Only superusers can change this setting.


>
>         -tspencer
>
>
>


--
Adrian Klaver
adrian.klaver@gmail.com
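
What the quoted documentation says psql's \password achieves, sketched as an added example (not code from this thread or from PostgreSQL): the client hashes the password before sending it, so a statement logged under log_statement = 'ddl' carries only the hashed form. It assumes the md5 password format of 9.2-era servers; the helper names and the sample password are constructed for illustration.

```python
import hashlib
import re


def pg_md5_verifier(role: str, password: str) -> str:
    """PostgreSQL's md5 password form: 'md5' + md5(password || role name)."""
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest


def quote_ident(name: str) -> str:
    """Quote a role name as an SQL identifier (embedded quotes doubled)."""
    return '"' + name.replace('"', '""') + '"'


def alter_role_statement(role: str, password: str) -> str:
    """Statement a provisioning client can send; the cleartext never appears."""
    return "ALTER ROLE %s ENCRYPTED PASSWORD '%s';" % (
        quote_ident(role), pg_md5_verifier(role, password))


# Password literal in a logged CREATE/ALTER ROLE or USER statement.
_PW_LITERAL = re.compile(
    r"(\b(?:create|alter)\s+(?:role|user)\b.*?\bpassword\s+)'((?:[^']|'')*)'",
    re.IGNORECASE)


def redact(line: str) -> str:
    """Mask cleartext password literals in an existing log line.

    Values already in the md5 form are left as they are.
    """
    def _mask(match):
        if re.fullmatch(r"md5[0-9a-f]{32}", match.group(2)):
            return match.group(0)
        return match.group(1) + "'[REDACTED]'"
    return _PW_LITERAL.sub(_mask, line)


if __name__ == "__main__":
    # Constructed sample: the log line from the question with a made-up password.
    logged = ("Jul 25 18:08:11 staging-db11 postgres[27050]: [10-2] STATEMENT:  "
              "create role pguser encrypted password 'constructed-pw';")
    print(redact(logged))
    print(alter_role_statement("pguser", "constructed-pw"))
```

Treat the logged md5 value as sensitive as well; servers from PostgreSQL 10 on also support scram-sha-256, which this sketch does not produce.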

