Re: Loggingt psql meta-commands

Поиск
Список
Период
Сортировка
От oleg yusim
Тема Re: Loggingt psql meta-commands
Дата
Msg-id CAKd4e_GW_FbVVDkYNyKLccPf7aDBdzCasWm2k5ksnu2R=1PUQw@mail.gmail.com
обсуждение исходный текст
Ответ на Re: Loggingt psql meta-commands  (Tom Lane <tgl@sss.pgh.pa.us>)
Список pgsql-general
Thanks Tom, I get what you are saying and that seems to be final at this stage. I will write pg_audit down, though.

Oleg

On Thu, Dec 10, 2015 at 4:41 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
oleg yusim <olegyusim@gmail.com> writes:
> What I hope to achieve is to meet this requirement from Database SRG:
> *Review DBMS documentation to verify that audit records can be produced
> when privileges/permissions/role memberships are retrieved.*

> To do that I would need to enable logging of such commands as \du, \dp, \z.
> At the same time, I do not want to get 20 GB of logs on the daily basis, by
> setting log_statement = 'all'. So, I'm trying to find a way in between.

As multiple people have noted, it's a serious error to imagine that your
requirement is "log \du etc".  Those are just handy macros for queries on
the system catalogs, which could also be done in other ways.  What you
seem to need is server-side logging of queries that access specific system
catalog columns.  There's no out-of-the-box facility for that right now,
short of log_statement = all which you've already rejected.

It'd be possible to write a C-code extension that did something like
that, and some work in that direction has already gone on; the pg_audit
extension that didn't quite get into 9.5 might come close to your
requirements.

                        regards, tom lane

В списке pgsql-general по дате отправления:

Предыдущее
От: oleg yusim
Дата:
Сообщение: Re: Loggingt psql meta-commands
Следующее
От: David Rowley
Дата:
Сообщение: Re: regexp_replace question / help needed