Re: how _not_ to log?

On Thu, Jul 25, 2013 at 3:59 PM, Tim Spencer <tspencer@cloudpassage.com> wrote:
> Hello there!
>
>         I've seen lots of people who have asked questions about how to log this or that, but I have the opposite
question! :-)  I'm seeing this in my logs: 
>
> Jul 25 18:08:11 staging-db11 postgres[27050]: [10-2] STATEMENT:  create role pguser encrypted password 'XXX';

That does not look like the entire message.  What was before and after
it in the log?

For example:

ERROR:  role "foobar" already exists
STATEMENT:  create role foobar encrypted password 'XXX';

If it were not for the ERROR, the STATEMENT would not be being logged,
in my hands.


>
>         Where XXX is the actual password.  This happens every 30 minutes when my chef client kicks off and resets the
passwords. Here's everything that I have in postgres.conf related to logging: 
>
> log_destination = 'syslog'              # Valid values are combinations of
>                                         # stderr, csvlog, syslog, and eventlog,
>                                         # depending on platform.  csvlog
>                                         # requires logging_collector to be on.
> logging_collector = on                  # Enable capturing of stderr and csvlog
>                                         # into log files. Required to be on for
>                                         # csvlogs.
> log_directory = 'pg_log'                # directory where log files are written,
> log_filename = 'postgresql-%a.log'      # log file name pattern,
> log_truncate_on_rotation = on           # If on, an existing log file with the
>                                         # same name as the new log file will be
> log_rotation_age = 1d                   # Automatic rotation of logfiles will
> log_rotation_size = 0                   # Automatic rotation of logfiles will
>                                         # happen after that much log output.
>                                         # DO NOT USE without syslog or
>                                         # logging_collector
> log_min_duration_statement = 2000       # 2 seconds
> log_checkpoints = on

What about log_min_error_statement ?

>
>         What I'd like to do is stop logging create role commands, as the logs end up full of passwords.  Is there any
wayto do this?  Thanks, and have fun! 

First you need to find out why they were getting logged.  I don't
think any of the setting you showed explain that.

Also, I don't think anything you can do will render it acceptable to
show your log files to unprivileged users, if that is what you are
aiming for.

Cheers,

Jeff