This topic describes how to use the pgAudit plug-in in ApsaraDB RDS for PostgreSQL. The pgAudit plug-in provides the audit logs that are needed to comply with requirements in the public service and financial sectors or with ISO requirements. Audit logs help you analyze faults and behavior on your RDS instance to obtain information about data queries.
- PostgreSQL 13
- PostgreSQL 12
- PostgreSQL 11
- PostgreSQL 10
- The pgAudit plug-in can generate a large number of audit logs. The number of audit logs that are generated varies based on the settings of the pgAudit plug-in. Before you use the pgAudit plug-in to audit specific objects, we recommend that you evaluate these objects to prevent the pgAudit plug-in from generating a large number of audit logs that exhaust the disk space.
- After an object is renamed, the new audit logs that are generated by the pgAudit plug-in for the object are associated with the new object name.
Enable or disable the pgAudit plug-in
- Enable the pgAudit plug-in.
CREATE EXTENSION pgaudit;
- Disable the pgAudit plug-in.
DROP EXTENSION pgaudit;
Configure audit logs
- Session audit logging: Use the pgaudit.log parameter to specify the types of statements that you want to audit. Session audit logging provides detailed logs of all the statements of the specified types that are executed.
SET pgaudit.log = 'read, ddl';
- Object audit logging: Use the pgaudit.role parameter to specify the role that you want to audit. If the role has the permissions on specific statements or inherits the permissions from another role, all the statements that are executed by the role on the tables and views are audited and logged.
SET pgaudit.role = 'auditor';
GRANT SELECT, DELETE ON public.account TO auditor;
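To evaluate how many audit logs a given pgaudit.log and pgaudit.role setting produces before you enable it widely, the following added example (not part of the original topic) tallies pgAudit entries by audit type, statement class, and object. It assumes the comma-separated entry layout described in the pgAudit documentation and single-line entries; the sample log lines and the public.orders table are constructed for illustration.

```python
import csv
from collections import Counter

# Field order of a pgAudit entry after the "AUDIT: " marker, as described in
# the pgAudit documentation (an assumption here; this topic does not list it).
FIELDS = ("audit_type", "statement_id", "substatement_id", "class",
          "command", "object_type", "object_name", "statement", "parameter")

# Constructed sample log lines; public.orders is a hypothetical table.
SAMPLE_LOG = """\
2021-03-01 10:00:01 UTC LOG:  AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.account,"CREATE TABLE account (id int, name text)",<not logged>
2021-03-01 10:00:02 UTC LOG:  AUDIT: SESSION,2,1,READ,SELECT,TABLE,public.orders,"SELECT id, total FROM orders",<not logged>
2021-03-01 10:00:03 UTC LOG:  AUDIT: SESSION,3,1,READ,SELECT,TABLE,public.orders,SELECT count(*) FROM orders,<not logged>
2021-03-01 10:00:04 UTC LOG:  AUDIT: OBJECT,4,1,WRITE,DELETE,TABLE,public.account,DELETE FROM account WHERE id = 1,<not logged>
2021-03-01 10:00:05 UTC LOG:  checkpoint starting: time
"""


def parse_audit_line(line):
    """Return a dict for one pgAudit entry, or None for any other log line."""
    marker = "AUDIT: "
    pos = line.find(marker)
    if pos < 0:
        return None
    # The csv module handles statements that are quoted because they contain commas.
    values = next(csv.reader([line[pos + len(marker):]]), [])
    if len(values) < len(FIELDS) or values[0] not in ("SESSION", "OBJECT"):
        return None
    return dict(zip(FIELDS, values))


def summarize(log_text):
    """Count entries per (audit type, class, object) to estimate log volume."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_audit_line(line)
        if entry:
            counts[(entry["audit_type"], entry["class"], entry["object_name"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Run the summary over a log sample collected from a test workload; the keys with the highest counts show which statement classes or audited objects account for most of the log volume.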
For more information, see pgAudit documentation.