This topic describes how to use the pgAudit plug-in in ApsaraDB RDS for PostgreSQL. The pgAudit plug-in provides the audit logs that are needed to comply with requirements in the public service and financial sectors or with ISO requirements. Audit logs help you analyze faults and behavior on your RDS instance and obtain information about data queries.
- The major engine version of your RDS instance is PostgreSQL 10, PostgreSQL 11, PostgreSQL 12, or PostgreSQL 13.
- The minor engine version of your RDS instance is 20210531 or later. For more information about how to view and update the minor engine version of an RDS instance, see Update the minor engine version of an ApsaraDB RDS for PostgreSQL instance.
- The pgAudit plug-in can generate a large amount of audit log data. The amount of audit log data that is generated varies based on the configuration of the pgAudit plug-in. Before you use the pgAudit plug-in to audit specific objects, we recommend that you evaluate these objects to prevent the pgAudit plug-in from generating a large amount of audit log data. A large amount of audit log data can exhaust the disk space of your RDS instance.
- After an object is renamed, new audit log records that are generated by the pgAudit plug-in for the object are associated with the new name of the object.
Enable or disable the pgAudit plug-in
- Enable the pgAudit plug-in.
CREATE EXTENSION pgaudit;
- Disable the pgAudit plug-in.
DROP EXTENSION pgaudit;
Configure the pgAudit plug-in
- Session audit logging: Use the pgaudit.log parameter to specify the types of statements that you want to audit. The pgAudit plug-in logs all executed statements of the specified types.
- Object audit logging: Use the pgaudit.role parameter to specify the role whose logs you want to audit. If the role has the permissions on specific statements or inherits the permissions from another role, the pgAudit plug-in can log all statements that are executed by the role on tables and views.
SET pgaudit.log = 'read, ddl';
SET pgaudit.role = 'auditor';
GRANT SELECT, DELETE ON public.account TO auditor;
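The following added example (not part of the original topic) shows how narrow grants to the audit role keep object audit logging small, which addresses the log-volume concern above. pgAudit writes an object audit record when the role named in pgaudit.role holds the matching privilege on the relation or column that a statement touches. The column layout of public.account and the creation of the auditor role are assumptions made for illustration.

```sql
-- Added example: object audit logging limited to sensitive columns.
-- Assumptions: pgaudit is already enabled in this database; the role
-- "auditor" and the columns of public.account are constructed samples.

CREATE ROLE auditor NOLOGIN;   -- holds audit grants only, never logs in

CREATE TABLE public.account (
    id          int PRIMARY KEY,
    name        text,
    password    text,
    description text
);

-- Turn session audit logging off so that only object audit records appear.
SET pgaudit.log = 'none';
SET pgaudit.role = 'auditor';

-- Audit reads of the password column only.
GRANT SELECT (password) ON public.account TO auditor;

SELECT id, name FROM public.account;   -- not logged: no audited column is read
SELECT password FROM public.account;   -- logged as an OBJECT audit record

-- Audit writes to name and password, but not to description.
GRANT UPDATE (name, password) ON public.account TO auditor;

UPDATE public.account SET description = 'note';   -- not logged
UPDATE public.account SET password = 'HASH2';     -- logged

-- Review which columns are currently under object audit.
SELECT table_schema, table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee = 'auditor'
ORDER BY table_schema, table_name, column_name, privilege_type;

-- Stop auditing these columns by revoking the grants from the audit role.
REVOKE SELECT (password), UPDATE (name, password)
    ON public.account FROM auditor;
```

Because every grant to the audit role widens what is logged, reviewing information_schema.column_privileges before and after a change gives a quick estimate of how much additional audit log data to expect.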
For more information, see the pgAudit documentation.