pgAudit extends PolarDB for PostgreSQL's built-in logging to produce detailed audit logs. Use it to meet compliance requirements for government, financial, or ISO certifications, investigate suspicious database activity, and troubleshoot operational issues on your clusters.
Prerequisites
Before you begin, make sure that you have:
A privileged account to configure pgAudit parameters
SQL Explorer enabled on your cluster (required to view generated audit logs)
pgAudit filters only existing audit logs. Audit logs generated before the extension was enabled are not retroactively captured.
Install pgAudit
CREATE EXTENSION pgaudit;Configure session-level auditing
Session-level auditing logs all statements of the specified categories within a database or role scope.
Audit read operations on a database:
ALTER DATABASE pgaudit_testdb SET pgaudit.log = 'READ';After this, all SELECT operations on pgaudit_testdb are audited. Write operations such as INSERT and UPDATE are not audited.
Audit read and write operations:
ALTER DATABASE pgaudit_testdb SET pgaudit.log = 'READ,WRITE';After this, SELECT, INSERT, and UPDATE operations on pgaudit_testdb are all audited.
Disable auditing:
ALTER DATABASE pgaudit_testdb SET pgaudit.log = 'NONE';Configure object-level auditing
Object-level auditing tracks operations on specific database objects rather than all activity in a database. Assign a dedicated role as the audit role, then grant that role permissions on the objects you want to monitor.
The following example audits all operations on the test_audit table:
CREATE USER audit_role;
ALTER DATABASE pgaudit_testdb SET pgaudit.role = 'audit_role';
CREATE TABLE test_audit (id INT);
GRANT ALL ON test_audit TO audit_role;After running these statements, only operations on test_audit in pgaudit_testdb are audited.
Uninstall pgAudit
DROP EXTENSION pgaudit;