The pgAudit extension provides detailed session and object audit logging for ApsaraDB RDS for PostgreSQL. Audit logs help you meet compliance requirements such as public service, financial, or ISO standards. You can use audit logs to analyze faults, track operations, and get information about data queries on your RDS instance.
Prerequisites
Before you begin, make sure that you have:
An ApsaraDB RDS for PostgreSQL instance that runs PostgreSQL 10 or later with minor engine version 20210531 or later. If your instance runs PostgreSQL 17, minor engine version 20241030 or later. For more information about how to view and update the minor engine version, see Update the minor engine version
pgauditadded to theshared_preload_librariesparameter of your RDS instance. For more information, see Modify the parameters of an ApsaraDB RDS for PostgreSQL instance
How pgAudit works
pgAudit uses the standard PostgreSQL logging facility. It intercepts SQL statements and logs them with structured metadata, including the statement class, command tag, object type, and object name.
pgAudit supports two audit logging modes:
Session audit logging: Logs all statements of the specified classes during a session. You control which statement classes to log by setting the
pgaudit.logparameter.Object audit logging: Logs statements that affect specific database objects. You control which objects to audit by granting permissions to a designated audit role specified by the
pgaudit.roleparameter. Object audit logging provides finer granularity than session audit logging.
Usage notes
pgAudit can generate a large amount of audit log data. The amount varies based on the extension configuration. Before you enable auditing, evaluate which objects and statement classes to audit. Logging excessive data can exhaust the storage capacity of your RDS instance.
After you rename an object, new audit log records that pgAudit generates for the object are associated with the new name.
Enable the pgAudit extension
Connect to your RDS instance and run the following statement:
CREATE EXTENSION pgaudit;Configure session audit logging
Session audit logging records all statements of the specified classes that a user runs during a database session. Set the pgaudit.log parameter to specify which statement classes to audit.
Statement classes
| Class | Description |
|---|---|
READ | SELECT and COPY statements when the source is a relation or query. |
WRITE | INSERT, UPDATE, DELETE, TRUNCATE, and COPY statements when the destination is a relation. |
FUNCTION | Function calls and DO blocks. |
ROLE | Statements related to roles and privileges, such as GRANT, REVOKE, CREATE ROLE, ALTER ROLE, and DROP ROLE. |
DDL | All DDL statements that are not covered by the ROLE class. |
MISC | Miscellaneous commands such as DISCARD, FETCH, CHECKPOINT, and VACUUM. |
MISC_SET | Miscellaneous SET commands such as SET ROLE. |
ALL | Includes all statement classes. |
Set the audit log class
To configure the statement classes to audit, set the pgaudit.log parameter in the RDS console. For more information, see Modify the parameters of an ApsaraDB RDS for PostgreSQL instance.
Use a comma-separated list to specify multiple statement classes. For example:
To log all write and DDL operations, set
pgaudit.logtowrite, ddl.To log all statement classes, set
pgaudit.logtoall.To disable session audit logging, set
pgaudit.logtonone.
Thepgaudit.logparameter requires superuser privileges to modify. On ApsaraDB RDS for PostgreSQL, you must configure this parameter through the RDS console instead of using a SQLSETstatement.
Example: Log DDL and write operations
After you set pgaudit.log to ddl, write in the RDS console, run the following SQL statements:
-- Create a table
CREATE TABLE employees (id int, name text, department text);
-- Insert a row
INSERT INTO employees VALUES (1, 'Alice', 'Engineering');The above statements generate the following audit log entries, which you can view in the error logs of your RDS instance:
AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.employees,"CREATE TABLE employees (id int, name text, department text);",<not logged>
AUDIT: SESSION,2,1,WRITE,INSERT,,,"INSERT INTO employees VALUES (1, 'Alice', 'Engineering');",<not logged>Configure object audit logging
Object audit logging records statements that affect specific database objects. It uses the PostgreSQL permission system to determine which operations to log.
To configure object audit logging:
Set the
pgaudit.roleparameter to the name of a designated audit role in the RDS console. For example, setpgaudit.roletoauditor. For more information, see Modify the parameters of an ApsaraDB RDS for PostgreSQL instance. > Note: Thepgaudit.roleparameter requires superuser privileges to modify. On ApsaraDB RDS for PostgreSQL, you must configure this parameter through the RDS console instead of using a SQLSETstatement.Create the audit role:
CREATE ROLE auditor;Grant permissions to the audit role on the objects you want to audit. For example, to audit all
SELECTandDELETEoperations on a table namedorders:GRANT SELECT, DELETE ON orders TO auditor;
After you configure object audit logging, pgAudit logs any SELECT or DELETE statement that accesses the orders table, regardless of which user runs the statement.
Example: Log read operations on a specific table
After you set pgaudit.role to auditor in the RDS console, run the following SQL statements:
-- Grant SELECT on the target table to the audit role
GRANT SELECT ON employees TO auditor;
-- Any SELECT on the employees table is now logged
SELECT * FROM employees WHERE department = 'Engineering';The above SELECT statement generates the following audit log entry:
AUDIT: OBJECT,1,1,READ,SELECT,TABLE,public.employees,"SELECT * FROM employees WHERE department = 'Engineering';",<not logged>Session audit logging parameters
The following table describes the parameters that control session audit logging behavior. To modify these parameters, configure them in the RDS console. For more information, see Modify the parameters of an ApsaraDB RDS for PostgreSQL instance.
| Parameter | Type | Default | Description |
|---|---|---|---|
pgaudit.log | String | none | Statement classes to log. Use a comma-separated list. Valid values: READ, WRITE, FUNCTION, ROLE, DDL, MISC, MISC_SET, ALL, NONE. |
pgaudit.log_catalog | Boolean | on | Logs statements where all relations in the statement are in the pg_catalog schema. Disabling this parameter reduces noise from queries against the catalog by tools such as psql and PgAdmin. |
pgaudit.log_client | Boolean | off | Sends log messages to the client process in addition to the server log. This parameter is available on PostgreSQL 11 and later. |
pgaudit.log_level | String | log | Log level for audit entries. Valid values: DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, LOG. |
pgaudit.log_parameter | Boolean | off | Includes the parameters passed with the statement in the audit log. When parameters are present, they appear after the statement text in CSV format. |
pgaudit.log_relation | Boolean | off | Creates separate log entries for each relation (TABLE, VIEW, etc.) referenced in a SELECT or DML statement. Useful for object audit logging without using the pgAudit role. |
pgaudit.log_rows | Boolean | off | Includes the number of rows retrieved or affected by a statement in the audit log. This parameter is available on PostgreSQL 12 and later. |
pgaudit.log_statement | Boolean | on | Includes the statement text and parameters in the log entry. Depending on requirements, the statement text may need to be excluded from the audit log. |
pgaudit.log_statement_once | Boolean | off | Logs the statement text and parameters only with the first log entry for a statement or sub-statement combination. This reduces log verbosity but can make it harder to correlate a statement with its log entry. |
pgaudit.role | String | None | Master role for object audit logging. Multiple audit roles can be defined by granting them to the master role. |
Some parameters, such aspgaudit.log_client,pgaudit.log_rows, andpgaudit.log_statement, may not be available in the RDS console parameter settings page. These parameters use their default values. To check the current value, runSHOW <parameter_name>;after you connect to your RDS instance.
Audit log output format
pgAudit generates log entries in the following format. You can view these entries in the error logs of your RDS instance.
AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.orders,"CREATE TABLE orders (id int, name text);",<not logged>Each log entry contains the following fields, separated by commas:
| Field | Description |
|---|---|
| AUDIT_TYPE | SESSION or OBJECT, indicating the type of audit logging. |
| STATEMENT_ID | Unique identifier for the statement. A counter that increments for each statement in a session. |
| SUBSTATEMENT_ID | Unique identifier for the sub-statement. A counter that increments for each sub-statement within a statement. |
| CLASS | Statement class, such as DDL, READ, or WRITE. |
| COMMAND | Command tag, such as CREATE TABLE or SELECT. |
| OBJECT_TYPE | Type of the object, such as TABLE, INDEX, or FUNCTION. |
| OBJECT_NAME | Fully qualified name of the object, such as public.orders. |
| STATEMENT | SQL statement that was run. |
| PARAMETER | Statement parameters in CSV format. Displays <not logged> when pgaudit.log_parameter is set to off. |
Best practices
Start with minimal logging: Begin with specific statement classes such as
WRITEandDDLrather thanALL. Expand the scope as needed.Monitor storage usage: Audit logging generates additional data. Regularly check the storage usage of your RDS instance to prevent storage exhaustion.
Use object audit logging for fine-grained control: When you need to audit specific tables or views, use object audit logging instead of session audit logging to reduce the volume of log data.
Exclude catalog queries: Keep
pgaudit.log_catalogset toononly if you need to audit catalog queries. Setting it tooffreduces noise from administrative tools.
Disable the pgAudit extension
To stop generating audit logs and remove the extension, run the following statement:
DROP EXTENSION pgaudit;References
For more information about pgAudit, see pgAudit documentation.