Enable audit logging¶

This guide describes how to enable audit logging in your postgreSQL database.

The following steps need to be taken to enable the logging.

1. Configure database flags, and configure replication etc.
2. Configure database internals to be the primary.

The pgaudit logs will require disk space, monitor disk usage and enable automatic storage increase if necessary.

For more information on audit logging, see the official documentation.

Configure database flags for your sql instance¶

The following database flags must be set before we can enable audit logging.

cloudsql.enable_pgaudit
pgaudit.log

The flags can be set in the application spec:

spec:
  gcp:
    sqlInstances:
    - name: myapp
      flags:
        - name: "cloudsql.enable_pgaudit"
          value: "on"
        - name: "pgaudit.log"
          value: "write"

The cloudsql.enable_pgaudit flag enables the pgaudit logging in the database. The pgaudit.log flag specifies what to log. Possible values for pgaudit.log are as follows (and all combinations of these):

• read - Log select and copy commands.
• write - Log insert, update, delete, truncate and copy commands.
• ddl - Log all data definition language commands not included in role.
• role - Log role and permission changes (grant, revoke, create/alter/drop role).
• misc - Log miscellaneous commands (discard, fetch, checkpoint, vacuum, set).
• misc_set - Log miscellaneous set commands.
• function - Log function calls and do-blocks operations.
• all - Log all commands.

Other flags that are available for pgaudit are documented here.

Use the nais cli to configure database internals¶

The nais cli can be used to configure the database internals. This will fail if the necessary database flags have not been configured. The cli will log on to your database and create the pgaudit extension and also disable logging for the application user.

$ nais postgres enable-audit <application> <namespace> <context>

For more information on the nais cli, see the official documentation.