
Recently we changed our production database log_statement from 'all' to 'mod', because the resulting log file was too large for our available storage. Unfortunately, we still need to log every SELECT made by users to a specific table N for audit purposes.

Is there any solution for that? I have tried using pgaudit and pg_stat_statements without any success.

We have set pgaudit.log to read, but it logs every SELECT query instead of just selects to table N.


1 Answer


You need pgAudit's object audit logging:

Object-level audit logging is implemented via the roles system. The pgaudit.role setting defines the role that will be used for audit logging. A relation (TABLE, VIEW, etc.) will be audit logged when the audit role has permissions for the command executed or inherits the permissions from another role.

So run

CREATE ROLE auditor;

GRANT INSERT, UPDATE, SELECT, DELETE ON special_table TO auditor;

Then set pgaudit.role = auditor in the configuration, and all access to the table will be audited.

  • Thank you very much for your answer. We have tried it, and it worked as expected. Commented Dec 11, 2024 at 3:53
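
The setup from the answer, narrowed to the question's requirement (only SELECTs on one table), as an added example that is not part of the original answer. It assumes pgaudit is already loaded through shared_preload_libraries, that the audited table is public.special_table, and that session-level read logging (pgaudit.log = read) should be switched off so other SELECTs stop being logged.

```sql
-- Added example. Assumptions: pgaudit is in shared_preload_libraries,
-- the table is public.special_table, and the statements run as a superuser.

-- 1. Session audit logging is independent of object audit logging.
--    While pgaudit.log includes 'read', every SELECT is still logged.
--    Keep any other classes you need (for example 'ddl'), but drop 'read'.
ALTER SYSTEM SET pgaudit.log = 'none';

-- 2. The audit role is only a marker for pgaudit. Keep it NOLOGIN and do not
--    grant it to any user, because it holds real privileges on the table.
CREATE ROLE auditor NOLOGIN;

-- 3. Grant only the command that must be audited. With SELECT alone,
--    INSERT/UPDATE/DELETE on the table produce no object audit entries.
GRANT SELECT ON public.special_table TO auditor;

-- 4. Point pgaudit at the role and reload the configuration.
ALTER SYSTEM SET pgaudit.role = 'auditor';
SELECT pg_reload_conf();

-- 5. Verify the effective settings and the audit role's privileges.
SHOW pgaudit.log;
SHOW pgaudit.role;
SELECT has_table_privilege('auditor', 'public.special_table', 'SELECT') AS audits_select,
       has_table_privilege('auditor', 'public.special_table', 'INSERT') AS audits_insert;

-- 6. Run one query against the audited table and one against any other table,
--    then check the server log: only the first should produce an AUDIT entry,
--    and it is tagged OBJECT rather than SESSION.
SELECT count(*) FROM public.special_table;
SELECT count(*) FROM pg_class;
```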
