Reference for the pgAudit extension

pgaudit.log

Specifies the statement classes that will be logged by session audit logging. Allowable values include ddl, function, misc, read, role, write, none, all. For more information, see List of allowable settings for the pgaudit.log parameter.

pgaudit.log_catalog

When turned on (set to 1), adds statements to audit trail if all relations in a statement are in pg_catalog.

pgaudit.log_level

Specifies the log level to use for log entries. Allowed values: debug5, debug4, debug3, debug2, debug1, info, notice, warning, log

pgaudit.log_parameter

When turned on (set to 1), parameters passed with the statement are captured in the audit log.

pgaudit.log_relation

When turned on (set to 1), the audit log for the session creates a separate log entry for each relation (TABLE, VIEW, and so on) referenced in a SELECT or DML statement.

pgaudit.log_statement_once

Specifies whether logging will include the statement text and parameters with the first log entry for a statement/substatement combination or with every entry.

pgaudit.role

Specifies the master role to use for object audit logging. The only allowable entry is rds_pgaudit.

none

This is the default. No database changes are logged.

all

Logs everything (read, write, function, role, ddl, misc).

ddl

Logs all data definition language (DDL) statements that aren't included in the ROLE class.

function

Logs function calls and DO blocks.

misc

Logs miscellaneous commands, such as DISCARD, FETCH, CHECKPOINT, VACUUM, and SET.

read

Logs SELECT and COPY when the source is a relation (such as a table) or a query.

role

Logs statements related to roles and privileges, such as GRANT, REVOKE, CREATE ROLE, ALTER ROLE, and DROP ROLE.

write

Logs INSERT, UPDATE, DELETE, TRUNCATE, and COPY when the destination is a relation (table).