Excluding users or databases from audit logging
As discussed in RDS for PostgreSQL database log files, PostgreSQL logs consume storage space. Using the pgAudit extension adds to the volume of data gathered in your logs to varying degrees, depending on the changes that you track. You might not need to audit every user or database in your RDS for PostgreSQL DB instance.
To minimize impacts to your storage and to avoid needlessly capturing audit records, you can exclude users and databases from being audited. You can also change logging within a given session. The following examples show you how.
Note
Parameter settings at the session level take precedence over the settings in the custom DB parameter group for the RDS for PostgreSQL DB instance. If you don't want database users to bypass your audit logging configuration settings, be sure to change their permissions.
Suppose that your
RDS for PostgreSQL DB instance is configured
to audit the same level of activity for all users and databases.
You then decide that you don't want to audit the user
myuser. You can turn off auditing for myuser with the following
SQL command.
ALTER USER myuser SET pgaudit.log TO 'NONE';
Then, you can use the following query to check the user_specific_settings
column for pgaudit.log to confirm that the parameter is set to NONE.
SELECT usename AS user_name, useconfig AS user_specific_settings FROM pg_user WHERE usename = 'myuser';
You see output such as the following.
user_name | user_specific_settings
-----------+------------------------
myuser | {pgaudit.log=NONE}
(1 row)You can turn off logging for a given user in the midst of their session with the database with the following command.
ALTER USER myuser IN DATABASE mydatabase SET pgaudit.log TO 'none';
Use the following query to check the settings column for pgaudit.log for a specific user and database combination.
SELECT usename AS "user_name", datname AS "database_name", pg_catalog.array_to_string(setconfig, E'\n') AS "settings" FROM pg_catalog.pg_db_role_setting s LEFT JOIN pg_catalog.pg_database d ON d.oid = setdatabase LEFT JOIN pg_catalog.pg_user r ON r.usesysid = setrole WHERE usename = 'myuser' AND datname = 'mydatabase' ORDER BY 1, 2;
You see output similar to the following.
user_name | database_name | settings
-----------+---------------+------------------
myuser | mydatabase | pgaudit.log=none
(1 row)After turning off auditing for myuser, you decide that
you don't want to track changes to mydatabase. You turn off auditing
for that specific database by using the following command.
ALTER DATABASE mydatabase SET pgaudit.log to 'NONE';
Then, use the following query to check the database_specific_settings column to confirm that pgaudit.log is set to NONE.
SELECT a.datname AS database_name, b.setconfig AS database_specific_settings FROM pg_database a FULL JOIN pg_db_role_setting b ON a.oid = b.setdatabase WHERE a.datname = 'mydatabase';
You see output such as the following.
database_name | database_specific_settings
---------------+----------------------------
mydatabase | {pgaudit.log=NONE}
(1 row)To return settings to the default setting for myuser, use the following command:
ALTER USER myuser RESET pgaudit.log;
To return settings to their default setting for a database, use the following command.
ALTER DATABASE mydatabase RESET pgaudit.log;
To reset user and database to the default setting, use the following command.
ALTER USER myuser IN DATABASE mydatabase RESET pgaudit.log;
You can also capture specific events to the log by setting the pgaudit.log to one of the other
allowed values for the pgaudit.log parameter. For more information, see
List of allowable settings for the pgaudit.log parameter.
ALTER USER myuser SET pgaudit.log TO 'read'; ALTER DATABASE mydatabase SET pgaudit.log TO 'function'; ALTER USER myuser IN DATABASE mydatabase SET pgaudit.log TO 'read,function'
