Re: pgaudit - an auditing extension for PostgreSQL

From: Simon Riggs <simon(at)2ndQuadrant(dot)com>
To: MauMau <maumau307(at)gmail(dot)com>
Cc: Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Ian Barwick <ian(at)2ndquadrant(dot)com>
Subject: Re: pgaudit - an auditing extension for PostgreSQL
Date: 2014-10-18 09:04:35
Message-ID: CA+U5nMLURCsfmk2WR7ykTvLWA5-+vJ7xRL9Fo6MCxPYizuMVQA@mail.gmail.com
Lists: pgsql-hackers

On 18 October 2014 05:13, MauMau <maumau307(at)gmail(dot)com> wrote:

> [requirement]
> 10.6 Review logs and security events for
> all system components to identify
> anomalies or suspicious activity.
> Note: Log harvesting, parsing, and
> alerting tools may be used to meet this
> Requirement.
> The log review process does not have to be
> manual. The use of log harvesting, parsing, and
> alerting tools can help facilitate the process by
> identifying log events that need to be reviewed.
>
> [my comment]
> What commercial and open source products are well known as the "log
> harvesting, parsing, and alerting tool"? Is it possible and reasonably easy
> to integrate pgaudit with those tools? The purpose of audit logging feature
> is not recording facts, but to enable timely detection of malicious actions.
> So, I think the ease of integration with those tools must be evaluated. But
> I don't know about such tools.
>
> I feel the current output format of pgaudit is somewhat difficult to treat:
>
> * The audit log entries are mixed with other logs in the server log files,
> so the user has to extract the audit log lines from the server log files and
> save them elsewhere. I think it is necessary to store audit logs in
> separate files.
>
> * Does the command text need "" around it in case it contains commas?

Audit entries are sent to the server log, yes.

The server log may be redirected to syslog, which allows various forms
of routing and manipulation that are outside of the reasonable domain
of pgaudit.

PostgreSQL also provides a logging hook that would allow you to filter
or redirect messages as desired.

Given those two ways of handling server log messages, the server log
is the obvious destination to provide for the recording/logging part of
the audit requirement. pgaudit is designed to allow generating useful
messages, not be an out of the box compliance tool.

--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
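As an added example (not code from pgaudit or from this thread), the extraction step MauMau describes: pulling audit entries out of a mixed server log into their own records, with the csv module handling a double-quoted statement so embedded commas do not split fields. The "AUDIT:" marker, the field layout and the sample log lines are assumptions constructed for this example, not pgaudit's actual output format.

```python
"""Extract audit entries from a mixed PostgreSQL server log and parse their
comma-separated fields.  Added example; the "AUDIT:" marker and field layout
are assumptions, not pgaudit's real format."""
import csv
import io
import re

# Constructed sample: audit entries interleaved with ordinary server messages.
SAMPLE_LOG = """\
2014-10-18 09:04:35 UTC [1234] LOG:  database system is ready to accept connections
2014-10-18 09:05:01 UTC [2345] LOG:  AUDIT: SESSION,READ,SELECT,public.accounts,"SELECT id, balance FROM accounts WHERE id = 7"
2014-10-18 09:05:02 UTC [2345] ERROR:  relation "missing" does not exist
2014-10-18 09:05:03 UTC [2345] LOG:  AUDIT: SESSION,WRITE,UPDATE,public.accounts,"UPDATE accounts SET balance = balance - 100, updated = now() WHERE id = 7"
2014-10-18 09:05:04 UTC [2345] LOG:  AUDIT: DDL,,DROP TABLE,public.tmp,"DROP TABLE tmp"
2014-10-18 09:05:05 UTC [1234] LOG:  checkpoint starting: time
"""

# Assumed shape: <log prefix> LOG:  AUDIT: <comma-separated fields>
AUDIT_RE = re.compile(r"^(?P<prefix>.*?)LOG:\s+AUDIT:\s+(?P<fields>.*)$")
FIELD_NAMES = ("class", "access", "command", "object", "statement")


def parse_audit_line(line):
    """Return a dict for an audit line, or None for any other server log line."""
    m = AUDIT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # csv honours the double quotes, so commas inside the statement stay intact.
    fields = next(csv.reader(io.StringIO(m.group("fields"))))
    if len(fields) != len(FIELD_NAMES):
        raise ValueError("unexpected field count in audit line: %r" % line)
    entry = dict(zip(FIELD_NAMES, fields))
    entry["prefix"] = m.group("prefix").strip()
    return entry


def extract_audit_entries(log_text):
    """Separate the audit entries from everything else in the server log."""
    parsed = (parse_audit_line(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry is not None]


def flag_watched_ddl(entries, watched=("DROP TABLE", "ALTER ROLE")):
    """Minimal alerting rule: DDL commands on a watch list need review."""
    return [e for e in entries if e["class"] == "DDL" and e["command"] in watched]
```

Running `extract_audit_entries(SAMPLE_LOG)` yields three records; the UPDATE statement keeps its embedded comma, and `flag_watched_ddl` surfaces only the DROP TABLE entry.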
