From: | Joe Van Dyk <joe(at)tanga(dot)com> |
---|---|
To: | Tim Spencer <tspencer(at)cloudpassage(dot)com> |
Cc: | "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: how _not_ to log? |
Date: | 2013-07-26 06:45:22 |
Message-ID: | CACfv+p+1J6JT1Lap8bN1yTBzP7TZRh5K587RwxumwHKSXQ6LHg@mail.gmail.com |
Lists: | pgsql-general |
On Thursday, July 25, 2013, Tim Spencer wrote:
> Hello there!
>
> I've seen lots of people who have asked questions about how to log
> this or that, but I have the opposite question! :-) I'm seeing this in my
> logs:
>
> Jul 25 18:08:11 staging-db11 postgres[27050]: [10-2] STATEMENT: create role pguser encrypted password 'XXX';
>
> Where XXX is the actual password. This happens every 30 minutes
> when my chef client kicks off and resets the passwords. Here's everything
> that I have in postgres.conf related to logging:
>
> log_destination = 'syslog' # Valid values are combinations of
> # stderr, csvlog, syslog, and eventlog,
> # depending on platform. csvlog
> # requires logging_collector to be on.
> logging_collector = on # Enable capturing of stderr and csvlog
> # into log files. Required to be on for
> # csvlogs.
> log_directory = 'pg_log' # directory where log files are written,
> log_filename = 'postgresql-%a.log' # log file name pattern,
> log_truncate_on_rotation = on # If on, an existing log file with the
> # same name as the new log file will be
> log_rotation_age = 1d # Automatic rotation of logfiles will
> log_rotation_size = 0 # Automatic rotation of logfiles will
> # happen after that much log output.
> # DO NOT USE without syslog or
> # logging_collector
> log_min_duration_statement = 2000 # 2 seconds
> log_checkpoints = on
>
> What I'd like to do is stop logging create role commands, as the
> logs end up full of passwords. Is there any way to do this? Thanks, and
> have fun!
Have chef supply the password in encrypted format.
It's not that well documented yet though, as far as I can tell. See this
thread:
http://www.postgresql.org/message-id/201110272054.p9RKsKs18362@momjian.us
Seems like that information should be in the CREATE ROLE docs.
>
> -tspencer
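
Added example, not part of the original thread: a Ruby helper (chef recipes are Ruby) that pre-computes the password verifier, so the `create role` statement, and with it the `STATEMENT:` log line, carries a hash instead of the plaintext. It goes beyond the thread by also covering the SCRAM-SHA-256 format stored by PostgreSQL 10 and later; the function names are hypothetical and ASCII passwords are assumed (no SASLprep step).

```ruby
require "digest"
require "openssl"
require "securerandom"

# Legacy verifier: the literal "md5" followed by md5(password || role name).
def pg_md5_verifier(role, password)
  "md5" + Digest::MD5.hexdigest(password + role)
end

# SCRAM-SHA-256 verifier as stored by PostgreSQL 10 and later:
#   SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
# Assumption: ASCII password, so SASLprep normalisation is skipped.
def pg_scram_verifier(password, salt: SecureRandom.random_bytes(16), iterations: 4096)
  sha256 = OpenSSL::Digest.new("SHA256")
  salted = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, sha256)
  client_key = OpenSSL::HMAC.digest("SHA256", salted, "Client Key")
  stored_key = Digest::SHA256.digest(client_key)
  server_key = OpenSSL::HMAC.digest("SHA256", salted, "Server Key")
  b64 = ->(bytes) { [bytes].pack("m0") } # strict base64, no line breaks
  "SCRAM-SHA-256$#{iterations}:#{b64.(salt)}$#{b64.(stored_key)}:#{b64.(server_key)}"
end

# Build the statement the provisioning run sends. Only the verifier appears
# in it, so only the verifier can end up in the server log.
def create_role_sql(role, verifier)
  ident = '"' + role.gsub('"', '""') + '"'
  literal = "'" + verifier.gsub("'", "''") + "'"
  "CREATE ROLE #{ident} ENCRYPTED PASSWORD #{literal};"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values matching the role name in the quoted log line.
  puts create_role_sql("pguser", pg_md5_verifier("pguser", "XXX"))
  puts create_role_sql("pguser", pg_scram_verifier("XXX"))
end
```

The server stores a password string that is already in one of these formats as-is. The verifier is still sensitive, so access to the logs should stay restricted.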