Re: Loggingt psql meta-commands

Thanks Tom, I get what you are saying and that seems to be final at this
stage. I will write pg_audit down, though.

Oleg

On Thu, Dec 10, 2015 at 4:41 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> oleg yusim <olegyusim(at)gmail(dot)com> writes:
> > What I hope to achieve is to meet this requirement from Database SRG:
> > *Review DBMS documentation to verify that audit records can be produced
> > when privileges/permissions/role memberships are retrieved.*
>
> > To do that I would need to enable logging of such commands as \du, \dp,
> \z.
> > At the same time, I do not want to get 20 GB of logs on the daily basis,
> by
> > setting log_statement = 'all'. So, I'm trying to find a way in between.
>
> As multiple people have noted, it's a serious error to imagine that your
> requirement is "log \du etc". Those are just handy macros for queries on
> the system catalogs, which could also be done in other ways. What you
> seem to need is server-side logging of queries that access specific system
> catalog columns. There's no out-of-the-box facility for that right now,
> short of log_statement = all which you've already rejected.
>
> It'd be possible to write a C-code extension that did something like
> that, and some work in that direction has already gone on; the pg_audit
> extension that didn't quite get into 9.5 might come close to your
> requirements.
>
> regards, tom lane
>