On Thursday, July 25, 2013, Tim Spencer wrote: > Hello there! > > I've seen lots of people who have asked questions about how to log > this or that, but I have the opposite question! :-) I'm seeing this in my > logs: > > Jul 25 18:08:11 staging-db11 postgres[27050]: [10-2] STATEMENT: create > role pguser encrypted password 'XXX'; > > Where XXX is the actual password. This happens every 30 minutes > when my chef client kicks off and resets the passwords. Here's everything > that I have in postgres.conf related to logging: > > log_destination = 'syslog' # Valid values are combinations of > # stderr, csvlog, syslog, and > eventlog, > # depending on platform. csvlog > # requires logging_collector to be > on. > logging_collector = on # Enable capturing of stderr and > csvlog > # into log files. Required to be > on for > # csvlogs. > log_directory = 'pg_log' # directory where log files are > written, > log_filename = 'postgresql-%a.log' # log file name pattern, > log_truncate_on_rotation = on # If on, an existing log file with > the > # same name as the new log file > will be > log_rotation_age = 1d # Automatic rotation of logfiles > will > log_rotation_size = 0 # Automatic rotation of logfiles > will > # happen after that much log > output. > # DO NOT USE without syslog or > # logging_collector > log_min_duration_statement = 2000 # 2 seconds > log_checkpoints = on > > What I'd like to do is stop logging create role commands, as the > logs end up full of passwords. Is there any way to do this? Thanks, and > have fun!
Have chef supply the password in encrypted format. It's not that well documented yet though, as far as I can tell. See this thread: http://www.postgresql.org/message-id/201110272054.p9rksks18...@momjian.us Seems like that information should be in the CREATE ROLE docs. > > -tspencer > > > > -- > Sent via pgsql-general mailing list > (pgsql-general@postgresql.org<javascript:;> > ) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-general >
