Thanks Tom, I get what you are saying and that seems to be final at this stage. I will write pg_audit down, though.
Oleg

On Thu, Dec 10, 2015 at 4:41 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:

> oleg yusim <olegyu...@gmail.com> writes:
> > What I hope to achieve is to meet this requirement from Database SRG:
> > *Review DBMS documentation to verify that audit records can be produced
> > when privileges/permissions/role memberships are retrieved.*
> >
> > To do that I would need to enable logging of such commands as \du, \dp, \z.
> > At the same time, I do not want to get 20 GB of logs on the daily basis, by
> > setting log_statement = 'all'. So, I'm trying to find a way in between.
>
> As multiple people have noted, it's a serious error to imagine that your
> requirement is "log \du etc". Those are just handy macros for queries on
> the system catalogs, which could also be done in other ways. What you
> seem to need is server-side logging of queries that access specific system
> catalog columns. There's no out-of-the-box facility for that right now,
> short of log_statement = all which you've already rejected.
>
> It'd be possible to write a C-code extension that did something like
> that, and some work in that direction has already gone on; the pg_audit
> extension that didn't quite get into 9.5 might come close to your
> requirements.
>
> regards, tom lane
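An added example, not part of the thread and not code from either poster: a log filter that keeps only statements touching role, membership and ACL catalogs, whether they came from a psql macro such as \du or from a hand-written query. It assumes the server already writes statements with log_statement = 'all' in the plain-text log format (multi-line statements continued on tab-indented lines); the log prefix, the sample lines and the choice of watched names are constructed for illustration. Text matching is a heuristic, so access through a user-defined view or function that wraps these catalogs will not be flagged.

```python
import re

# Real PostgreSQL catalog/ACL names; which ones to watch is an assumption.
WATCHED = re.compile(
    r"\b(pg_roles|pg_authid|pg_auth_members|pg_user|pg_shadow|pg_group|"
    r"pg_default_acl|relacl|attacl|nspacl|proacl|datacl|aclexplode|"
    r"has_\w+_privilege)\b", re.IGNORECASE)
STATEMENT = re.compile(r"^(?P<prefix>.*?)LOG:\s+statement:\s(?P<sql>.*)$")

def iter_statements(lines):
    """Yield (prefix, sql), joining tab-indented continuation lines."""
    prefix, sql = None, []
    for line in lines:
        line = line.rstrip("\n")
        m = STATEMENT.match(line)
        if not m and prefix is not None and line.startswith("\t"):
            sql.append(line.strip())
            continue
        if prefix is not None:
            yield prefix, "\n".join(sql)
        prefix, sql = (m["prefix"].strip(), [m["sql"]]) if m else (None, [])
    if prefix is not None:
        yield prefix, "\n".join(sql)

def privilege_reads(lines):
    """Return one audit record per statement that names a watched object."""
    records = []
    for prefix, sql in iter_statements(lines):
        hits = sorted({h.lower() for h in WATCHED.findall(sql)})
        if hits:
            records.append({"prefix": prefix, "objects": hits, "sql": sql})
    return records

# Constructed sample log lines (hypothetical prefix: time, pid, user@db).
SAMPLE_LOG = [
    "2015-12-10 16:41:02 UTC [4242] app@sales LOG:  statement: SELECT id FROM orders WHERE id = 7;",
    "2015-12-10 16:41:03 UTC [4243] oleg@sales LOG:  statement: SELECT r.rolname, r.rolsuper",
    "\tFROM pg_catalog.pg_roles r",
    "\tORDER BY 1;",
    "2015-12-10 16:41:04 UTC [4243] oleg@sales LOG:  duration: 0.512 ms",
    "2015-12-10 16:41:05 UTC [4244] bob@sales LOG:  statement: select relname, relacl from pg_class;",
    "2015-12-10 16:41:06 UTC [4244] bob@sales LOG:  statement: SELECT has_table_privilege('bob', 'orders', 'select');",
]

if __name__ == "__main__":
    for rec in privilege_reads(SAMPLE_LOG):
        print(rec["prefix"], rec["objects"])
```

This reduces what is retained for audit review, not what the server writes, so the log volume concern raised in the thread still applies at the source.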