Adrian, What I hope to achieve is to meet this requirement from Database SRG:
*Review DBMS documentation to verify that audit records can be produced when privileges/permissions/role memberships are retrieved.* To do that I would need to enable logging of such commands as \du, \dp, \z. At the same time, I do not want to get 20 GB of logs on the daily basis, by setting log_statement = 'all'. So, I'm trying to find a way in between. Thanks, Oleg On Thu, Dec 10, 2015 at 3:29 PM, Adrian Klaver <adrian.kla...@aklaver.com> wrote: > On 12/10/2015 12:56 PM, oleg yusim wrote: > >> So what I want to accomplish is logging queries for roles/privileges >> with minimal increasing volume of logs along the way. The idea I got >> from responses in this thread so far is: >> >> 1) Set log_statement on postgresql.conf to 'mod' >> 2) Raise log_statement to 'all' but only for postgres superuser >> >> What seems to be open questions to me with this model: >> >> 1) Way to check what log_statement set to on per user basis (what table >> should I query?) >> 2) Way to ensure that only superuser can run meta commands, such as \du, >> \dp, \z >> > > Maybe if you tell us what you hope to achieve, monitoring or access denial > and to what purpose, it might be possible to come up with a more complete > answer. > > >> Thanks, >> >> Oleg >> >> On Thu, Dec 10, 2015 at 2:50 PM, David G. Johnston >> <david.g.johns...@gmail.com <mailto:david.g.johns...@gmail.com>> wrote: >> >> On Thu, Dec 10, 2015 at 1:46 PM, oleg yusim <olegyu...@gmail.com >> <mailto:olegyu...@gmail.com>>wrote: >> >> Hi David, >> >> Can you, please, give me example? >> >> >> Not readily...maybe others can. Putting forth specific examples of >> what you want to accomplish may help. >> >> David J. >> >> >> > > -- > Adrian Klaver > adrian.kla...@aklaver.com >