Archiving audit logs v17
EDB audit log archiving enables database administrators to control the space consumed by the audit log directory and helps manage the audit log files. The Audit Archiver is responsible for the compression, execution, and expiration of log files with edb_audit_archiver_filename_prefix present in the audit directory. The edb_audit_archiver_timeout parameter triggers the compression or expiration of audit log files at an appropriate time. For more information about audit archiving configuration parameters, see Audit logging configuration parameters.
The audit archiver helps to:
- Prepare a list of log files from the audit log directory for compression.
- Determine the log files for compression based on the parameters edb_audit_archiver_compress_time_limit and edb_audit_archiver_compress_size_limit.
- Perform compression of the log files by specifying the compression command based on the edb_audit_archiver_compress_command parameter.
- Determine the log files to remove based on the edb_audit_archiver_expire_time_limit and edb_audit_archiver_expire_size_limit parameters.
- Execute the expiration command specified in the edb_audit_archiver_expire_command parameter to remove the log files.
Rotating out older audit log files
To rotate out the older audit log files, you can set the log file rotation day when the new file is created. To do so, set the parameter edb_audit_rotation_day to the desired value. The audit log records are overwritten on a first-in, first-out basis if space isn't available for more audit log records.
Enabling compression and expiration of log files
To configure EDB Postgres Advanced Server to enable compression and expiration of the log files:
- Enable audit log archiving by setting the edb_audit_archiver parameter to on in the postgresql.conf file.
- To enable compression of log files, set the parameters edb_audit_archiver_compress_size_limit and edb_audit_archiver_compress_time_limit to the values you want.
- To enable expiration of log files, set the parameters edb_audit_archiver_expire_size_limit and edb_audit_archiver_expire_time_limit to the values you want.
- To enable both compression and expiration, set the parameters edb_audit_archiver_compress_size_limit, edb_audit_archiver_compress_time_limit, edb_audit_archiver_expire_size_limit, edb_audit_archiver_expire_time_limit, and edb_audit_archiver_expire_command to the values you want.
Note
On Windows, the value you provide for edb_audit_archiver_expire_command must include the command prompt used to run the copy command. For example, you could enter the following command:
In this example, you could replace cmd.exe with any other command prompt, such as powershell.exe for the Windows PowerShell.
The following is an example of the configuration parameter settings in the postgresql.conf file.
Setting the edb_audit_archiver parameter in the configuration file affects the entire database cluster. The database cluster is established with edb_audit_archiver set to on, as shown in the postgresql.conf file. The audit log file is generated in CSV format based on the setting of the edb_audit configuration parameter.
Examples
In this example, edb_audit_archiver, edb_audit_archiver_compress_size_limit, and edb_audit_archiver_compress_time_limit are set to enable compression of the audit log files greater than 10MB.
Before compression, the audit log file appears as follows:
The edb_audit_archiver parameter checks the log files, excluding the latest file. It retains at least 10MB of log files in the audit log directory and compresses the remaining log files. The .gz specifies the name of an already compressed log file. After compression, the audit log file appears as follows:
In this example, edb_audit_archiver, edb_audit_archiver_expire_size_limit, and edb_audit_archiver_expire_time_limit are set to enable expiration of the audit log files older than one hour.
Before compression, the audit log file appears as follows:
The edb_audit_archiver parameter checks the log files, excluding the latest file. It removes the log files older than one hour. After expiration, the audit log file appears as follows:
In this example, edb_audit_archiver, edb_audit_archiver_compress_size_limit, edb_audit_archiver_compress_time_limit, edb_audit_archiver_expire_size_limit, edb_audit_archiver_expire_time_limit, and edb_audit_archiver_expire_command are set to enable both compression and expiration of the audit log files.
Before compression, the audit log file appears as follows:
The edb_audit_archiver parameter checks the log files, excluding the latest file. It retains at least 4MB of log files in the audit log directory and compresses the remaining log files. While checking the log files for expiration, edb_audit_archiver retains at least 5MB of log files in the audit log directory and removes the remaining log files. After compression and expiration, the audit log file appears as follows:
The expiration command is specified as edb_audit_archiver_expire_command = 'cp %p /home/edb_audit/backup-log/' in the postgresql.conf file. The edb_audit_archiver executes this command and copies the log files to a backup log directory before deleting them from the audit log directory. After compression and expiration, the backup log directory appears as follows:
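The selection rule the examples above describe (skip the latest file, keep a size budget of recent files, pick files past an age limit) can be dry-run against a directory before expiration is enabled, so you know which audit evidence would leave it. This is an added example, not EDB's code: the LogFile type, the function names, the constructed sample files, and the way the limits are applied (a newest-first size budget, None to disable a limit) are assumptions.

```python
import os
from dataclasses import dataclass

MB = 1024 * 1024

@dataclass(frozen=True)
class LogFile:
    name: str
    size: int     # bytes
    mtime: float  # seconds since the epoch

def scan(directory, prefix):
    """Collect audit log files whose names start with the archiver prefix."""
    return [LogFile(e.name, e.stat().st_size, e.stat().st_mtime)
            for e in os.scandir(directory)
            if e.is_file() and e.name.startswith(prefix)]

def candidates(files, size_limit_mb=None, time_limit_s=None, now=0.0):
    """Model of the selection rule described on this page (an assumption).

    The newest file is never considered. The size limit is a budget of the
    most recent remaining files to retain: a file is selected only once the
    files newer than it already hold at least that many MB. The time limit
    selects files older than it. None disables a limit. Each criterion is
    reported separately, oldest file first.
    """
    ordered = sorted(files, key=lambda f: f.mtime, reverse=True)[1:]
    by_size, by_time, kept = [], [], 0
    for f in ordered:  # newest to oldest
        if size_limit_mb is not None:
            if kept >= size_limit_mb * MB:
                by_size.append(f.name)
            else:
                kept += f.size
        if time_limit_s is not None and now - f.mtime > time_limit_s:
            by_time.append(f.name)
    return {"by_size": by_size[::-1], "by_time": by_time[::-1]}

# Constructed sample: four 6MB files and a 1MB latest file, 2000 s apart.
SAMPLE = [
    LogFile("audit-0001.csv", 6 * MB, 1000),
    LogFile("audit-0002.csv", 6 * MB, 3000),
    LogFile("audit-0003.csv", 6 * MB, 5000),
    LogFile("audit-0004.csv", 6 * MB, 7000),
    LogFile("audit-0005.csv", 1 * MB, 9000),  # latest file, always skipped
]

if __name__ == "__main__":
    print(candidates(SAMPLE, size_limit_mb=10, time_limit_s=3600, now=10_000))
```

To check a live directory, pass `scan(<audit directory>, <filename prefix>)` and `time.time()` as `now`, and compare the result with what the archiver actually compresses or removes.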