Running pgaudit installchek with Pgpool II running failed.
Looking at the output pgaudit.out, there was no error, etc., I did not know the cause of failure.
The results of execution are attached below. Can you tell me about the problem?

installcheck_result.zip

Thanks.

I installed Postgres 10 on Solaris together with pgaudit. After compiling everything I created a database and set it up to log to syslog and csvlog. I want to audit any changes to roles. The postgres csv-log contains changes to role but not the syslog. When I produce an error (eg. select * from not-existing_table) the error is also visible in the syslog. Can you assist me to sent also the role-changes to syslog, please?

Kind regards,
Oliver

Attached are the parameter settings:

REPORTING AND LOGGING

#------------------------------------------------------------------------------

- Where to Log -

log_destination = 'syslog,csvlog' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.

This is used when logging to stderr:

logging_collector = on # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)

These are only used if logging_collector is on:

log_directory = '/usr/local/postgres/data/pg_log' # directory where log files are written,
# can be absolute or relative to PGDATA
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
log_rotation_size = 1GB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.

These are relevant when logging to syslog:

syslog_facility = 'local0'

Add settings for extensions here

shared_preload_libraries = 'pgaudit'
pgaudit.log_catalog='on'
pgaudit.log_level='NOTICE'
pgaudit.log_parameter='on'
pgaudit.log_relation='off'
pgaudit.log_statement_once='off'
pgaudit.log='role'

Hi,
I want to audit log user DML activities.
My problem is: A user who I do not want to audit log, is audited when does a DML on a table which is audited for another user over "pgaudit.role" setting.

I understood that "pgaudit.role" setting is used for a master role for auditing.
I do such a work:
Created a "auditor" role, t1 and t2 user, and a table called "a";

postgres=# CREATE ROLE auditor;
postgres=# CREATE USER t1 WITH PASSWORD 'aaa';
postgres=# CREATE USER t2 WITH PASSWORD 'aaa';
postgres=# GRANT USAGE ON SCHEMA postgres TO t1;
postgres=# GRANT USAGE ON SCHEMA postgres TO t2;
postgres=# CREATE TABLE A(a numeric);  --(in postgres schema as postgres user)
postgres=# GRANT INSERT ON a to t1;
postgres=# GRANT INSERT ON a to t2;

Now, we are here, one role, two user and a table.

Here my pgaudit settings in postgresql.conf

pgaudit.log_catalog = off
pgaudit.log_parameter = on
pgaudit.role = 'auditor'

Then, I tried to insert something in "a" table as t1 user, nothing is audit logged (well)
After that, I grant t1 user to auditor role,

postgres=# GRANT t1 to auditor;

Then, I tried to insert something in "a" table as t1 user, insert is audit logged (well)

BUT, when I tried to use user t2, (without granting to auditor) t2's inserts also audited. (why)

Is it the way that extension works?
Or Am I doing something wrong?

Update:
When I revoke t1 from auditor, then nothing is audit logged (well).

Thanks a lot.

Hi. Consider a statement like:

create temporary table t_table as select whatever from real_table;

This logs three different kinds of statements: select, insert, and "create table as". Is there a way to avoid logging the "internal" statements (select, insert) and just get the original query?

Thanks!

Can this extension include session variables in the audit file? For example, if we are not using a 1:1 mapping between application users and database users, we would do something like this:

SET my.username = 'tomas'

I couldn't find anything in the log prefix variables where we could inject something like:
current_setting('my.username')

I essentially want to do what is outlined in this blog post but ensure auditing includes the application user. https://blog.2ndquadrant.com/application-users-vs-row-level-security/

Thanks,
Rob

It would be great if we could set up a filter to audit only specific users. Currently it's either session - which is everything, or objects - which is everyone. We have noisy users (service accounts) and it would be great to be able to exclude them.

https://www.postgresql.org/docs/9.6/static/runtime-config-client.html#RUNTIME-CONFIG-CLIENT-PRELOAD

"Note: On Windows hosts, preloading a library at server start will not reduce the time required to start each new server process; each server process will re-load all preload libraries. However, shared_preload_libraries is still useful on Windows hosts for libraries that need to perform operations at postmaster start time."

The code in _PG_init will be re-run for every backend process start on Windows. That means every 30 seconds when auto vacuum runs, the log message will be printed.

I have postgres 9.5.5 installed and want to install the pgaudit extension.
Do you still need to clone the PostgreSQL git repo and build it, before cloning the pgaudit repo?
Is downloading and building postres a pre-req to the pgaudit install?

Currently pgaudit.c includes "tcop/deparse_utility.h" unconditionally, which is a 9.5 feature. Do you plan to support 9.4 as well, like the original code did?

If not, would you accept patches to do so?

Cant see OBJECT_TYPE and OBJECT_NAME in DDL operation.

my settings:

postgres: 9.6
pgaudit: pgaudit11_96-1.1.1-1.rhel7.x86_64.rpm

shared_preload_libraries=pg_stat_statements, pg_hint_plan, pg_cron, pgaudit
pgaudit.log=ddl,role
log_connections=on
log_disconnections=on
log_line_prefix=%t [%p-%l] %q%u@%d %i

action:

music=# create table mt2 (b int);
CREATE TABLE

result:

2018-05-28 10:33:08 UTC [2645-4] postgres@music CREATE TABLE LOG: AUDIT: SESSION,2,1,DDL,CREATE TABLE,,,create table mt2 (b int);,<none>

audit log problem, "CREATE TABLE AS"

Hi.

I am testing the pgaudit(https://commitfest.postgresql.org/9/463/).
(use "http://www.postgresql.org/message-id/[email protected]" attached patch on 9.6-devel)

The following issues exists in the audit log output of the "CREATE TABLE AS" statement.

• Row of "class READ" is two. Is not that redundant?
• "Class READ" in the second row ,invalid value (?d?) for object_name has been set.

Reproduce:

pgaudit configuration (with postgresql.conf)

shared_preload_libraries = 'pgaudit'
pgaudit.log = 'all'

sql script (test.sql)

CREATE TABLE tmp (id int, data text);
CREATE TABLE tmp2 AS (SELECT * FROM tmp); -- two problem.

run

psql -U postgres test -f test.sql

audit log

LOG:  AUDIT: SESSION,1,1,DDL,CREATE TABLE,,,"CREATE TABLE tmp (id int, data text);",<not logged>
LOG:  AUDIT: SESSION,2,1,READ,SELECT,,,CREATE TABLE tmp2 AS (SELECT * FROM tmp);,<not logged>
LOG:  AUDIT: SESSION,2,1,READ,SELECT,TABLE,?d?,CREATE TABLE tmp2 AS (SELECT * FROM tmp);,<not logged>
LOG:  AUDIT: SESSION,2,2,DDL,CREATE TABLE AS,,,CREATE TABLE tmp2 AS (SELECT * FROM tmp);,<not logged>

Hi Team,

I am getting error while executing following command:
Command:
make USE_PGXS=1

Error:
pgaudit.c: In function ‘log_audit_event’:
pgaudit.c:738: error: ‘LOG_SERVER_ONLY’ undeclared (first use in this function)
pgaudit.c:738: error: (Each undeclared identifier is reported only once
pgaudit.c:738: error: for each function it appears in.)

We are running PostgreSQL 9.5.3 and we installed it using source code
I am in process of evaluating pgAudit extension.

I really appreciate any help here.

Thanks:
Rishabh

While working on a debian package for pgAudit I ran the regressions tests against PostgreSQL 9.6 (the current version contained in Debian stretch). Some of the tests failed. The corresponding diff is attached (regression.diffs.txt).

Please let me know if you need further information.

regards,

• Adrian

I have a need to audit 'truncate table' statements without INSERT, UPDATE and DELETE.

Any help to accomplish this will be very much appreciated.

Thanks.

Dear Team,

We are trying to create extension of pgaudit in postgresql 10 but it gives below error.

ERROR: could not access file "$libdir/pgaudit": No such file or directory

Please help

Hello,

Thanks for your work! In our project we need to control all failure events (denying access and so on). So, pgaudit extension can register only success events.

So, the question is: it is possible to add support for audit of failure events?

After installing pgaudit on a RHEL 6 system, postgres ver 9.5.6. Any kernel update would cause the system to hang on boot when FIPS is enabled (fips=1 in grub.conf)

Fix: Add line to /etc/dracut.conf
vi /etc/dracut.conf

add this line

install_items+=" /lib64/libz.so.1 "

Rebuild initramfs

dracut -v -f

Issue:
Prior to pgaudit install, /boot/initramfs contains references to libz.so.1
-rwxr-xr-x 1 root root 88600 Oct 3 2012 lib64/libz.so.1.2.3
lrwxrwxrwx 1 root root 13 May 11 03:13 lib64/libz.so.1 -> libz.so.1.2.3

After pgaudit is installed following reference is added
-rwxr-xr-x 1 root root 112664 Feb 7 07:07 usr/pgsql-9.5/lib/libz.so.1

Without adding the line above when initramfs is rebuilt as part of a kernel upgrade, the /lib64/libz.so.1 reference is dropped and boot will hang. The only way to get the system to boot is to edit the boot parameters and change fips=0, uninstall postgres, rebuild your initramfs, reboot, then re-install postgress/pgaudit.

The guide I followed was from here:
http://iase.disa.mil/stigs/app-security/database/Pages/edb-postgres.aspx
http://iasecontent.disa.mil/stigs/zip/U_PostgreSQL_9-x_V1R1_STIG.zip
U_PostgreSQL_9-x_V1R1_Supplemental.pdf

Hello, Please would it be possible to publish guidance on how to deploy pgaudit and analyzer for Windows? I thank you and have a nice day. George Barrel

Hi, looking at git diff REL_10_STABLE REL9_5_STABLE, it seems to be that the differences are so small that it would be pretty easy to go with #if/#ifdef conditions and have only one version of the software, allowing to build that against all the PostgreSQL versions (and removing the need to do manual plugin upgrade after pg_upgrade). Also, users feel more comfortable to use the latest versions of PostgreSQL plugins (even against older postgres releases).

Makefile looks for the contrib directory, which doesn't exist on postgres when its installed from package or compiled from source downloaded from the website. "contrib" directory only exists in the postgres repo on git.

I'm added audit to read table:
grant select on audited_file to auditor;
but I see in a log 'update' statement.
I reproduced the situation this way:

PREPARE fh(varchar(255),int) as UPDATE audited_file set file_hash=$1 where id=$2;

EXECUTE fh('test', 1)

In the log appeared:

LOG: AUDIT: OBJECT,30,1,WRITE,UPDATE,TABLE,public.audited_file,"PREPARE fh(varchar(255),int) as UPDATE audited_file set file_hash=$1 where id=$2","test,1"

p.s. For prepred insert and prepared delete works normally

Hello,
When I set session audit all, and altered role1 with pgaudit.log=none. The role1 is still audited.
Is it expected? Any possibility to exclude the role from being audited?

I had set session audit by:

# postgresql.conf
pgaudit.role = 'auditor'
pgaudit.log = 'READ,WRITE,FUNCTION,ROLE,DDL,MISC' # READ,WRITE,FUNCTION,ROLE,DDL,MISC
pgaudit.log_parameter = on
pgaudit.log_statement_once = on
pgaudit.log_catalog = off

And I had altered role1 with no audit:

psql
ALTER ROLE role1 SET pgaudit.log='none';

Is this possible? Without having to build postgresql from source and then installing pg_audit?
Same question for linux as well.

For pgsql96 it will build, but for pgsql96 it will fail with:

gcc -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -DLINUX_OOM_ADJ=0 -fpic -I. -I./ -I/usr/pgsql-9.5/include/server -I/usr/pgsql-9.5/include/internal -D_GNU_SOURCE -I/usr/include/libxml2  -I/usr/include  -c -o pgaudit.o pgaudit.c
In file included from /usr/pgsql-9.5/include/server/postgres.h:48:0,
                 from pgaudit.c:11:
pgaudit.c: In function 'log_audit_event':
pgaudit.c:738:46: error: 'LOG_SERVER_ONLY' undeclared (first use in this function)
     ereport(auditLogClient ? auditLogLevel : LOG_SERVER_ONLY,
                                              ^
/usr/pgsql-9.5/include/server/utils/elog.h:116:16: note: in definition of macro 'ereport_domain'
   if (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO, domain)) \
                ^
pgaudit.c:738:5: note: in expansion of macro 'ereport'
     ereport(auditLogClient ? auditLogLevel : LOG_SERVER_ONLY,
     ^
pgaudit.c:738:46: note: each undeclared identifier is reported only once for each function it appears in
     ereport(auditLogClient ? auditLogLevel : LOG_SERVER_ONLY,
                                              ^
/usr/pgsql-9.5/include/server/utils/elog.h:116:16: note: in definition of macro 'ereport_domain'
   if (errstart(elevel, __FILE__, __LINE__, PG_FUNCNAME_MACRO, domain)) \
                ^
pgaudit.c:738:5: note: in expansion of macro 'ereport'
     ereport(auditLogClient ? auditLogLevel : LOG_SERVER_ONLY,
     ^
make: *** [pgaudit.o] Error 1

In the case of inheritance if we GRANT access to the auditor role on some child table, and not the parent, actions on the parent table which translate to actions on rows of the child table will not be logged.

I'm getting error could not find function "pgaudit_func_sql_drop" in pgaudit.so file when try to drop a table. I had setup pgaudit (i use REL_9_6_STABLE) correctly without error in Postgresql 9.6.1 on Ubuntu...

Hello,
I'm installing pgaudit with postgres 9.6 rpm, but I couldn't find how to install it without compile method.
Is there pgaudit with rpm install?
Regards,

Despite pgaudit.log_relation being off, OBJECT log entry appears in addition
to SESSION.

LOG: AUDIT: SESSION,2,1,READ,SELECT,,,SELECT * FROM a;,
LOG: AUDIT: OBJECT,2,1,READ,SELECT,TABLE,public.a,SELECT * FROM a;,

If pgaudit.log_relation is on, the output looks correct

LOG: AUDIT: OBJECT,2,1,READ,SELECT,TABLE,public.a,SELECT * FROM a;,
LOG: AUDIT: SESSION,2,1,READ,SELECT,TABLE,public.a,SELECT * FROM a;,

but gdb shows that the SESSION entry is printed out in code path which should
actually print OBJECT message:

    /* Do relation level logging if auditLogRelation is set */
    if (auditLogRelation)
    {
        auditEventStack->auditEvent.logged = false;
        auditEventStack->auditEvent.granted = false;
        log_audit_event(auditEventStack);
    }

Besides that, the following part seems to me incorrect

/*
 * If no tables were found that means that RangeTbls was empty or all
 * relations were in the system schema.  In that case still log a session
 * record.
 */
if (!found)

because each iteration of the rangetable loop sets "found" unconditionally to
true and never sets it back to false.

Attached is my patch proposal. Do I seem to misunderstand the expected behavior?

pgaudit_event_kind.diff.gz

Hi.
I have a problem with the installation of pgaudit, I have already tried it in several environments and the result is the same

I am following the next steps:

1. Compile and Install
   Clone the PostgreSQL repository:
   git clone https://github.com/postgres/postgres.git

2.-Checkout REL9_6_STABLE branch:
git checkout REL9_6_STABLE

3.- Make PostgreSQL:
./configure
make install -s

4.-Change to the contrib directory:
cd contrib

5.- Clone the pgAudit extension:
git clone https://github.com/pgaudit/pgaudit.git

6.-Change to pgAudit directory:
cd pgaudit

7.- Build pgAudit and run regression tests:
make -s check

8.- Install pgAudit:
make install

However at point 7 it fails.
[root@pgsql-desa01 pgaudit]# make -s check
pgaudit.c:38:27: fatal error: utils/varlena.h: No such file or directory
#include "utils/varlena.h"
^
compilation terminated.
make[1]: *** [pgaudit.o] Error 1
make: *** [temp-install] Error 2

indeed the file varlena.h does not exist and i dont know why.

Trying solutions I have created the file according to source code, however it fails again with another error.

[root@pgsql-desa01 pgaudit]# make -s check
In file included from pgaudit.c:38:0:
../../src/include/utils/varlena.h:19:12: error: conflicting types for ‘varstr_cmp’
extern int varstr_cmp(const char *arg1, int len1, const char *arg2, int len2, Oid collid);
^
In file included from pgaudit.c:31:0:
../../src/include/utils/builtins.h:848:12: note: previous declaration of ‘varstr_cmp’ was here
extern int varstr_cmp(char *arg1, int len1, char *arg2, int len2, Oid collid);
^
pgaudit.c:1351:29: error: unknown type name ‘QueryEnvironment’
QueryEnvironment *queryEnv,
^
pgaudit.c: In function ‘_PG_init’:
pgaudit.c:1972:27: error: ‘pgaudit_ProcessUtility_hook’ undeclared (first use in this function)
ProcessUtility_hook = pgaudit_ProcessUtility_hook;
^
pgaudit.c:1972:27: note: each undeclared identifier is reported only once for each function it appears in
pgaudit.c: At top level:
pgaudit.c:410:1: warning: ‘stack_valid’ defined but not used [-Wunused-function]
stack_valid(int64 stackId)
^
make[1]: *** [pgaudit.o] Error 1
make: *** [temp-install] Error 2
[root@pgsql-desa01 pgaudit]# ^C

Can someone help me? Thnsks

Hi!
I'm trying to install pgaudit
When I try to run 'make install USE_PGXS=1 ' it ends up with following error

make install USE_PGXS=1

gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -DLINUX_OOM_SCORE_ADJ=0 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard -fPIC -I. -I. -I/usr/include/pgsql/server -I/usr/include/pgsql/internal -D_GNU_SOURCE -I/usr/include/libxml2 -c -o pgaudit.o pgaudit.c
pgaudit.c:13:33: fatal error: access/htup_details.h: No such file or directory
#include "access/htup_details.h"
^
compilation terminated.
make: *** [pgaudit.o] Error 1

My env:
psql (10.5)
Linux 3.10.0-514.26.2.el7.x86_64

Please mention that Simon Riggs of 2ndQuadrant contributed to the design of pgaudit, so its clear that this is a joint effort by both 2ndQuadrant and CrunchyData, as part of a submission of pgaudit to PostgreSQL core. Thanks

Hi,
Is there an option to "plug" pgAudit to the official PostgreSQL docker image?
Thanks,
Elad

Hello, how are you?
Could you explain how to avoid the next line in the audit log?
Every time I make an insert I generate many lines for the fk

OPERATOR (pg_catalog. =) $ 1 FOR KEY SHARE OF x

pgaudit fails to build with PG 11:

gcc -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard -g -g -O2 -fdebug-prefix-map=/build/postgresql-11-LcCi7f/postgresql-11-11~beta1=. -fstack-protector-strong -Wformat -Werror=format-security -fno-omit-frame-pointer -fPIC -I. -I/srv/projects/postgresql/audit/pgaudit -I/usr/include/postgresql/11/server -I/usr/include/postgresql/internal  -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -I/usr/include/libxml2  -I/usr/include/mit-krb5  -c -o pgaudit.o /srv/projects/postgresql/audit/pgaudit/pgaudit.c
/usr/bin/clang -Wno-ignored-attributes -fno-strict-aliasing -fwrapv -O2  -I. -I/srv/projects/postgresql/audit/pgaudit -I/usr/include/postgresql/11/server -I/usr/include/postgresql/internal  -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -I/usr/include/libxml2  -I/usr/include/mit-krb5 -flto=thin -emit-llvm -c -o pgaudit.bc /srv/projects/postgresql/audit/pgaudit/pgaudit.c
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:367:42: error: too many arguments provided to
      function-like macro invocation
                                         ALLOCSET_DEFAULT_INITSIZE,
                                         ^
/usr/include/postgresql/11/server/utils/memutils.h:165:9: note: macro 'AllocSetContextCreate'
      defined here
#define AllocSetContextCreate(parent, name, allocparams) \
        ^
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:364:20: error: use of undeclared identifier
      'AllocSetContextCreate'
    contextAudit = AllocSetContextCreate(CurrentMemoryContext,
                   ^
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:1521:29: error: too many arguments provided to
      function-like macro invocation
                            ALLOCSET_DEFAULT_INITSIZE,
                            ^
/usr/include/postgresql/11/server/utils/memutils.h:165:9: note: macro 'AllocSetContextCreate'
      defined here
#define AllocSetContextCreate(parent, name, allocparams) \
        ^
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:1517:20: error: use of undeclared identifier
      'AllocSetContextCreate'
    contextQuery = AllocSetContextCreate(
                   ^
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:1632:29: error: too many arguments provided to
      function-like macro invocation
                            ALLOCSET_DEFAULT_INITSIZE,
                            ^
/usr/include/postgresql/11/server/utils/memutils.h:165:9: note: macro 'AllocSetContextCreate'
      defined here
#define AllocSetContextCreate(parent, name, allocparams) \
        ^
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:1628:20: error: use of undeclared identifier
      'AllocSetContextCreate'
    contextQuery = AllocSetContextCreate(
                   ^
6 errors generated.
make[2]: *** [/usr/lib/postgresql/11/lib/pgxs/src/makefiles/../../src/Makefile.global:1009: pgaudit.bc] Fehler 1
make[2]: *** Es wird auf noch nicht beendete Prozesse gewartet....
/srv/projects/postgresql/audit/pgaudit/pgaudit.c: In function ‘stack_push’:
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:368:66: error: macro "AllocSetContextCreate" passed 5 arguments, but takes just 3
                                          ALLOCSET_DEFAULT_MAXSIZE);
                                                                  ^
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:364:20: error: ‘AllocSetContextCreate’ undeclared (first use in this function); did you mean ‘SlabContextCreate’?
     contextAudit = AllocSetContextCreate(CurrentMemoryContext,
                    ^~~~~~~~~~~~~~~~~~~~~
                    SlabContextCreate
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:364:20: note: each undeclared identifier is reported only once for each function it appears in
/srv/projects/postgresql/audit/pgaudit/pgaudit.c: In function ‘pgaudit_ddl_command_end’:
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:1522:53: error: macro "AllocSetContextCreate" passed 5 arguments, but takes just 3
                             ALLOCSET_DEFAULT_MAXSIZE);
                                                     ^
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:1517:20: error: ‘AllocSetContextCreate’ undeclared (first use in this function); did you mean ‘SlabContextCreate’?
     contextQuery = AllocSetContextCreate(
                    ^~~~~~~~~~~~~~~~~~~~~
                    SlabContextCreate
/srv/projects/postgresql/audit/pgaudit/pgaudit.c: In function ‘pgaudit_sql_drop’:
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:1633:53: error: macro "AllocSetContextCreate" passed 5 arguments, but takes just 3
                             ALLOCSET_DEFAULT_MAXSIZE);
                                                     ^
/srv/projects/postgresql/audit/pgaudit/pgaudit.c:1628:20: error: ‘AllocSetContextCreate’ undeclared (first use in this function); did you mean ‘SlabContextCreate’?
     contextQuery = AllocSetContextCreate(
                    ^~~~~~~~~~~~~~~~~~~~~
                    SlabContextCreate
make[2]: *** [<eingebaut>: pgaudit.o] Fehler 1

"CREATE EXTENSION" problem.

Hi.
I am testing the pgaudit(https://github.com/pgaudit/pgaudit) on PostgeSQL 9.5.1.

Problem

By vaue of "pgaudit.log" , there is a case in which "CREATE EXTENTION" occurs error.

• pgaudit.log = 'none' -> normal end, and event-trigger is registered.

$ psql -U postgres newdb -c "SHOW pgaudit.log"
 pgaudit.log
-------------
 none
(1 row)

$ psql -U postgres newdb -c "CREATE EXTENSION pgaudit"
CREATE EXTENSION
$ psql -U postgres newdb -c "DROP EXTENSION pgaudit"
DROP EXTENSION
$

• pgaudit.log = 'all' -> "CREATE EXTENSION" occures error.

$ psql -U postgres newdb -c "SHOW pgaudit.log"
 pgaudit.log
-------------
 all
(1 row)

$ psql -U postgres newdb -c "CREATE EXTENSION pgaudit"
ERROR:  pg_event_trigger_ddl_commands() can only be called in an event trigger function
CONTEXT:  SQL statement "SELECT UPPER(object_type), object_identity, UPPER(command_tag)
  FROM pg_catalog.pg_event_trigger_ddl_commands()"
$

Hello,

I've noticed that the 2ndquadrant/pgaudit repository was apparently destroyed and re-forked from this one. I realise this question is about a different repo from this one, but it's kind of important.

The problem is that the 2ndquadrant/pgaudit code was compatible with PostgreSQL 9.3, which is both officially supported by postgresql.org and (somewhat unfortunately), still used by an organisation I'm working for, which has planned to deploy the (old) pgaudit on.

Basically, my question is: does anyone here still have a copy of the old repo?

I am running postgres under windows and get that log entry repeating over and over under a different session id (process id).
It looks like a deamon wakes up every 30 sec and span a new process.
What is this? Any config that I can do to stop that?
Please find bellow an extract of pg_log with the session id between brackets.
...
2017-05-04 09:48:02.670 EDT [590b3112.668] LOG: pgaudit extension initialized
2017-05-04 09:48:02.670 EDT [590b3112.81c] LOG: pgaudit extension initialized
2017-05-04 09:48:02.692 EDT [590b3112.478] LOG: pgaudit extension initialized
2017-05-04 09:48:02.694 EDT [590b3112.b1c] LOG: pgaudit extension initialized
2017-05-04 09:48:19.724 EDT [590b3123.83c] LOG: pgaudit extension initialized
2017-05-04 09:48:19.728 EDT [590b3123.83c] user=[unknown],db=[unknown],app=[unknown],err=00000: LOG: connection received: host=172.30.33.130 port=53018
2017-05-04 09:48:25.682 EDT [590b3129.b5c] LOG: pgaudit extension initialized
2017-05-04 09:48:25.686 EDT [590b3129.b5c] user=[unknown],db=[unknown],app=[unknown],err=00000: LOG: connection received: host=172.30.33.130 port=53019
2017-05-04 09:48:25.690 EDT [590b3129.b5c] user=ftier3,db=ibis,app=[unknown],err=00000: LOG: connection authorized: user=ftier3 database=ibis
2017-05-04 09:49:32.742 EDT [590b316c.b6c] LOG: pgaudit extension initialized
2017-05-04 09:50:02.840 EDT [590b318a.4b8] LOG: pgaudit extension initialized
2017-05-04 09:50:32.841 EDT [590b31a8.b40] LOG: pgaudit extension initialized
2017-05-04 09:51:02.941 EDT [590b31c6.6e8] LOG: pgaudit extension initialized
2017-05-04 09:51:32.842 EDT [590b31e4.80c] LOG: pgaudit extension initialized
2017-05-04 09:52:02.941 EDT [590b3202.11c] LOG: pgaudit extension initialized
2017-05-04 09:52:32.943 EDT [590b3220.91c] LOG: pgaudit extension initialized
...

Hi,
I need to install pgaudit. According to Installation steps provided by pgaudit, I need to first install Postgres from source, then take checkout of pgaudit source code in it's contrib directory, and after that I'll install pgaudit. Currently Postgres has been installed on my machine from apt repo, there is contrib directory inside /usr/share/postgresql but required files like Makefile.global and contrib-global files.
I have also downloaded postgres source and tried to clone pgaudit in it's contrib directory and then run 'make -s check'. But this also fails.
I can't install Postgres from source. How can I install pgaudit in this situation?

Thanks,
Aman

Hi,

Is there an rpm package avail to allow us to install pgaudit 1.2 binary (for Postgres 10.4) on SUSE SLES 12.3
Or what would be the best way to install pgaudit.
Only binary postgres 10.4 was installed on our server running SUSE SLES 12.3

Thx
Tony

Hi there
we have a postgres 9.4 Installation with pgaudit for Audits user Actions

I guess it is the Version v1.0

is postgres 9.4 compatible with is the Version v1.2
or do we have to upgrade postgres to 9.5 or higher?

there is a second question
we have a lot of Audits of pg_catalog

our Parameters are like
pgaudit.log

read, write, privilege, user, definition, config, admin, function
(1 row)

pgaudit.log_catalog = off
so this should remove the most of the pg_catalog entires in the log file or not?

Do you have a RPM package instead of compiling? I am having problems to compile on CentOS 6.8 and Pg 9.4.8. Is pgaudit available to this version of postgres?

I am using Postgres 9.5 on Win10. I have pg installed successfully. However, I am unable to get the pgaudit 1.0.6 extension to create. I have followed the steps in the readme file with no luck. The error that I am seeing now is the following when running the CREATE EXTENSION command in psql:

ERROR: could not load library "C:/POSTGR~1/pg95/../pg95/lib/postgresql/pgaudit.dll": The specified module could not be found.

The dll is located in the path and the permissions are set just as the rest.

Please help... Thank you in advance for your time and knowledge.

I run :
postgres@toshiba:/usr/local/pgsql/bin$ ./pgaudit_analyze --daemon /usr/local/pgsql/data/pg_log

then get :

Unable to open log file: Permission denied at ./pgaudit_analyze line 633.
at ./pgaudit_analyze line 44.
main::ANON('Unable to open log file: Permission denied at ./pgaudit_analy...') called at /usr/share/perl/5.18/Carp.pm line 101
Carp::confess('Unable to open log file: Permission denied') called at ./pgaudit_analyze line 633

Am I doing something wrong?
I compiled the pgaudit with postgresql 9.5.3 source code, then I copy the pgaudit_analyze under $PGHOME/bin and, lib folder to $PGHOME/lib then run the above code.
Also I install perl dbi:pg driver.
Thanks lot.

Audit log is not output after the SET ROLE.

Hi.

I am testing the pgaudit(https://commitfest.postgresql.org/9/463/).
(use http://www.postgresql.org/message-id/[email protected] attached patch on 9.6-devel)

I found strange thing.

• After SET ROLE, part of the SQL is not the audit log output.
• SQL comprising a relation is not output to the audit log.

Reproduce:

prepare

createuser test_user -U postgres
createdb test -U postgres -O test_user
psql test -U test_user -c "CREATE TABLE team(id int, name text)"

pgaudit settings

shared_preload_libraries = 'pgaudit'
pgaudit.log = 'all'

test sql script (test.sql)

SELECT 1;
SELECT * FROM team; -- output audit log
SET ROLE test_user;
SELECT 2;
SELECT * FROM team; -- no output audit log
SELECT 3;
RESET ROLE;
SELECT * FROM team; -- output audit log

run script

psql test -U postgres -f test.sql

audit log

LOG:  AUDIT: SESSION,1,1,READ,SELECT,,,SELECT 1;,<not logged>
LOG:  AUDIT: SESSION,2,1,READ,SELECT,,,SELECT * FROM team;,<not logged>
LOG:  AUDIT: SESSION,3,1,MISC,SET,,,SET ROLE test_user;,<not logged>
LOG:  AUDIT: SESSION,4,1,READ,SELECT,,,SELECT 2;,<not logged>
LOG:  AUDIT: SESSION,5,1,READ,SELECT,,,SELECT 3;,<not logged>
LOG:  AUDIT: SESSION,6,1,MISC,RESET,,,RESET ROLE;,<not logged>
LOG:  AUDIT: SESSION,7,1,READ,SELECT,,,SELECT * FROM team;,<not logged>

Is it possible to define a directory and location for the pgaudit log. Security standards require protection of this information. We have to allow other userids such as monitor accounts to read our server log.

Hi,

I encounter problems when configuring pgaudit with Postgresql 9.6.3 on Centos 7.3

I follow these steps:

1.Compile and Install
Clone the PostgreSQL repository:
git clone https://github.com/postgres/postgres.git
2.-Checkout REL9_6_STABLE branch:
git checkout REL9_6_STABLE

3.- Make PostgreSQL:
./configure
make install -s

4.-Change to the contrib directory:
cd contrib

5.- Clone the pgAudit extension:
git clone https://github.com/pgaudit/pgaudit.git

6.-Change to pgAudit directory:
cd pgaudit

7.- Build pgAudit and run regression tests:
make -s check

8.- Install pgAudit:
make install

However at point 7 it fails.
[XXx]# make -s check
pgaudit.c:38:27: fatal error: utils/varlena.h: No such file or directory
#include "utils/varlena.h"
^
compilation terminated.
make[1]: *** [pgaudit.o] Error 1
make: *** [temp-install] Error 2

Look's like there are no varlena header.

Some one can tell me what's wrong here ,please ?

I need to only log the first occurrence of query and DML.
I set log_statement_once=on in postgresql.conf and make sure that the parameter is not overwiden at the DB or role level.
Please find bellow a simple test case and result.
select count(*) from poe;
show pgaudit.log_statement_once;
pgaudit.log_statement_once
----------
on
select count(*) from poe;
select count(*) from poe;

pg_log results
LOG: AUDIT: SESSION,2,1,READ,SELECT,,,select count(*) from poe;,<none>
LOG: AUDIT: SESSION,3,1,MISC,SHOW,,,show pgaudit.log_statement_once;,<none>
LOG: AUDIT: SESSION,4,1,READ,SELECT,,,select count(*) from poe;,<none>
LOG: AUDIT: SESSION,5,1,READ,SELECT,,,select count(*) from poe;,<none>

Tried to compile this extension on RedHat Enterprise 7 and I get the following error:

make -s check
pgaudit.c: In function ‘stack_push’:
pgaudit.c:358:66: error: macro "AllocSetContextCreate" passed 5 arguments, but takes just 3
ALLOCSET_DEFAULT_MAXSIZE);
^
pgaudit.c:354:20: error: ‘AllocSetContextCreate’ undeclared (first use in this function)
contextAudit = AllocSetContextCreate(CurrentMemoryContext,
^
pgaudit.c:354:20: note: each undeclared identifier is reported only once for each function it appears in
pgaudit.c: In function ‘pgaudit_ddl_command_end’:
pgaudit.c:1485:53: error: macro "AllocSetContextCreate" passed 5 arguments, but takes just 3
ALLOCSET_DEFAULT_MAXSIZE);
^
pgaudit.c:1480:20: error: ‘AllocSetContextCreate’ undeclared (first use in this function)
contextQuery = AllocSetContextCreate(
^
pgaudit.c: In function ‘pgaudit_sql_drop’:
pgaudit.c:1596:53: error: macro "AllocSetContextCreate" passed 5 arguments, but takes just 3
ALLOCSET_DEFAULT_MAXSIZE);
^
pgaudit.c:1591:20: error: ‘AllocSetContextCreate’ undeclared (first use in this function)
contextQuery = AllocSetContextCreate(
^
make[1]: *** [pgaudit.o] Error 1
make: *** [temp-install] Error 2

Hi,

the latest release of pgaudit (1.1.0) fails to build against PostgreSQL 9.5 because LOG_SERVER_ONLY isn't defined [1] The log level in versions prior 1.1.0 was COMMERROR which is effectively the same in PostgreSQL 9.6 [2].

I wonder if it would be possible to support multiple versions at once. From a package maintainer point of view this would make things much easier (I'm working on a pgaudit package for debian).

Cheers,
Adrian

[1] Build Error:

pgaudit.c: In function ‘log_audit_event’:
pgaudit.c:738:46: error: ‘LOG_SERVER_ONLY’ undeclared (first use in this function)
ereport(auditLogClient ? auditLogLevel : LOG_SERVER_ONLY,

[2] Defines PostgreSQL 9.6 (elog.h):

#define LOG_SERVER_ONLY 16 /* Same as LOG for server reporting, but never
* sent to client. /
#define COMMERROR LOG_SERVER_ONLY / Client communication problems; same
* as LOG for server reporting, but
* never sent to client. */

There is a little bit of strange behavior with the pgaudit_analyze script when:
a) it is started up with the --daemon option via ssh from another machine and
b) it is using a fast ssh connection

The problem happens when pgaudit_analyze is invoked in such a way:
ssh -t 'sudo /usr/bin/pgaudit_analyze --daemon /var/lib/pgsql/9.5/data/pg_log --user=postgres

If the ssh connection is slow, the above command will work perfectly to spawn an analyzer process that will stay up on the remote machine. However, if ssh is really fast, the command will complete with a success error code, but the analyzer fails to start.

This can be worked around as follows:
ssh -t -t 'sudo /usr/bin/pgaudit_analyze --daemon /var/lib/pgsql/9.5/data/pg_log --user=postgres && sleep 1

It looks like the pgaudit_analyze process is saying it's completed before it's 100% up and running. If I were to guess, this could be because of a 'fork' call that happens in the --daemon process that is not yet finished. But, that's just an off-the-wall guess.

This may be a minor edge case, but I thought it worth logging.