Re: pgaudit and create postgis extension logs a lot inserts

2018-01-19 Thread David Steele
On 1/19/18 6:05 AM, Magnus Hagander wrote:
> 
> 
> On Thu, Jan 18, 2018 at 6:54 PM, Joe Conway wrote:
> 
> On 01/18/2018 04:12 AM, Svensson Peter wrote:
> > When I then install postgis extension in a database it writes a huge
> > amount of logs which slow down the server a lot.
> > Not only table creation and functions are logged, even all inserts in
> > spatial_ref_sys are written to the audit-log.
> >
> > LOG:  AUDIT: SESSION,1,1,DDL,CREATE FUNCTION,,,"
> > ..
> > INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name"
> > 
> >
> > This behaviour makes pgaudit useless in our environment due to the
> > overhead in log-file write.
> 
> How often do you intend to install PostGIS? Disable pgaudit, install
> PostGIS, enable pgaudit?
> 
> 
> Would it make sense for pgaudit to, at least by option, not include DDL
> statements that are generated as "sub-parts" of a CREATE EXTENSION? It
> should still log the CREATE EXTENSION of course, but not necessarily all
> the contents of it, since that's actually defined in the extension
> itself already?

That's doable, but I think it could be abused if it was always on and
installing extensions is generally not a daily activity.

It seems in this case the best action is to disable pgaudit before
installing postgis or install postgis first.

Regards,
-- 
-David
[email protected]
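
An added example (not from the thread or the pgaudit project) for measuring the fan-out Peter describes: it parses pgaudit entries, whose comma-separated fields follow the extension's documented order, and groups them by statement id. The log lines are constructed in the shape of the excerpt quoted above; `parse_audit` and `summarize` are hypothetical helper names.

```python
import csv
import io
import re
from collections import defaultdict

# Field order of a pgaudit entry as documented by the extension.
FIELDS = ["audit_type", "statement_id", "substatement_id", "class", "command",
          "object_type", "object_name", "statement", "parameter"]
# Start of an entry; anything before "LOG:" is the server's log_line_prefix.
ENTRY_START = re.compile(r"^.*?LOG:\s+AUDIT: ", re.MULTILINE)

# Constructed sample: ids and SQL are made up for illustration.
SAMPLE = '''LOG:  AUDIT: SESSION,1,1,DDL,CREATE EXTENSION,,,CREATE EXTENSION postgis;,<none>
LOG:  AUDIT: SESSION,1,2,DDL,CREATE FUNCTION,,,"CREATE FUNCTION f() ...
INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name"") VALUES (1,'x');",<none>
LOG:  AUDIT: SESSION,1,3,WRITE,INSERT,,,"INSERT INTO ""spatial_ref_sys"" (""srid"",""auth_name"") VALUES (1,'x');",<none>
LOG:  AUDIT: SESSION,2,1,READ,SELECT,,,SELECT 1;,<none>
'''

def parse_audit(log_text):
    """Return one dict per pgaudit entry; quoted statement text may span lines."""
    entries = []
    for chunk in ENTRY_START.split(log_text)[1:]:
        # csv handles the doubled quotes and embedded newlines of the statement field.
        row = next(csv.reader(io.StringIO(chunk, newline="")), [])
        row += [""] * (len(FIELDS) - len(row))  # tolerate truncated entries
        entries.append(dict(zip(FIELDS, row)))
    return entries

def summarize(entries):
    """Group entries by statement id: entry count, statement bytes, commands seen."""
    out = defaultdict(lambda: {"entries": 0, "bytes": 0, "commands": defaultdict(int)})
    for e in entries:
        s = out[e["statement_id"]]
        s["entries"] += 1
        s["bytes"] += len(e["statement"].encode())
        s["commands"][e["class"] + "/" + e["command"]] += 1
    return out

if __name__ == "__main__":
    for stmt_id, s in summarize(parse_audit(SAMPLE)).items():
        print(stmt_id, s["entries"], "entries,", s["bytes"], "bytes of statement text",
              dict(s["commands"]))
```
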



Re: pgaudit and create postgis extension logs a lot inserts

2018-01-19 Thread David Steele
Hi Peter,

On 1/18/18 7:12 AM, Svensson Peter wrote:
> 
> Also noticed that setting a session log to none (set
> pgaudit.log='none';) overrides parameter from postgresql.conf, but
> does not get logged, and then you can do whatever you want without any
> audit.
> I supposed this changing of audit session log parameter should be
> logged to file?

pgaudit is not intended to audit the superuser and only a superuser can
set pgaudit.log.

However, you can limit superuser access with the set_user extension:
https://github.com/pgaudit/set_user

Regards,
-- 
-David
[email protected]