Maintaining Audit Logs

Prerequisites

You have the audit permission.

Background

  • Table 1 lists the configuration parameters related to audit logs and the parameter descriptions.

    Table 1 Configuration parameters of audit logs

    Parameter

    Description

    Default Value

    audit_directory

    Audit file storage directory

    /var/log/gaussdb/User name/pg_audit

    audit_resource_policy

    Policy for saving audit logs

    on (indicating that the space configuration policy is used)

    audit_space_limit

    Maximum storage space occupied by audit files

    1GB

    audit_file_remain_time

    Minimum period for storing audit log files

    90

    audit_file_remain_threshold

    Maximum number of audit files in the audit directory

    1048576

    NOTE:
    If gs_om is used for openGauss deployment, audit logs are stored in /var/log/gaussdb/Username/pg_audit.

  • The pg_delete_audit function is used to delete audit logs and is an internal SQL function of the database. Its syntax is as follows:

    pg_delete_audit(timestamp startime,timestamp endtime)
    

    startime and endtime indicate the audit record start time and end time, respectively.

  • Audit content is commonly recorded to database tables or OS files. Table 2 lists the advantages and disadvantages of the two record methods.

    Table 2 Comparison between the two record methods

    Mode

    Advantage

    Disadvantage

    Record in tables

    Users do not need to maintain audit logs.

    Any users having certain permissions to access database objects can access the audit tables. If a user illegally performs operations on the audit tables, the audit records may become inaccurate.

    Record in OS files

    This method has higher security because a user with the permission to access the database may not have the permission to access the OS files.

    Users need to maintain audit logs.

    For database security purposes, openGauss adopts the second method to save audit results for reliability.

Procedure

  1. Log in as the OS user omm to the primary node of the database.

  2. Run the following command to connect to the database:

    gsql -d postgres -p 8000
    

    postgres is the name of the database to be connected, and 8000 is the port number of the database primary node.

    If information similar to the following is displayed, the connection succeeds:

    gsql ((openGauss 1.0 build 290d125f) compiled at 2020-05-08 02:59:43 commit 2143 last mr 131
    Non-SSL connection (SSL connection is recommended when requiring high-security)
    Type "help" for help.
    
    postgres=# 
    
  3. Select a method to maintain audit logs.

    • Automatic deletion of audit logs

      If the storage space occupied by audit files or the number of audit files reaches the upper limit, the system automatically deletes the oldest audit files and records deletion information to audit logs.

      NOTE:
      By default, the allowed maximum storage space that can be occupied by audit files is set to 1024 MB. Users can set the value as required.

      Configure the allowed maximum size of storage space occupied by audit files (audit_space_limit).

      1. View the current value.

        postgres=# SHOW audit_space_limit;
         audit_space_limit
        -------------------
         1GB
        (1 row)
        

        If the command output is not 1 GB (1024 MB), run the \q command to exit the database.

      2. Run the following command to set the parameter to its default value 1024MB:

        gs_guc reload -N all -I all -c "audit_space_limit=1024MB"
        

      Configure the maximum number of audit files (audit_file_remain_threshold).

      1. View the current value.

        postgres=# SHOW audit_file_remain_threshold;
         audit_file_remain_threshold
        -----------------------------
         1048576
        (1 row)
        

        If the command output is not 1048576, run the \q command to exit the database.

      2. Run the following command to set the parameter to its default value 1048576:

        gs_guc reload -N all -I all -c "audit_file_remain_threshold=1048576"
        
    • Manual backup of audit files

      If the storage space occupied by audit files or the number of audit logs exceeds the threshold specified by the configuration file, the system automatically deletes the oldest audit files. Therefore, you are advised to periodically save important audit logs.

      1. Run the show command to view the directory (audit_directory) where audit files are saved.

        postgres=# SHOW audit_directory;
        
      2. Copy the entire audit directory elsewhere to save it.

    • Manual deletion of audit files

      Run the pg_delete_audit command to manually delete the audit records generated during a specified period of time.

      Example: Manually delete the audit records generated from September 20, 2012 to September 21, 2012.

      postgres=# SELECT pg_delete_audit('2012-09-20 ','2012-09-21');
      
Feedback
编组 3备份
    openGauss 2024-12-26 01:04:31
    cancel