Maintaining Audit Logs
Prerequisites
You have the audit permission.
Background
Table 1 lists the configuration parameters related to audit logs and the parameter descriptions.
Table 1 Configuration parameters of audit logs
NOTE:
If gs_om is used for openGauss deployment, audit logs are stored in /var/log/gaussdb/Username/pg_audit.The pg_delete_audit function is used to delete audit logs and is an internal SQL function of the database. Its syntax is as follows:
pg_delete_audit(timestamp startime,timestamp endtime)startime and endtime indicate the audit record start time and end time, respectively.
Audit content is commonly recorded to database tables or OS files. Table 2 lists the advantages and disadvantages of the two record methods.
Table 2 Comparison between the two record methods
For database security purposes, openGauss adopts the second method to save audit results for reliability.
Procedure
Log in as the OS user omm to the primary node of the database.
Run the following command to connect to the database:
gsql -d postgres -p 8000postgres is the name of the database to be connected, and 8000 is the port number of the database primary node.
If information similar to the following is displayed, the connection succeeds:
gsql ((openGauss 1.0 build 290d125f) compiled at 2020-05-08 02:59:43 commit 2143 last mr 131 Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. postgres=#Select a method to maintain audit logs.
Automatic deletion of audit logs
If the storage space occupied by audit files or the number of audit files reaches the upper limit, the system automatically deletes the oldest audit files and records deletion information to audit logs.
NOTE:
By default, the allowed maximum storage space that can be occupied by audit files is set to 1024 MB. Users can set the value as required.Configure the allowed maximum size of storage space occupied by audit files (audit_space_limit).
View the current value.
postgres=# SHOW audit_space_limit; audit_space_limit ------------------- 1GB (1 row)If the command output is not 1 GB (1024 MB), run the \q command to exit the database.
Run the following command to set the parameter to its default value 1024MB:
gs_guc reload -N all -I all -c "audit_space_limit=1024MB"
Configure the maximum number of audit files (audit_file_remain_threshold).
View the current value.
postgres=# SHOW audit_file_remain_threshold; audit_file_remain_threshold ----------------------------- 1048576 (1 row)If the command output is not 1048576, run the \q command to exit the database.
Run the following command to set the parameter to its default value 1048576:
gs_guc reload -N all -I all -c "audit_file_remain_threshold=1048576"
Manual backup of audit files
If the storage space occupied by audit files or the number of audit logs exceeds the threshold specified by the configuration file, the system automatically deletes the oldest audit files. Therefore, you are advised to periodically save important audit logs.
Run the show command to view the directory (audit_directory) where audit files are saved.
postgres=# SHOW audit_directory;Copy the entire audit directory elsewhere to save it.
Manual deletion of audit files
Run the pg_delete_audit command to manually delete the audit records generated during a specified period of time.
Example: Manually delete the audit records generated from September 20, 2012 to September 21, 2012.
postgres=# SELECT pg_delete_audit('2012-09-20 ','2012-09-21');