Re: pgaudit - an auditing extension for PostgreSQL

At 2014-06-23 08:50:33 -0400, sfrost(at)snowman(dot)net wrote:
>
> I'm not a huge fan of adding this as a contrib module

I added it to the CF because we're interested in auditing functionality
for 9.5, and as far as I can tell, there's nothing better available. At
the moment, the contrib module has the advantage that it exists :-) and
works with 9.[34] (and could be made to work with 9.2, though I didn't
bother for the initial submission).

> unless we can be
> quite sure that there's a path forward from here to a rework of the
> logging in core which would actually support the features pg_audit is
> adding, without a lot of pain and upgrade issues.

What sort of pain and upgrade issues did you have in mind?

> I'd expect a catalog table or perhaps changes to pg_class (maybe other
> things also..) to define what gets logged..

Please explain?

(I wish extensions were able to add reloptions. That would have made it
relatively easy for us to implement per-object audit logging.)

> I'd also like to see the ability to log based on the connecting user,
> and we need to log under what privileges a command is executing

I imagine it's not useful to point out that you can do the former with
pgaudit (using ALTER ROLE … SET), and that we log the effective userid
for the latter (though maybe you had something more in mind)…

> and, really, a whole host of other things..

…but there's not a whole lot I can do with that, either.

Is the minimal set of auditing features that we would need in-core very
different from what pgaudit already has?

-- Abhijit