From 1cfa9d05a64b6788a510a2b876b608395c778964 Mon Sep 17 00:00:00 2001 From: Marcelo Henrique Neppel Date: Sat, 18 Oct 2025 11:59:50 -0300 Subject: [PATCH 1/3] Add security event logging documentation Signed-off-by: Marcelo Henrique Neppel --- docs/.custom_wordlist.txt | 2 ++ docs/explanation/security/index.md | 15 +++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/docs/.custom_wordlist.txt b/docs/.custom_wordlist.txt index 842cb0ceea..6ef00818b9 100644 --- a/docs/.custom_wordlist.txt +++ b/docs/.custom_wordlist.txt @@ -32,6 +32,7 @@ CSR CSRs databag databags +DDL dev dvipng eks @@ -86,6 +87,7 @@ Parca Parca's Patroni patronictl +pgAudit pgbackrest pgBackRest pgbouncer diff --git a/docs/explanation/security/index.md b/docs/explanation/security/index.md index f304cef7da..9c7873187e 100644 --- a/docs/explanation/security/index.md +++ b/docs/explanation/security/index.md 
@@ -87,6 +87,21 @@ Charmed PostgreSQL provides native integration with the [Canonical Observability PostgreSQL logs are stored in `/var/snap/charmed-postgresql/common/var/log/postgresql` within the PostgreSQL container of each unit. It’s recommended to integrate the charm with [COS](/how-to/monitoring-cos/enable-monitoring), from where the logs can be easily persisted and queried using [Loki](https://charmhub.io/loki-k8s)/[Grafana](https://charmhub.io/grafana). +### Security event logging + +Charmed PostgreSQL K8s provides [PostgreSQL Audit Extension (or pgAudit)](https://www.pgaudit.org/) enabled by default. These logs are stored in the `/var/snap/charmed-postgresql/common/var/log/postgresql` directory of each unit along with the regular workload logs, and rotated minutely. If COS is enabled, audit logs are also persisted there. + +The following information is configured to be logged: + +* Statements related to roles and privileges, such as GRANT, REVOKE, CREATE, ALTER, and DROP ROLE. +* Data Definition Language (DDL) statements. +* Miscellaneous commands like DISCARD, FETCH, CHECKPOINT, VACUUM, SET. +* Miscellaneous SET commands. + +Other events, like connections and disconnections, are logged depending on the value of the charm configuration options related to them. For more information, check the configuration options with the `logging` prefix in the [configuration reference](https://charmhub.io/postgresql/configurations#logging_log_connections). + +No secrets are logged. + ## Additional resources For details on the cryptography used by Charmed PostgreSQL, see the [Cryptography](/explanation/security/cryptography) explanation page. From a8068aa8ed016356b53767011627403df08776b1 Mon Sep 17 00:00:00 2001 From: Andreia Date: Mon, 20 Oct 2025 11:03:26 +0200 Subject: [PATCH 2/3] Ignore terraform URLs in link checker --- docs/conf.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/conf.py b/docs/conf.py index 4465ed9727..6719240ed7 100644 
--- a/docs/conf.py +++ b/docs/conf.py @@ -209,7 +209,9 @@ "http://127.0.0.1:8000", "https://github.com/canonical/ACME/*", "https://matrix.to/*", - "https://portal.azure.com/#browse/Microsoft.Compute/VirtualMachines" + "https://portal.azure.com/#browse/Microsoft.Compute/VirtualMachines", + "https://developer.hashicorp.com/*", + "https://www.terraform.io/*" ] # A regex list of URLs where anchors are ignored by 'make linkcheck' From 1bb268d4582e273cac95ca1d300299f1f74ecae5 Mon Sep 17 00:00:00 2001 From: Marcelo Henrique Neppel Date: Mon, 20 Oct 2025 10:00:29 -0300 Subject: [PATCH 3/3] Fix charm substrate. Co-authored-by: Dragomir Penev <6687393+dragomirp@users.noreply.github.com> --- docs/explanation/security/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/explanation/security/index.md b/docs/explanation/security/index.md index 9c7873187e..1aaf9c43ce 100644 --- a/docs/explanation/security/index.md +++ b/docs/explanation/security/index.md @@ -89,7 +89,7 @@ PostgreSQL logs are stored in `/var/snap/charmed-postgresql/common/var/log/postg ### Security event logging -Charmed PostgreSQL K8s provides [PostgreSQL Audit Extension (or pgAudit)](https://www.pgaudit.org/) enabled by default. These logs are stored in the `/var/snap/charmed-postgresql/common/var/log/postgresql` directory of each unit along with the regular workload logs, and rotated minutely. If COS is enabled, audit logs are also persisted there. +Charmed PostgreSQL VM provides [PostgreSQL Audit Extension (or pgAudit)](https://www.pgaudit.org/) enabled by default. These logs are stored in the `/var/snap/charmed-postgresql/common/var/log/postgresql` directory of each unit along with the regular workload logs, and rotated minutely. If COS is enabled, audit logs are also persisted there. The following information is configured to be logged:
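Review bot: The last two bullets of the logged-events list in the docs/explanation/security/index.md hunk of patch 1/3 overlap: "Miscellaneous commands like DISCARD, FETCH, CHECKPOINT, VACUUM, SET." already names SET, and the next bullet is "Miscellaneous SET commands." Merge them, or say how the second differs from the first. In the first bullet, "CREATE, ALTER, and DROP ROLE" can be read as CREATE and ALTER of any object; "CREATE ROLE, ALTER ROLE, and DROP ROLE" is unambiguous. The closing "No secrets are logged." is stated without support, while the first bullet says role statements are logged; one sentence on how statement text that contains a password is handled would let a reader verify the claim. "rotated minutely" reads better as "rotated every minute".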
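Review bot: The two entries added to the ignore list in the docs/conf.py hunk of patch 2/3, "https://developer.hashicorp.com/*" and "https://www.terraform.io/*", exclude every URL under those hosts from the link checker, and neither the commit message nor the file says why. The subject line says "terraform URLs", but the first pattern covers all of developer.hashicorp.com. A dead link to either site will no longer be caught, so add a comment above the entries giving the reason they are skipped, and narrow the patterns to the paths the docs actually link to if that is enough. Also end the final entry with a trailing comma, so the next addition does not have to modify this line the way the portal.azure.com entry had to be modified here.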
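Review bot: The K8s to VM correction in the docs/explanation/security/index.md hunk of patch 3/3 belongs in patch 1/3, which introduces this paragraph with the wrong substrate name earlier in the same series. Squash it into 1/3 so that no commit in the history carries the "Charmed PostgreSQL K8s" wording next to a `/var/snap/charmed-postgresql/...` path, and keep the Co-authored-by trailer on the squashed commit.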