Skip to content

Add security event logging documentation #1236

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 20, 2025
Merged

Add security event logging documentation #1236

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1cfa9d0
Add security event logging documentation
marceloneppel Oct 18, 2025
a8068aa
Ignore terraform URLs in link checker
a-velasco Oct 20, 2025
1bb268d
Fix charm substrate.
marceloneppel Oct 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/.custom_wordlist.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ CSR
CSRs
databag
databags
DDL
dev
dvipng
eks
Expand Down Expand Up @@ -86,6 +87,7 @@ Parca
Parca's
Patroni
patronictl
pgAudit
pgbackrest
pgBackRest
pgbouncer
Expand Down
4 changes: 3 additions & 1 deletion docs/conf.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,9 @@
"http://127.0.0.1:8000",
"https://github.com/canonical/ACME/*",
"https://matrix.to/*",
"https://portal.azure.com/#browse/Microsoft.Compute/VirtualMachines"
"https://portal.azure.com/#browse/Microsoft.Compute/VirtualMachines",
"https://developer.hashicorp.com/*",
"https://www.terraform.io/*"
]

# A regex list of URLs where anchors are ignored by 'make linkcheck'
Expand Down
15 changes: 15 additions & 0 deletions docs/explanation/security/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,21 @@ Charmed PostgreSQL provides native integration with the [Canonical Observability

PostgreSQL logs are stored in `/var/snap/charmed-postgresql/common/var/log/postgresql` within the PostgreSQL container of each unit. It’s recommended to integrate the charm with [COS](/how-to/monitoring-cos/enable-monitoring), from where the logs can be easily persisted and queried using [Loki](https://charmhub.io/loki-k8s)/[Grafana](https://charmhub.io/grafana).

### Security event logging

Charmed PostgreSQL VM provides [PostgreSQL Audit Extension (or pgAudit)](https://www.pgaudit.org/) enabled by default. These logs are stored in the `/var/snap/charmed-postgresql/common/var/log/postgresql` directory of each unit along with the regular workload logs, and rotated minutely. If COS is enabled, audit logs are also persisted there.

The following information is configured to be logged:

* Statements related to roles and privileges, such as GRANT, REVOKE, CREATE, ALTER, and DROP ROLE.
* Data Definition Language (DDL) statements.
* Miscellaneous commands like DISCARD, FETCH, CHECKPOINT, VACUUM, SET.
* Miscellaneous SET commands.

Other events, like connections and disconnections, are logged depending on the value of the charm configuration options related to them. For more information, check the configuration options with the `logging` prefix in the [configuration reference](https://charmhub.io/postgresql/configurations#logging_log_connections).

No secrets are logged.

## Additional resources

For details on the cryptography used by Charmed PostgreSQL, see the [Cryptography](/explanation/security/cryptography) explanation page.
Expand Down