Re: [GENERAL] how _not_ to log?

Fri, 26 Jul 2013 11:29:31 -0700 

On Thu, Jul 25, 2013 at 3:59 PM, Tim Spencer <tspen...@cloudpassage.com> wrote:
> Hello there!
>
>         I've seen lots of people who have asked questions about how to log 
> this or that, but I have the opposite question!  :-)  I'm seeing this in my 
> logs:
>
> Jul 25 18:08:11 staging-db11 postgres[27050]: [10-2] STATEMENT:  create role 
> pguser encrypted password 'XXX';

That does not look like the entire message.  What was before and after
it in the log?

For example:

ERROR:  role "foobar" already exists
STATEMENT:  create role foobar encrypted password 'XXX';

If it were not for the ERROR, the STATEMENT would not be being logged,
in my hands.


>
>         Where XXX is the actual password.  This happens every 30 minutes when 
> my chef client kicks off and resets the passwords.  Here's everything that I 
> have in postgres.conf related to logging:
>
> log_destination = 'syslog'              # Valid values are combinations of
>                                         # stderr, csvlog, syslog, and 
> eventlog,
>                                         # depending on platform.  csvlog
>                                         # requires logging_collector to be on.
> logging_collector = on                  # Enable capturing of stderr and 
> csvlog
>                                         # into log files. Required to be on 
> for
>                                         # csvlogs.
> log_directory = 'pg_log'                # directory where log files are 
> written,
> log_filename = 'postgresql-%a.log'      # log file name pattern,
> log_truncate_on_rotation = on           # If on, an existing log file with the
>                                         # same name as the new log file will 
> be
> log_rotation_age = 1d                   # Automatic rotation of logfiles will
> log_rotation_size = 0                   # Automatic rotation of logfiles will
>                                         # happen after that much log output.
>                                         # DO NOT USE without syslog or
>                                         # logging_collector
> log_min_duration_statement = 2000       # 2 seconds
> log_checkpoints = on

What about log_min_error_statement ?

>
>         What I'd like to do is stop logging create role commands, as the logs 
> end up full of passwords.  Is there any way to do this?  Thanks, and have fun!

First you need to find out why they were getting logged.  I don't
think any of the setting you showed explain that.

Also, I don't think anything you can do will render it acceptable to
show your log files to unprivileged users, if that is what you are
aiming for.

Cheers,

Jeff


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

Reply via email to