On 18 October 2014 05:13, MauMau <maumau...@gmail.com> wrote:

> [requirement]
> 10.6 Review logs and security events for
> all system components to identify
> anomalies or suspicious activity.
> Note: Log harvesting, parsing, and
> alerting tools may be used to meet this
> Requirement.
> The log review process does not have to be
> manual. The use of log harvesting, parsing, and
> alerting tools can help facilitate the process by
> identifying log events that need to be reviewed.
>
> [my comment]
> What commercial and open source products are well known as the "log
> harvesting, parsing, and alerting tool"?  Is it possible and reasonably easy
> to integrate pgaudit with those tools?  The purpose of audit logging feature
> is not recording facts, but to enable timely detection of malicious actions.
> So, I think the ease of integration with those tools must be evaluated.  But
> I don't know about such tools.
>
> I feel the current output format of pgaudit is somewhat difficult to treat:
>
> * The audit log entries are mixed with other logs in the server log files,
> so the user has to extract the audit log lines from the server log files and
> save them elsewhere.  I think it is necessary to store audit logs in
> separate files.
>
> * Does the command text need "" around it in case it contains commas?

Audit entries are sent to the server log, yes.

The server log may be redirected to syslog, which allows various forms
of routing and manipulation that are outside of the reasonable domain
of pgaudit.

PostgreSQL also provides a logging hook that would allow you to filter
or redirect messages as desired.

Given those two ways of handling server log messages, the server log
is the obvious destination to provide for the recording/logging part of
the audit requirement. pgaudit is designed to allow generating useful
messages, not be an out of the box compliance tool.

-- 
 Simon Riggs                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
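The two concerns raised in the thread, pulling the audit entries out of a server log where they are mixed with everything else and whether a quoted statement survives embedded commas, are both things a "log harvesting, parsing, and alerting" step has to handle. The following is an added example written for this page, not code from pgaudit or from anyone in the thread: a small Python harvester that extracts the audit lines from a mixed server log, splits their CSV-style payload with a standard CSV reader, and applies a trivial alerting rule. The log_line_prefix layout ('%m [%p] '), the "AUDIT:" marker and the four-field payload (type, class, command, statement) are assumptions chosen for illustration, and the log lines themselves are constructed, so adapt the regex and field list to the actual output of your pgaudit build.

```python
import csv
import re
from typing import Dict, Iterable, List

# Constructed sample of a PostgreSQL server log with audit entries mixed in
# with ordinary messages. The "AUDIT:" marker and the four CSV-style fields
# (type, class, command, statement) are an ASSUMED layout for illustration,
# not the exact output of any particular pgaudit release.
SAMPLE_SERVER_LOG = """\
2014-10-18 05:13:01 UTC [1234] LOG:  database system is ready to accept connections
2014-10-18 05:13:05 UTC [1240] LOG:  AUDIT: SESSION,READ,SELECT,"SELECT a, b FROM t WHERE c = 'x,y'"
2014-10-18 05:13:06 UTC [1240] ERROR:  relation "missing" does not exist
2014-10-18 05:13:07 UTC [1240] LOG:  AUDIT: SESSION,WRITE,UPDATE,"UPDATE t SET a = 1, b = 2"
2014-10-18 05:13:08 UTC [1241] LOG:  AUDIT: SESSION,READ,SELECT,"SELECT * FROM ""Quoted"" WHERE x = 1"
2014-10-18 05:13:09 UTC [1241] LOG:  AUDIT: SESSION,DDL,DROP TABLE,"DROP TABLE t"
2014-10-18 05:13:10 UTC [1241] LOG:  AUDIT: SESSION,DDL
"""

# Matches the assumed log_line_prefix '%m [%p] ' followed by the severity and
# the audit marker; everything after "AUDIT: " is treated as the CSV payload.
AUDIT_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+AUDIT: (?P<payload>.*)$"
)
AUDIT_FIELDS = ("audit_type", "audit_class", "command", "statement")


def parse_audit_entries(log_text: str) -> List[Dict[str, str]]:
    """Pull audit entries out of a mixed server log and split their CSV payload.

    csv.reader honours the double quotes around the statement, so commas and
    doubled quotes inside the statement stay inside that one field. Lines whose
    payload does not have the expected field count are kept but flagged, since
    a harvester should not silently drop audit records.
    """
    entries = []
    for line in log_text.splitlines():
        m = AUDIT_LINE_RE.match(line)
        if not m:
            continue  # ordinary server message, not an audit record
        row = next(csv.reader([m.group("payload")]))
        entry = {"ts": m.group("ts"), "pid": m.group("pid"), "raw": line}
        if len(row) == len(AUDIT_FIELDS):
            entry.update(zip(AUDIT_FIELDS, row))
            entry["malformed"] = False
        else:
            entry["malformed"] = True
        entries.append(entry)
    return entries


def audit_only_log(log_text: str) -> str:
    """Return just the audit lines, i.e. what you would write to a separate
    file or ship to a log collector, leaving the rest of the server log behind."""
    return "\n".join(e["raw"] for e in parse_audit_entries(log_text)) + "\n"


def suspicious_entries(entries: Iterable[Dict[str, str]],
                       watched_classes=("DDL",),
                       watched_commands=("DROP TABLE", "ALTER ROLE", "GRANT")
                       ) -> List[Dict[str, str]]:
    """Trivial alerting rule: DDL, a watch-listed command, or a record that
    could not be parsed all merit review."""
    return [e for e in entries
            if e["malformed"]
            or e["audit_class"] in watched_classes
            or e["command"] in watched_commands]


if __name__ == "__main__":
    for e in suspicious_entries(parse_audit_entries(SAMPLE_SERVER_LOG)):
        print("REVIEW:", e["ts"], e.get("command", "<unparseable>"), e["raw"])
```

Two points worth noting. Because the statement is one CSV field in double quotes, the line containing `WHERE c = 'x,y'` parses into exactly four fields, and the doubled quotes in `""Quoted""` come back as a single quote character; if the statement were not quoted, the first comma inside it would break the column alignment, which is the reason to ask for quoting. The malformed line at the end is deliberately kept and surfaced rather than discarded: an audit record that cannot be parsed is itself something a reviewer should see.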


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
