Hi Fujii,

Thanks for taking a look at the patch.  Comments below:

On 2/18/15 6:11 AM, Fujii Masao wrote:
> On Wed, Feb 18, 2015 at 1:26 AM, David Steele <da...@pgmasters.net> wrote:
>> On 2/17/15 10:23 AM, Simon Riggs wrote:
>>> I vote to include pgaudit in 9.5, albeit with any changes. In
>>> particular, David may have some changes to recommend, but I haven't
>>> seen a spec or a patch, just a new version of code (which isn't how we
>>> do things...).
>>
>> I submitted the new patch in my name under a separate thread "Auditing
>> extension for PostgreSQL (Take 2)" (54e005cc.1060...@pgmasters.net)
> 
> I played with the patch version of pg_audit a bit and have basic comments about
> its spec.
> 
> The pg_audit doesn't log BIND parameter values when a prepared statement is
> used. Seems this is an oversight of the patch. Or is this intentional?

It's actually intentional - following the model I talked about in my
earlier emails, the idea is to log statements only.  This also follows
on 2ndQuadrant's implementation.

Logging values is interesting, but I'm sure the user would want to
specify which columns to log, which I felt was beyond the scope of the
patch.

> The pg_audit cannot log a statement like "SELECT 1" which doesn't access
> the database object. Is this intentional? I think that there are many users
> who want to audit even such statements.

I think I see how to make this work.  I'll work on it for the next
version of the patch.

> 
> Imagine the case where you call a user-defined function which executes
> many nested statements. In this case, pg_audit logs only the top-level statement
> (i.e., issued directly by the client) every time a nested statement is executed.
> In fact, one call of such a UDF can cause lots of *same* log messages. I think
> this is problematic.

I agree - not sure how to go about addressing it, though.  I've tried to
cut down on the verbosity of the logging in general, but of course it
can still be a problem.

Using security definer and a different logging GUC for the defining role
might work.  I'll add that to my unit tests and see what happens.

I appreciate your feedback!

-- 
- David Steele
da...@pgmasters.net
