Logging with pgAudit

The PostgreSQL Audit Extension (pgAudit) lets you enable session logging for your IBM Cloud® Databases for PostgreSQL deployments.

Session logging

Session logging is off by default. You can enable session logging parameters that log all activity for sets of audit event types. Session logging applies to the whole DB cluster and is either on or off for a specific event type.

Event types

Session logging is configured per event type. The supported event types across all versions are:

  • FUNCTION
  • ROLE
  • DDL
  • MISC
  • MISC_SET (this additional type is only supported in PostgreSQL 12 or greater)

For more information, see pgaudit.

Enabling pgAudit session logging

To enable pgAudit session logging, connect as the admin user and call the set_pgaudit_session_logging function with the appropriate event parameters specified. Session logging is enabled directly in the database and no API or CLI access is provided.

For example, to enable DDL and ROLE you would call:

SELECT public.set_pgaudit_session_logging('{ddl, role}');

Any subsequent call replaces the existing configuration; calls are not additive. For example, a subsequent call to SELECT public.set_pgaudit_session_logging('{misc}'); would log only misc and disable ddl and role.

Disabling pgAudit

To disable audit logging, call the same function with none specified. For example:

SELECT public.set_pgaudit_session_logging('{none}');

Audit level changes take effect immediately when the function is called, without interrupting database activity.

Audit logs

Audit events appear in IBM® Cloud Logs Routing with the following format:

LOG: AUDIT: SESSION,1,1,DDL,CREATE TABLE,,,create table f2 (id int);,<not logged>

The format is documented here.
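
An audit line in the format above can be parsed as CSV to filter or alert on specific event classes. The following is an added example, not IBM's or pgAudit's code: the field names follow the upstream pgAudit documentation (an assumption, since this page only links to it), and the function names, the app_user role and the sample lines other than the first are constructed for illustration.

```python
import csv
import io

# Field order as in the upstream pgAudit documentation (assumption: the page
# only links to it). Newer pgAudit releases may append further fields.
FIELDS = ("audit_type", "statement_id", "substatement_id", "class", "command",
          "object_type", "object_name", "statement", "parameter")
MARKER = "AUDIT: "

def parse_audit_line(line):
    """Return a dict for one pgAudit entry, or None if the line is not one."""
    pos = line.find(MARKER)
    if pos == -1:
        return None
    # The payload is CSV: a statement containing commas or quotes is quoted,
    # so a plain split(",") would cut it into the wrong fields.
    row = next(csv.reader(io.StringIO(line[pos + len(MARKER):])), None)
    if row is None or len(row) < len(FIELDS):
        return None
    if not (row[1].isdigit() and row[2].isdigit()):
        return None
    event = dict(zip(FIELDS, row))
    event["statement_id"] = int(row[1])
    event["substatement_id"] = int(row[2])
    event["extra"] = row[len(FIELDS):]  # any trailing fields, kept verbatim
    return event

def events_of_class(lines, audit_class):
    """Yield parsed events of one class (DDL, ROLE, ...), skipping other log lines."""
    for line in lines:
        event = parse_audit_line(line)
        if event and event["class"] == audit_class:
            yield event

# Constructed sample input: the first line is the one shown on this page, the
# others are made up (hypothetical role app_user, hypothetical timestamp prefix).
SAMPLE = [
    "LOG: AUDIT: SESSION,1,1,DDL,CREATE TABLE,,,create table f2 (id int);,<not logged>",
    '2024-01-01 00:00:00 UTC LOG: AUDIT: SESSION,2,1,ROLE,GRANT,,,'
    '"grant select, insert on f2 to app_user;",<not logged>',
    "LOG: checkpoint starting: time",
]

if __name__ == "__main__":
    for ev in events_of_class(SAMPLE, "ROLE"):
        print(ev["statement_id"], ev["command"], ev["statement"])
```
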

If you want to see the current log level, you can run the command:

show pgaudit.log;