public inbox for [email protected]
help / color / mirror / Atom feedFrom: Adrian Klaver <[email protected]>
To: Lok P <[email protected]>
To: pgsql-general <[email protected]>
Subject: Re: Logging statement having any threat?
Date: Sat, 20 Apr 2024 09:32:46 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAKna9VZZuGwejSd+u9gQ7WobDYDcip+2Ua5e67sKA-Wgah=7Wg@mail.gmail.com>
References: <CAKna9VZZuGwejSd+u9gQ7WobDYDcip+2Ua5e67sKA-Wgah=7Wg@mail.gmail.com>
On 4/20/24 07:02, Lok P wrote:
> Hello All,
> Its postgres version 15.4 and its RDS, in which our dev team gets the
> infrastructure code from another third party team which provides us base
> infrastructure code to build a postgres database, in which we will be
> able to do change DB parameter values etc whatever is mentioned in the
> file with possible values. But surprisingly we don't see log_statement
> there. Below was our requirement,
>
> For debugging and evaluating performance we were having
> pg_stat_statements but it contains aggregated information about all the
> query execution. But in case just want to debug any point in time issues
> where the selected few queries were performing bad (may be because of
> plan change), we were planning to have the auto_explain extension added
> and set the log_min_duration to ~5 seconds, So that, all the queries
> going above that time period(5 seconds) will be logged and provide
> detailed information on the exact point of bottleneck. But we see the
> log_statement parameter has been removed from the base infrastructure
> script/terraform script given by the database team here, so that means
> we will get it as default which is "NONE", which means no
> statement(SELECT/DML/DDL etc) can be logged.
Have you tried?:
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT
"
log_statement (enum)
<...>
The default is none. Only superusers and users with the appropriate SET
privilege can change this setting.
"
Or
https://www.postgresql.org/docs/current/functions-admin.html#FUNCTIONS-ADMIN-SET
set_config ( setting_name text, new_value text, is_local boolean ) → text
>
> Now when we reach out to the infrastructure team , they are saying these
> variables(pg_cluster_log_statement,pg_instance_log_statement) were
Where are those variables coming from? I can not find them in RDS or
Terraform docs.
> removed due to potential security threat. So I want to understand from
> experts here , how this is really a security threat and if any option to
> get this logging enabled (which will help us debug performance issues)
> at same time addressing the threat too?
>
> Regards
> Lok
--
Adrian Klaver
[email protected]
view thread (3+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Logging statement having any threat?
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox