pg_audit #4068

peterkracik · 2025-05-07T11:38:10Z

peterkracik
May 7, 2025

Hi,
I have an AWS environment - Postgrest 17.4 in AWS RDS and PostgREST latest as a pod in EKS cluster.
I enabled pg_audit, if I do a direct SQL statement to the DB, I can see an entry about this statement in the AWS CloudWatch.
But if I do an operation (ie. to create an entry) via PostgREST API, nothing is logged.

I use the same user to communicate with the DB for direct SQL queries and PostgREST. The only difference is that the authentication for API calls is done using JWT OAUTH.

I also tried to update the role used for the authentication with pgaudit.log = 'write'

Am I missing something?

peterkracik · 2025-05-08T10:57:35Z

peterkracik
May 8, 2025
Author

Even after configuring alter system set pgaudit.log to "all";
I am not getting the insert/update statements. I am only getting a lot of logs without the statement body.

These are all logs after a simple insert via PostgREST, without anything resembling "INSERT INTO ..."

0 replies

wolfgangwalther · 2025-05-08T11:02:25Z

wolfgangwalther
May 8, 2025
Maintainer

I don't think this is related to PostgREST and I have no idea how to fix it.

4 replies

peterkracik May 8, 2025
Author

thank you for your answer @wolfgangwalther

I don't think it is not related to PostgREST, because if I do the same insert via an SQL client using the same user, I can see it in cloudwatch

Couldn't it be because of the usage of CTEs?

wolfgangwalther May 8, 2025
Maintainer

Couldn't it be because of the usage of CTEs?

You can verify that, if you just use CTEs directly in your SQL client.

Or, better, run the exact same queries that PostgREST is running there, too.

peterkracik May 8, 2025
Author

That's a good idea, but how could I get the same query that PostgREST is running?

wolfgangwalther May 8, 2025
Maintainer

You could run PostgREST / PostgreSQL locally and enable statement logging for PostgreSQL (log_statement = all), then they will appear in the server log.

(or do that on AWS, if you have access to the server logs, which I don't know)

steve-chavez · 2025-05-16T17:35:48Z

steve-chavez
May 16, 2025
Maintainer

PostgREST generates queries and executes them using its API roles, it should be transparent towards pgaudit.

I also tried to update the role used for the authentication with pgaudit.log = 'write'

I haven't used pgaudit, but maybe try adding that setting for the anon or webuser too (assuming you named them like that).

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

pg_audit #4068

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

pg_audit #4068

Uh oh!

peterkracik May 7, 2025

Replies: 3 comments · 4 replies

Uh oh!

peterkracik May 8, 2025 Author

Uh oh!

wolfgangwalther May 8, 2025 Maintainer

Uh oh!

peterkracik May 8, 2025 Author

Uh oh!

wolfgangwalther May 8, 2025 Maintainer

Uh oh!

peterkracik May 8, 2025 Author

Uh oh!

Uh oh!

wolfgangwalther May 8, 2025 Maintainer

Uh oh!

steve-chavez May 16, 2025 Maintainer

peterkracik
May 7, 2025

Replies: 3 comments 4 replies

peterkracik
May 8, 2025
Author

wolfgangwalther
May 8, 2025
Maintainer

peterkracik May 8, 2025
Author

wolfgangwalther May 8, 2025
Maintainer

peterkracik May 8, 2025
Author

wolfgangwalther May 8, 2025
Maintainer

steve-chavez
May 16, 2025
Maintainer