Include more log categories for PostgreSQL Flexible Servers in policy for diagnostic setting

Open chrholt opened this issue 3 years ago • 2 comments

Describe the solution you'd like

Add more log categories in the diagnostic setting policy for PostgreSQL flexible servers. In this policy it is only the "PostgreSQLLogs" category that exists - Deploy-Diagnostics-PostgreSQL.json#L166.

I suggest adding these log categories for Flexible Servers:

  • PostgreSQLFlexSessions
  • PostgreSQLFlexQueryStoreRuntime
  • PostgreSQLFlexQueryStoreWaitStats
  • PostgreSQLFlexTableStats
  • PostgreSQLFlexDatabaseXacts

Because of the existenceCondition, this policy will also always be non-compliant due to checking if all logs are enabled:

    { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" }

chrholt avatar May 08 '23 11:05 chrholt

Hi @chrholt! Thanks for raising the issue. A couple of things to ask and share. First, I'm curious where you are getting the list of categories from, as I deployed a new PostgreSQL flexible server and have a different list of categories available (this list may have changed recently - are you checking an existing deployment?): [image]

Second, and more importantly, product owners and our policy teams are enhancing diagnostic settings policies for Azure services based on categories (as an example see https://www.azadvertizer.net/azpolicyadvertizer/6567d3f3-42d0-4cfb-9606-9741ba60fa07.html). Unfortunately, PostgreSQL has not been given the needed love as yet. This work is ongoing as something we in ALZ collectively refer to as "Diagnostic Settings v2", and we're hoping to see this implemented for all services over the next several months.

As part of our overall strategy going forward, we prefer built-in policies maintained by service owners, over maintaining custom policies that need regular maintenance, so we are generally holding off until the new diagnostics settings policies are available.

If there is an urgent need for this, we can look at updating the existing custom policy to include all log sources available, something like:

Microsoft.Insights/diagnosticSettings/logs[*]

Our recommendation is to wait for the official built-in policies, but we will do our best to ensure your requirements are addressed.

Springstone avatar May 10 '23 13:05 Springstone

Hi @Springstone. We can manage without for now, knowing that changes are coming. Thanks. We do have a custom policy for this ourselves, but we do also prefer using built-in or ALZ policies to minimize the need for maintenance. I did push a change to the diagnostic setting policy for PostgreSQL servers in this pull request a while back, to make it support flexible servers as well as single server. But at that time there was only the one category, PostgreSQLLogs, so I figured I could suggest adding the new categories as well.

The log categories I found from the Resource JSON of the diagnostic setting:

        "logs": [
            {
                "category": "PostgreSQLLogs",
                "categoryGroup": null,
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "PostgreSQLFlexSessions",
                "categoryGroup": null,
                "enabled": false,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "PostgreSQLFlexQueryStoreRuntime",
                "categoryGroup": null,
                "enabled": false,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "PostgreSQLFlexQueryStoreWaitStats",
                "categoryGroup": null,
                "enabled": false,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "PostgreSQLFlexTableStats",
                "categoryGroup": null,
                "enabled": false,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "PostgreSQLFlexDatabaseXacts",
                "categoryGroup": null,
                "enabled": false,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            }
        ]

But the categories are the same as those in your screenshot.

chrholt avatar May 18 '23 18:05 chrholt
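
An added example, not part of the original thread or the ALZ repository: a small Python audit of a diagnostic setting's `logs` array, shaped like the Resource JSON quoted above, that reports which of the listed Flexible Server categories are not being collected. The sample input is constructed, and treating an enabled `allLogs` category group as covering every category is an assumption about how the setting is configured.

```python
import json

# Categories listed in the issue for PostgreSQL Flexible Servers.
EXPECTED = [
    "PostgreSQLLogs",
    "PostgreSQLFlexSessions",
    "PostgreSQLFlexQueryStoreRuntime",
    "PostgreSQLFlexQueryStoreWaitStats",
    "PostgreSQLFlexTableStats",
    "PostgreSQLFlexDatabaseXacts",
]


def build_sample(enabled):
    """Constructed sample shaped like the Resource JSON quoted in the thread."""
    logs = [{"category": c, "categoryGroup": None, "enabled": c in enabled,
             "retentionPolicy": {"days": 0, "enabled": False}} for c in EXPECTED]
    return json.dumps({"logs": logs})


def audit(setting_json, expected=EXPECTED):
    """Report which expected categories a diagnostic setting collects."""
    logs = json.loads(setting_json).get("logs") or []
    # Assumption: an enabled "allLogs" category group covers every category.
    # Other groups (e.g. "audit") are not expanded here.
    if any(e.get("categoryGroup") == "allLogs" and e.get("enabled") is True
           for e in logs):
        on = set(expected)
    else:
        on = {e["category"] for e in logs
              if e.get("category") and e.get("enabled") is True}
    return {
        "enabled": [c for c in expected if c in on],
        "missing": [c for c in expected if c not in on],
        # The check as the issue describes it (every log entry enabled);
        # this is not a reimplementation of the Azure Policy engine.
        "all_entries_enabled": bool(logs)
        and all(e.get("enabled") is True for e in logs),
    }


# Constructed input: only PostgreSQLLogs enabled, as in the quoted JSON.
SAMPLE = build_sample({"PostgreSQLLogs"})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```
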

Closing this as we've deprecated all our diagnostic settings policies and shifted to the PG owned initiative to do the same. Please review https://aka.ms/alz/whatsnew for details.

Springstone avatar Jun 03 '24 15:06 Springstone