pgaudit icon indicating copy to clipboard operation
pgaudit copied to clipboard

Published 20 hours ago verified publisher icon pgaudit

Improve logging of compound statements.

Open dwsteele opened this issue 1 year ago • 1 comments
trafficstars

This improves the situation where compound statements are sent to PostgreSQL. Previously, all the statements would be output for each audit entry, which is less useful and wasteful of space. In addition password redaction may redact following statements.

The biggest change for the output is that statement-terminating semicolons are not output. This is probably a net benefit overall but does represent a change from prior output. Leading/trailing whitespace is also stripped.

dwsteele avatar May 16 '24 04:05 dwsteele

@crunchyjohn @prlaurence It would probably be a good idea for you to have a look at this change since there are differences in the output. It think it is probably too late to put this in for PG17 but I could be convinced otherwise -- if I can come up with a cleaner impl that I'm happy with in time.

dwsteele avatar May 16 '24 04:05 dwsteele

Will this change also be added to the other (<17) branches?

mbanck avatar Oct 09 '24 11:10 mbanck

I wasn't planning to since there is a behavioral change even when there is only one statement. i.e. semicolons are stripped. Also, I don't think the pattern that led to this fix is very widespread.

I might be wrong about the last part, but we do strive to avoid changing the behavior.

dwsteele avatar Oct 09 '24 11:10 dwsteele

i see the same issue getting manifested on pg-15, is there any plan to backport this to pg-15 branch ?

harinath001 avatar Jan 15 '25 22:01 harinath001

i see the same issue getting manifested on pg-15, is there any plan to backport this to pg-15 branch ?

There are no plans to back patch because of the behavioral change.

dwsteele avatar Jan 15 '25 23:01 dwsteele

@dwsteele isn't the logging of the passwords in some cases (https://github.com/pgaudit/pgaudit/issues/214) a serious bug that needs to be fixed even for PG15? May I request that we scope down the change for PG15 to just the part that prevents the password from getting logged, without bringing in the change in behavior?

harinath001 avatar Jan 16 '25 00:01 harinath001

isn't the logging of the passwords in some cases (https://github.com/pgaudit/pgaudit/issues/214) a serious bug that needs to be fixed even for PG15?

We don't really consider this to be a bug and certainly not a serious one. There are plenty of ways for password to leak into the logs and we don't pretend to cover them all. Fixing this would require the formatting change and we are not willing to commit such a large change to back branches.

You can pull this change into pgAudit for PG15 yourself if you require it. Or upgrade to PG17.

dwsteele avatar Jan 16 '25 13:01 dwsteele