Enable pgAudit

To enable auditing on an AlloyDB instance, you perform two steps. First, you enable the alloydb.enable_pgaudit flag on the instance. Then, you connect to the cluster's primary instance and create the pgaudit extension in each database.

  1. Enable pgAudit on the instance:

    Console

    1. In the Google Cloud console, go to the Clusters page.

    2. Click a cluster in the Resource Name column.
    3. In the Overview page, go to Instances in your cluster, select an instance, and then click Edit.
    4. Add the alloydb.enable_pgaudit flag on your instance:
      1. Click Add flag.
      2. Select the alloydb.enable_pgaudit flag from the New database flag list.
      3. Select on from the Value list.
      4. Click Done.
    5. Click Update instance.

    gcloud

    To use the gcloud CLI, you can install and initialize the Google Cloud CLI (version 383.0.1 or later), or you can use Cloud Shell.

    gcloud beta alloydb instances update INSTANCE_NAME \
        --database-flags alloydb.enable_pgaudit=on \
        --region=REGION_ID \
        --cluster=CLUSTER_ID \
        --project=PROJECT_ID

    • INSTANCE_NAME: The name of the instance.
    • REGION_ID: The region where the instance is present.
    • CLUSTER_ID: The ID of the cluster where the instance is present.
    • PROJECT_ID: The ID of the project where the cluster is present.
  2. Connect to the primary instance and create the extension in each database. You must perform the following steps on the primary instance even if you are enabling auditing on a read pool instance:
    1. Connect a psql client to the cluster's primary instance, as described in Connect a psql client to an instance.
    2. At the psql command prompt, connect to the database and create the extension:
          \c DB_NAME
          CREATE EXTENSION IF NOT EXISTS pgaudit;
          
    3. Repeat the previous two steps to connect to other databases and create the extension in each one of them.
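
Step 2 has to be repeated for every database, so a database that is missed is not audited. As an added example (not part of the AlloyDB documentation), this shell function turns a list of database names into a psql script that runs the `\c` and `CREATE EXTENSION` pair for each one and then reads `pg_extension` back to confirm it. The function names, the `SKIP_DBS` variable and the sample database names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a psql script that creates pgaudit in every listed database.

# Hypothetical variable: space-separated databases to leave out.
# template0 does not accept connections, so it is skipped by default.
SKIP_DBS="${SKIP_DBS:-template0}"

# Reads database names on stdin (one per line) and writes a psql script
# to stdout: connect, create the extension, then verify it is installed.
build_pgaudit_script() {
  while IFS= read -r db; do
    # Ignore blank lines in the input.
    [ -z "$db" ] && continue
    # Ignore anything named in SKIP_DBS.
    case " $SKIP_DBS " in
      *" $db "*) continue ;;
    esac
    # Double embedded double quotes so the name stays one quoted
    # identifier when passed to \c (handles spaces and mixed case too).
    quoted=$(printf '%s' "$db" | sed 's/"/""/g')
    printf '\\c "%s"\n' "$quoted"
    printf 'CREATE EXTENSION IF NOT EXISTS pgaudit;\n'
    # One row per database confirms the extension and its version.
    printf "SELECT current_database() AS db, extversion FROM pg_extension WHERE extname = 'pgaudit';\n"
  done
}

# Constructed sample of what the database list might look like,
# including a blank line and names that need quoting.
sample_dbs() {
  printf '%s\n' postgres template0 'app"db' 'sales db' ''
}

# Real use, assuming PGHOST and PGUSER point at the cluster's primary instance:
#   psql -d postgres -At -c "SELECT datname FROM pg_database WHERE datallowconn" \
#     | build_pgaudit_script \
#     | psql -d postgres -v ON_ERROR_STOP=1
#
# Offline demonstration on the constructed sample:
sample_dbs | build_pgaudit_script
```

Review the generated script before piping it into psql; with `ON_ERROR_STOP=1` the run halts at the first database that cannot be connected to, which you can then add to `SKIP_DBS`.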