View audit logs generated by pgAudit for AlloyDB for PostgreSQL

This page describes how to view the audit logs generated by pgAudit, which helps you to configure logs that are often required to comply with government, financial, and ISO certifications. This page also describes the log format for pgAudit. For more information about pgAudit, see About pgAudit.

Before you begin

To view audit logs, you must do the following:

• Enable Data Access audit logs for your AlloyDBproject.

• Ensure that you have the Private Logs Viewer (roles/logging.privateLogViewer) role.

View audit logs

The generated pgAudit logs for a given instance are sent to Cloud Logging as Data Access audit logs.

You can view the generated pgAudit logs by using the Logs Explorer application.

To view the pgAudit logs, select the cloudaudit.googleapis.com/data_access log filter in the Logs Explorer application.

To view all pgAudit logs for an AlloyDB project, execute the following query by using the Advanced Filter interface:

resource.type="alloydb.googleapis.com/Instance"
logName="projects/your-project-name/logs/cloudaudit.googleapis.com%2Fdata_access"
protoPayload.request.@type="type.googleapis.com/google.cloud.alloydb.audit.v1.PgAuditEntry"

Log format for pgAudit

Each pgAudit log entry in the Data Access audit logs contains fields that represent the information collected for a query. For more information about these log entry fields, see the pgAudit documentation.

Sample pgAudit log entry:

{
  protoPayload: {
    @type: "type.googleapis.com/google.cloud.audit.AuditLog"
    methodName: "alloydb.instances.query"
    request: {
      @type: "type.googleapis.com/google.cloud.alloydb.audit.v1.PgAuditEntry"
      auditClass: "READ"
      auditType: "SESSION"
      chunkCount: "1"
      chunkIndex: "1"
      command: "SELECT"
      database: "finance"
      databaseSessionId: 2209692
      parameter: "[not logged]"
      statement: "SELECT * FROM revenue"
      statementId: 2
      substatementId: 1
      user: "alice"
    }
  }
}

The following are descriptions of the fields in the Data Access audit logs:

• auditClass. The type of the statement that is logged. Possible values are READ, WRITE, FUNCTION, ROLE, DDL, MISC, and MISC_SET.
• auditType. SESSION or OBJECT.
• chunkCount. Chunking can occur on the data provided in the parameter and statement fields. The chunkCount field indicates the total number of chunks. Also see the description of the chunkIndex field.
• chunkIndex. Specifies the index number of the data chunks in the parameter and statement fields in the current request container. The initial number is 1. Also see the description of the chunkCount field.
• command. For example, ALTER TABLE or SELECT.
• parameter. The chunkIndex field can determine the contents of this field; see the description of the chunkIndex field. If the value for `pgaudit.log_parameter` is set, the parameter field can contain the statement parameters as quoted CSV data. If there are no parameters, this field contains [none]. Otherwise, this field contains [not logged].
• statement. Statement that is executed on the backend. The chunkIndex field can determine the contents of the statement field; see the description of the chunkIndex field.
• statementId. Unique statement ID for this session. Each statement ID represents a backend call. Statement IDs are sequential, even if some statements are not logged.
• substatementId. Sequential ID for each sub-statement within the main statement.

What's next

• Disable pgAudit.