ossc-db / pgaudit

PostgreSQL Audit Extension

(refactored branch) The filter by the database name has no effect on the audit log of the connection attempt. #42

Closed harada-toshi closed 7 years ago

harada-toshi commented 7 years ago

Overview

pgaudit config file

[output]
        logger = 'serverlog'

# CONNECT(1)
[rule]
        class = 'CONNECT'
        database = 'postgres'

Execute psql

psql -U postgres postgres -c "SELECT 1"
psql -U postgres test -c "SELECT 1"

Audit Log

LOG:  AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,,,[local],[unknown],,0,00000,connection received: host=[local],,,,,
LOG:  connection received: host=[local]
LOG:  AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,postgres,postgres,[local],[unknown],2/1,0,00000,connection authorized: user=postgres database=postgres,,,,,
LOG:  connection authorized: user=postgres database=postgres
LOG:  AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,postgres,postgres,[local],psql,,0,00000,disconnection: session time: 0:00:00.021 user=postgres database=postgres host=[local],,,,,
LOG:  disconnection: session time: 0:00:00.021 user=postgres database=postgres host=[local]
LOG:  AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,,,[local],[unknown],,0,00000,connection received: host=[local],,,,,
LOG:  connection received: host=[local]
LOG:  connection authorized: user=postgres database=test
LOG:  disconnection: session time: 0:00:00.008 user=postgres database=test host=[local]

MasahikoSawada commented 7 years ago

In the server log you mentioned, the audit log and server log entries correspond to each other as follows.

  1. LOG: AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,,,[local],[unknown],,0,00000,connection received: host=[local],,,,,
    • Corresponding to "LOG: connection received: host=[local]"
  2. LOG: AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,postgres,postgres,[local],[unknown],2/1,0,00000,connection authorized: user=postgres database=postgres,,,,,
    • Corresponding to "LOG: connection authorized: user=postgres database=postgres"
  3. LOG: AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,postgres,postgres,[local],psql,,0,00000,disconnection: session time: 0:00:00.021 user=postgres database=postgres host=[local],,,,,
    • Corresponding to "LOG: disconnection: session time: 0:00:00.021 user=postgres database=postgres host=[local]"
  4. LOG: AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,,,[local],[unknown],,0,00000,connection received: host=[local],,,,,
    • Corresponding to "LOG: connection received: host=[local]"
  5. LOG: connection authorized: user=postgres database=test
  6. LOG: disconnection: session time: 0:00:00.008 user=postgres database=test host=[local]

The connection and disconnection messages are output by the postmaster when a connection is received, before connecting to a particular database, so we cannot find out what database the client is going to connect to at that point. That's why the log message "LOG: connection received: host=[local]" is emitted regardless of the database being connected to. You can see that the log messages "connection authorized" and "disconnection" are output when the client connects to the specified database postgres.
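
Added example, not part of the original thread or of pgaudit's code: a small Python check over the log lines quoted in this issue. It shows which CONNECT audit records carry no database value for the rule to compare against, and which authorized sessions have no AUDIT counterpart. The field positions are inferred from the sample lines, and treating index 5 as the database is an assumption.

```python
import csv
import re

# Server log lines copied from the issue; rule: class='CONNECT', database='postgres'.
SAMPLE_LOG = """\
LOG:  AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,,,[local],[unknown],,0,00000,connection received: host=[local],,,,,
LOG:  connection received: host=[local]
LOG:  AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,postgres,postgres,[local],[unknown],2/1,0,00000,connection authorized: user=postgres database=postgres,,,,,
LOG:  connection authorized: user=postgres database=postgres
LOG:  AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,postgres,postgres,[local],psql,,0,00000,disconnection: session time: 0:00:00.021 user=postgres database=postgres host=[local],,,,,
LOG:  disconnection: session time: 0:00:00.021 user=postgres database=postgres host=[local]
LOG:  AUDIT: SESSION,,,CONNECT,2017-03-07 14:20:30 JST,,,[local],[unknown],,0,00000,connection received: host=[local],,,,,
LOG:  connection received: host=[local]
LOG:  connection authorized: user=postgres database=test
LOG:  disconnection: session time: 0:00:00.008 user=postgres database=test host=[local]
"""

AUDIT_RE = re.compile(r"^LOG:\s+AUDIT:\s+(.*)$")
# Positions inferred from the sample lines. Assumption: index 5 is the
# database and index 6 the user (both read "postgres" in the sample).
F_CLASS, F_DATABASE, F_MESSAGE = 3, 5, 12

def classify_connect_events(log_text, rule_database):
    """Group CONNECT audit records by how the database filter relates to them."""
    groups = {"no_database_yet": [], "matches_rule": [], "other_database": []}
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        fields = next(csv.reader([m.group(1)]))
        if fields[F_CLASS] != "CONNECT":
            continue
        database, message = fields[F_DATABASE], fields[F_MESSAGE]
        if database == "":
            # Logged before the target database is known: nothing to compare.
            groups["no_database_yet"].append(message)
        elif database == rule_database:
            groups["matches_rule"].append(message)
        else:
            groups["other_database"].append(message)
    return groups

def unaudited_authorizations(log_text):
    """Databases whose plain 'connection authorized' line has no AUDIT twin."""
    plain = re.findall(r"^LOG:\s+connection authorized: .*database=(\S+)$", log_text, re.M)
    audited = re.findall(r"^LOG:\s+AUDIT:.*connection authorized: [^,]*database=([^,\s]+)", log_text, re.M)
    return sorted(set(plain) - set(audited))
```

When reviewing audit coverage, an empty `other_database` group together with a non-empty `no_database_yet` group is the pattern described in the comment above: the filter works, and the remaining records are the ones logged before a database is known.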

harada-toshi commented 7 years ago

I understand the current operation. The issue is closed.