AI for Smarter Data Integration<\/a> ]<\/strong><\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\nEnsure the filename pattern for log files is set correctly<\/h3>\r\n\r\n\r\n\r\n Log rotation depends upon log_rotation_age or log_rotation_size and when they met, It creates a new file whose name depends upon the file name pattern<\/p>\r\n\r\n\r\n\r\n
The default in many versions of Postgres is postgresql-%a.log<\/strong> , which creates a new log file for each day of the week (e.g. postgresql-Mon.log , postgresql-Tue.log<\/strong> ).<\/p>\r\n\r\n\r\n\r\nThus it should be set to postgresql-%Y%m%d.log<\/strong> (recommend).<\/p>\r\n\r\n\r\n\r\nOR<\/p>\r\n\r\n\r\n\r\n
postgresql-%Y-%m-%d_%H%M%S.log<\/strong><\/p>\r\n\r\n\r\n\r\nshow log_min_duration_statement;<\/pre>\r\n\r\n\r\n\r\nFigure 17: Output of psql statementFigure 18: Output of ls-ls in \/var\/log\/pg_log<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\nEnsure the maximum log file lifetime is set correctly<\/h3>\r\n\r\n\r\n\r\n When logging_collector is enabled, the log_rotation_age parameter determines the maximum lifetime of an individual log file. Once maximum log file lifetime is met, automatic log file rotation will occur.<\/p>\r\n\r\n\r\n\r\n
Default:- It is set to 1d<\/strong><\/p>\r\n\r\n\r\n\r\nshow log_rotation_age;<\/pre>\r\n\r\n\r\n\r\nIt should be set to 1 hour.<\/p>\r\n\r\n\r\n\r\nFigure 19: Output of psql statementLet’s say Opstree bank is using Postgres. It generates a hefty amount of statements or queries by customer. If the rotation age is 1 day. Then we have a single log file for the entire day. It will be difficult for them to look for specific queries when required. Instead, what they will do they will want to rotate file hourly. <\/strong><\/p>\r\n\r\n\r\n\r\nInstead of having one single file for the entire day. Now we have 12 hourly log files for the entire day.<\/strong><\/p>\r\n\r\n\r\n\r\nEnsure the maximum log file size is set correctly<\/h3>\r\n\r\n\r\n\r\n The log_rotation_size setting determines the maximum size of an individual log file. Once the maximum size of the log file is reached, automatic log file rotation will occur.<\/p>\r\n\r\n\r\n\r\n
Default: Based on Postgres versions it can vary differently<\/strong>.<\/p>\r\n\r\n\r\n\r\nMake sure it is not set to 0 which means disabled. This will prevent automatic log file rotation when files become too large.<\/p>\r\n\r\n\r\n\r\n
It should be set to 1 GB as per CIS.<\/strong><\/p>\r\n\r\n\r\n\r\nshow log_rotation_age;<\/pre>\r\n\r\n\r\n\r\nFigure 20: Output of psql statementSo if the file size is greater than the specified value it will create a new file.<\/p>\r\n\r\n\r\n\r\n
To show you an example we have deliberately set log_rotation_size to 50 MB.<\/strong><\/p>\r\n\r\n\r\n\r\nFigure 21: Set 50 Mb to show an example.Figure 22: Ensure ‘log_checkpoints’ is enabled<\/h3>\r\n\r\n\r\n\r\n A checkpoint is a point in the transaction log sequence wherein all the data files have been updated to reflect the information in the log.\u00a0<\/p>\r\n\r\n\r\n\r\n
When a crash happens, the latest checkpoint record is determined in the log from where it should start the REDO operation.<\/p>\r\n\r\n\r\n\r\n
Default:- It is disabled or off<\/strong>.<\/p>\r\n\r\n\r\n\r\nshow log_checkpoints ;<\/pre>\r\n\r\n\r\n\r\nFigure 23: Output of log_checkpointFigure 24: Ensure ‘log_error_verbosity’ is set correctly<\/h3>\r\n\r\n\r\n\r\n It specifies the verbosity (amount of detail) to be logged of an error message.<\/p>\r\n\r\n\r\n\r\n
When a statement is executed which eventually results in an error. This parameter specifies Postgres to log level of information along with error.<\/p>\r\n\r\n\r\n\r\n
By default, it is set to default<\/strong> (log error statement).<\/p>\r\n\r\n\r\n\r\nshow log_error_verbosity ;<\/pre>\r\n\r\n\r\n\r\nFigure 25: Output of psql statementOther values:<\/p>\r\n\r\n\r\n\r\n
\r\nTERSE<\/strong>:- It displays limited information like sql statement which generated error.<\/li>\r\nVERBOSE<\/strong>:- It shows us error code, source file name, function name where it failed, and line number<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\nIt should be set to verbose<\/strong> as per CIS but organizations should discuss and set what will be better for their case.<\/p>\r\n\r\n\r\n\r\nI have executed an error statement.\r\nshow log_error_verbosityasd ;<\/pre>\r\n\r\n\r\n\r\nFigure 26: Output of default. It logs only statement.What verbose level logs.<\/p>\r\n\r\n\r\n\r\nFigure 27: Here you can see it logs various info from ERROR Type, STATEMENT to LOCATION<\/em><\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\nPostgreSQL Logging Quick Summary:-<\/strong><\/p>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nCheck Name<\/td>\r\n Default Value<\/td>\r\n Recommended Value<\/td>\r\n<\/tr>\r\n \r\nENSURE THE LOG FILE DESTINATION DIRECTORY IS SET CORRECTLY<\/td>\r\n Depend on version<\/td>\r\n Log Directory should be set.<\/td>\r\n<\/tr>\r\n \r\nEnsure ‘log_connections’ is enabled<\/td>\r\n off<\/td>\r\n on<\/td>\r\n<\/tr>\r\n \r\nEnsure \u2018log_disconnections\u2019 is enabled<\/td>\r\n off<\/td>\r\n on<\/td>\r\n<\/tr>\r\n \r\nEnsure the log file permissions are set correctly<\/td>\r\n 600<\/td>\r\n 600<\/td>\r\n<\/tr>\r\n \r\nEnsure \u2018log_statement\u2019 is set correctly<\/td>\r\n none<\/td>\r\n ddl<\/td>\r\n<\/tr>\r\n \r\nEnsure \u2018log_duration\u2019 is enabled<\/td>\r\n off<\/td>\r\n on<\/td>\r\n<\/tr>\r\n \r\nEnsure \u2018log_min_duration_statement\u2019 is disabled<\/td>\r\n -1<\/td>\r\n -1<\/td>\r\n<\/tr>\r\n \r\nEnsure the filename pattern for log files is set correctly<\/td>\r\n Depend postgresql-%Y%m%d.log \r\nEnsure the maximum log file lifetime is set correctly<\/td>\r\n 1d<\/td>\r\n 1h<\/td>\r\n<\/tr>\r\n \r\nEnsure the maximum log file size is set correctly<\/td>\r\n Depend upon version<\/td>\r\n 1GB<\/td>\r\n<\/tr>\r\n \r\nEnsure \u2018log_checkpoints\u2019 is enabled<\/td>\r\n off<\/td>\r\n on<\/td>\r\n<\/tr>\r\n \r\nEnsure \u2018log_error_verbosity\u2019 is set correctly<\/td>\r\n default<\/td>\r\n verbose<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\nTable 1: Quick Summary of PostgreSQL Logging<\/em><\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\nDirectory and File Permission<\/h2>\r\n\r\n\r\n\r\nEnsure the file permissions mask is correct<\/h3>\r\n\r\n\r\n\r\n As we know when a file or directory is created, its permission depends upon the umask value. Therefore this umask value should be set to restrict group and other permission.<\/p>\r\n\r\n\r\n\r\n
By default, it is 002.<\/strong><\/p>\r\n\r\n\r\n\r\nIt should be set to 077. Which will restrict groups and other users from read and write permissions.<\/strong><\/p>\r\n\r\n\r\n\r\nFigure 28:
![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-1.png?w=459\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-3.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-4.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-5.png?w=443\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-9.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-7.png?w=555\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-10.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-11.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-12.png?w=365\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-13.png?w=757\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-15.png?w=480\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-16.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-18.png?w=606\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-17.png?w=926\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-22.png?w=400\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-20.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-21.png?w=307\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-40.png\")
![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-25.png?w=359\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-27.png?w=349\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-32.png?w=329\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-31.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-34.png?w=368\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-33.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-37.png?w=352\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-36.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-38.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/01\/image-39.png?w=576\")
\r\n