Auditing

Crunchy Bridge has two types of audit logs to help with compliance:

Account-level auditing

All primary actions against a team and Postgres instance within Crunchy Bridge are automatically audited. Audited events include:

  • Provisioning and deprovisioning
  • Resizing instances
  • Upgrading Postgres
  • Logging into Crunchy Bridge
  • Inviting others to a team
  • Creating and removing log destinations
  • Creating and removing firewall rules
  • Viewing database connection credentials

You can view audit logs for all of a Team's clusters under the Settings tab at the Team level. Audit logs for a single cluster are also visible in the Settings tab at the cluster level. You can also retrieve audit logs using the API.

Database-level auditing

In addition to account-level audit logs, Crunchy Bridge provides auditing of database roles and activities using pgAudit, which is the same tooling used to ensure CIS Benchmark compliance for PostgreSQL. Auditing of all commands for your database is enabled by default for the postgres user role and individual user accounts for Crunchy Bridge.

Info

The application user for your database will not have auditing enabled by default. This is to reduce verbosity. However, you can enable it with the postgres role. See user management for more details.

Customizing Postgres auditing

By default, pgAudit is configured to log all commands run by the specified users. You can customize the level of auditing for a specific role by executing ALTER ROLE and setting the desired log level.
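The following is an added example, not taken from the Crunchy Bridge documentation, showing per-role customization with pgAudit's pgaudit.log setting and how to verify what is stored. The role names app_reporting and application are assumptions; run the statements as the postgres role.

```sql
-- Role names (app_reporting, application) are assumed for illustration.
-- pgaudit.log takes a comma-separated list of statement classes:
-- read, write, function, role, ddl, misc, misc_set, all, none.

-- Turn on auditing for the application role, limited to data
-- modification and schema changes to keep log volume manageable.
ALTER ROLE application SET pgaudit.log = 'write, ddl';

-- Audit a reporting role only for schema and privilege changes,
-- so routine SELECT traffic does not drown out the events that matter.
ALTER ROLE app_reporting SET pgaudit.log = 'ddl, role';

-- Per-role settings take effect for new sessions only.
-- List every role that carries a stored pgAudit override:
SELECT r.rolname, s.setconfig
FROM pg_db_role_setting AS s
JOIN pg_roles AS r ON r.oid = s.setrole
WHERE s.setconfig::text LIKE '%pgaudit.%'
ORDER BY r.rolname;

-- After reconnecting as the role, confirm the effective value:
SHOW pgaudit.log;

-- Remove the override so the role falls back to the configured default:
ALTER ROLE app_reporting RESET pgaudit.log;
```

Reviewing the pg_db_role_setting output periodically helps catch a role whose auditing was narrowed or disabled without a matching change record.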

Log retention and formatting

Crunchy Bridge retains a small portion of recent logs. These are available through the CLI with the cb logs command. For longer-term retention, we recommend sending your logs to a third-party logging provider.

Audit logs are tagged with a log_parameter prefix so you can search and filter these from other log content. The default is <not logged> but you can customize this and other formatting options.