Auditing
Crunchy Bridge has two types of audit logs to help with compliance:
- Account-level audit logs for crunchybridge.com
- Database-level audit logs via pgAudit, which is enabled by default
Account-level logs
All primary actions against a team and Postgres instance within Crunchy Bridge are automatically logged. Logged events include:
- Provisioning and deprovisioning
- Resizing instances
- Upgrading Postgres
- Inviting others to a team
- Creating and removing log destinations
- Creating and removing firewall rules
- Viewing database connection credentials
You can view audit logs for all of a Team's clusters under the Settings tab at the Team level. Audit logs for a single cluster are also visible in the Settings tab at the cluster level. You can also retrieve audit logs using the API.
Database-level logs
In addition to account-level logs, Crunchy Bridge provides logging of
database roles and activities using
pgAudit, which is the same tooling used to
ensure CIS Benchmark compliance for PostgreSQL. Logging of all commands for
your database is enabled by default for the postgres user role and individual
user accounts for Crunchy Bridge.
Info
The application user for your database will not save logs
by default. This is to reduce verbosity. However, you can enable it with the
postgres role. See user management for more details.
Customizing Postgres logs
By default, pgAudit is configured to log all commands run by the specified
users. You can customize the level of logging for a specific role by executing
ALTER ROLE and setting the desired
log level.
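As an added illustration (not taken from the Crunchy Bridge documentation), the statements below show per-role pgAudit tuning with ALTER ROLE, including turning logging on for the application role mentioned in the note above. The role names application, reporting_ro and analyst are assumptions; the pgaudit.log setting and its class names come from pgAudit itself.

```sql
-- Added example. Run while connected as the postgres role.
-- Role names (application, reporting_ro, analyst) are assumed for illustration.

-- Enable audit logging for the application role, limited to schema changes,
-- role/privilege changes and data modification to keep volume manageable.
ALTER ROLE application SET pgaudit.log = 'ddl, role, write';

-- A read-only reporting role: keep DDL and privilege changes, skip statement reads.
ALTER ROLE reporting_ro SET pgaudit.log = 'ddl, role';

-- An individual user: log every class except MISC (DISCARD, FETCH, VACUUM, ...).
-- A leading "-" subtracts a class from the list.
ALTER ROLE analyst SET pgaudit.log = 'all, -misc';

-- Review which roles carry a pgAudit override. Role-level settings are stored
-- in pg_roles.rolconfig as an array of "name=value" strings.
SELECT r.rolname, c.setting
FROM pg_roles AS r
CROSS JOIN LATERAL unnest(r.rolconfig) AS c(setting)
WHERE c.setting LIKE 'pgaudit.%'
ORDER BY r.rolname;

-- Drop an override so the role falls back to the inherited default.
ALTER ROLE reporting_ro RESET pgaudit.log;
```

Settings applied with ALTER ROLE take effect for new sessions only, so existing connections (including pooled ones) keep their previous audit level until they reconnect.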
Log retention and formatting
Crunchy Bridge retains a small portion of recent logs. These are available
through the CLI with the cb logs command. For longer-term retention we recommend
sending your logs to a third-party logging provider.
Audit logs are tagged with a log_parameter prefix so you can search and filter
these from other log content. The default is <not logged> but you can
customize this and other
formatting options.