Auditing

Crunchy Bridge provides two forms of audit logs to help with compliance: account-level audit logs for crunchybridge.com, and database-level logs via pgAudit, which is enabled by default.

Account auditing

All primary actions against a team and Postgres instance within Crunchy Bridge are automatically audited. Audited events include:

  • Provisioning and deprovisioning
  • Resizing instances
  • Upgrading Postgres
  • Logging into Crunchy Bridge
  • Inviting others to a team
  • Creating and removing log destinations
  • Creating and removing firewall rules
  • Viewing database connection credentials

Audit logs are visible to all team members, either per cluster or for the team as a whole. You can retrieve your audit logs from the API or directly from within the settings of a specific team or cluster.

Database auditing

In addition to account-level auditing, Crunchy Bridge provides out-of-the-box auditing of database roles and activities. pgAudit is the mechanism used to provide this level of auditing; it is the same tooling used to ensure CIS Benchmark compliance for PostgreSQL. Auditing of all commands for your database is enabled by default for the postgres user role and for individual user accounts for Crunchy Bridge. For more details, please read further on user management.

Note: the application user for your database does not have auditing enabled, to reduce verbosity. If you explicitly need this role audited, you can enable auditing for it using the postgres role.

Customizing Postgres auditing

By default, pgAudit is configured to log all commands run by the specified users. You can customize the level of auditing for a specific role by executing ALTER ROLE and setting the desired log level.
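
The following is an added example, not taken from the Crunchy Bridge documentation, showing per-role tuning of pgAudit with ALTER ROLE and how to verify the result. The role names application and reporting_user are assumptions; substitute the roles that exist in your cluster.

```sql
-- Run while connected as the postgres role.
-- Role names below (application, reporting_user) are assumed for
-- illustration and may differ in your cluster.

-- 1. List roles that currently carry a per-role pgAudit override.
--    pg_db_role_setting holds settings applied with ALTER ROLE ... SET.
SELECT r.rolname, s.setconfig
FROM pg_db_role_setting AS s
JOIN pg_roles AS r ON r.oid = s.setrole
WHERE EXISTS (
    SELECT 1
    FROM unnest(s.setconfig) AS c
    WHERE c LIKE 'pgaudit.%'
);

-- 2. Turn auditing on for the application role, limited to the
--    statement classes that change schema, privileges, or data.
--    This keeps SELECT traffic out of the log to limit verbosity.
ALTER ROLE application SET pgaudit.log = 'ddl, role, write';

-- 3. Narrow an individually audited user from "everything" to
--    everything except reads. A leading "-" subtracts a class.
ALTER ROLE reporting_user SET pgaudit.log = 'all, -read';

-- 4. Role-level settings apply to new sessions only. Reconnect as
--    the target role, then confirm the effective value:
SHOW pgaudit.log;

-- 5. Remove the per-role override and return to the role's default.
ALTER ROLE reporting_user RESET pgaudit.log;
```

Sessions that were already open when the ALTER ROLE ran keep their previous audit level until they reconnect, so check the setting from a fresh connection before relying on it for compliance evidence.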

Log retention

Crunchy Bridge keeps a small portion of recent logs available in the CLI with the cb logs command. For longer-term retention, we recommend sending your logs to a third-party logging provider. Audit logs will be tagged with a log_parameter prefix so you can search and filter these from other log content. The default log_parameter is not logged.