Crunchy Bridge has two types of audit logs to help with compliance:
- Account-level audit logs for crunchybridge.com
- Database-level audit logs via pgAudit, which is enabled by default
All primary actions against a team and Postgres instance within Crunchy Bridge are automatically audited. Audited events include:
- Provisioning and deprovisioning
- Resizing instances
- Upgrading Postgres
- Logging into Crunchy Bridge
- Inviting others to a team
- Creating and removing log destinations
- Creating and removing firewall rules
- Viewing database connection credentials
You can view audit logs for all of a Team’s clusters under the Settings tab at the Team level. Audit logs for a single cluster are also visible in the Settings tab at the cluster level. You can also retrieve audit logs using the api.
In addition to account-level audit logs, Crunchy Bridge provides auditing of database roles and activities using pgAudit, which is the same tooling used to ensure CIS Benchmark compliance for PostgreSQL. Auditing of all commands for your database is enabled by default for the
postgres user role and individual user accounts for Crunchy Bridge.
ℹ️ InfoThe application user for your database will not have auditing enabled by default. This is to reduce verbosity. However, you can enable it with the
postgresrole. See user management for more details.
Customizing Postgres auditing
By default, pgAudit is configured to log all commands run by the specified users. You can customize the level of auditing for a specific role by executing
ALTER ROLE and setting the desired log level.
Log retention and formatting
Crunchy Bridge retains a small portion of recent logs. These are available through the CLI with the
cb logs. For longer-term retention we recommend sending your logs to a third party logging provider.
Audit logs are tagged with a
log_parameter prefix so you can search and filter these from other log content. The default is
<not logged> but you can customize this and other formatting options.