5.2.4 Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server

Information

Ensure logfiles.retention_days on PostgreSQL flexible servers is set to an appropriate value.

Rationale:

Configuring logfiles.retention_days determines the duration in days that Azure Database for PostgreSQL retains log files. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.

Impact:

Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy a large amount of disk space. In this case you may want to set this to a lower number.

Solution

Remediate from Azure Portal

From Azure Home select the Portal Menu.

Go to Azure Database for PostgreSQL flexible servers.

For each database, under Settings, click Server parameters.

In the filter bar, type logfiles.retention_days.

Input a value between 4 and 7 (inclusive).

Click Save.

Remediate from Azure CLI
Use the below command to update logfiles.retention_days configuration:

az postgres flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name logfiles.retention_days --value <4-7>

Remediate from Powershell
Use the below command to update logfiles.retention_days configuration:

Update-AzPostgreSqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name logfiles.retention_days -Value <4-7>

Default Value:

By default logfiles.retention_days is set to 3.

See Also

https://workbench.cisecurity.org/benchmarks/16820

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv7|6.4

Plugin: microsoft_azure

Control ID: f10ecf045a58668d45798e195c8332c205d757558f0ed8e5dbf93889bb133d53