3.1.13 Ensure the correct SQL statements generating errors are recorded

Information

The log_min_error_statement setting causes all SQL statements generating errors at or above the specified severity level to be recorded in the server log. Each level includes all the levels that follow it. The lower the level (vertically, below), the fewer messages are recorded. Valid values are:
* DEBUG5 <-- exceedingly chatty
* DEBUG4
* DEBUG3
* DEBUG2
* DEBUG1
* INFO
* NOTICE
* WARNING
* ERROR
* LOG
* FATAL
* PANIC <-- practically mute
ERROR is considered the best practice setting. Changes should only be made in accordance with your organization's logging policy.

Note: To effectively turn off logging of failing statements, set this parameter to PANIC.

Rationale:

If this is not set to the correct value, too many erring SQL statements or too few erring SQL statements may be written to the server log.

Solution

Execute the following SQL statement(s) as superuser to remediate this setting (in the example, to error):


postgres=# alter system set log_min_error_statement = 'error';
ALTER SYSTEM
postgres=# select pg_reload_conf();
 pg_reload_conf
----------------
 t
(1 row)
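
To confirm the change took effect, the following queries can be run as superuser. They are an added example, not part of the benchmark text, and assume PostgreSQL 9.5 or later and a policy level of 'error' (replace that literal to match your organization's logging policy).

```sql
-- 1. Effective value, where it was set, and a verdict against the policy
--    level. The array repeats the severity order listed on this page.
WITH lv AS (
  SELECT ARRAY['debug5','debug4','debug3','debug2','debug1','info',
               'notice','warning','error','log','fatal','panic'] AS ord
)
SELECT s.setting, s.source, s.sourcefile, s.sourceline,
       CASE
         WHEN array_position(lv.ord, s.setting) = array_position(lv.ord, 'error')
           THEN 'matches policy'
         WHEN array_position(lv.ord, s.setting) > array_position(lv.ord, 'error')
           THEN 'too quiet: statements failing at the policy level are not logged'
         ELSE 'more verbose than policy'
       END AS verdict
FROM pg_settings s, lv
WHERE s.name = 'log_min_error_statement';

-- 2. Every entry for the parameter in the configuration files, including
--    postgresql.auto.conf written by ALTER SYSTEM. applied = false means a
--    later entry wins or the value has not been loaded; error explains why.
SELECT sourcefile, sourceline, seqno, setting, applied, error
FROM pg_file_settings
WHERE name = 'log_min_error_statement'
ORDER BY seqno;

-- 3. Per-database and per-role overrides (ALTER DATABASE/ROLE ... SET).
--    Any row returned takes precedence over the system-wide value for the
--    matching sessions, so it should also satisfy the policy.
SELECT coalesce(d.datname, '(all databases)') AS database,
       coalesce(r.rolname, '(all roles)')     AS role,
       cfg                                    AS override
FROM pg_db_role_setting s
LEFT JOIN pg_database d ON d.oid = s.setdatabase
LEFT JOIN pg_roles r    ON r.oid = s.setrole
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE split_part(cfg, '=', 1) = 'log_min_error_statement';
```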

Default Value:

ERROR

See Also

https://workbench.cisecurity.org/files/2407

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv6|6, CSCv7|6.4

Plugin: PostgreSQLDB

Control ID: 33de515fca1083837b4824352701049211a30cc46ac6839acab45a3880573121