diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 353d4e808a..6150e57d71 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -6860,6 +6860,13 @@ local0.* /var/log/postgresql What to Log + + + What you choose to log can have security implications; see + . + + + @@ -7458,6 +7465,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' planning). Set log_min_error_statement to ERROR (or lower) to log such statements. + + Logged statements might reveal sensitive data and even contain + plaintext passwords. + diff --git a/doc/src/sgml/maintenance.sgml b/doc/src/sgml/maintenance.sgml index a209a63304..759ea5ac9c 100644 --- a/doc/src/sgml/maintenance.sgml +++ b/doc/src/sgml/maintenance.sgml @@ -977,7 +977,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu It is a good idea to save the database server's log output somewhere, rather than just discarding it via /dev/null. The log output is invaluable when diagnosing - problems. However, the log output tends to be voluminous + problems. + + + + + The server log can contain sensitive information and needs to be protected, + no matter how or where it is stored, or the destination to which it is routed. + For example, some DDL statements might contain plaintext passwords or other + authentication details. Logged statements at the ERROR + level might show the SQL source code for applications + and might also contain some parts of data rows. Recording data, events and + related information is the intended function of this facility, so this is + not a leakage or a bug. Please ensure the server logs are visible only to + appropriately authorized people. + + + + + Log output tends to be voluminous (especially at higher debug levels) so you won't want to save it indefinitely. You need to rotate the log files so that new log files are started and old ones removed after a reasonable
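Review bot: In the first config.sgml hunk (@@ -6860, under "What to Log"), the added note says only that what you log "can have security implications" and leaves the reason entirely to the cross-reference. Suggest naming the risk in the same sentence, for example that logged statements can contain plaintext passwords and parts of data rows, as the maintenance.sgml text in this patch puts it. A reader who does not follow the link then still sees why it matters. Please also confirm that the reference resolves to the new paragraph added in maintenance.sgml.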
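Review bot: In the second config.sgml hunk (@@ -7458), the new sentence "Logged statements might reveal sensitive data and even contain plaintext passwords" carries no pointer to the fuller explanation this patch adds in maintenance.sgml, unlike the note under "What to Log". Suggest ending it with a reference to that section. The wording also differs between the two files: here any logged statement is implicated, while maintenance.sgml narrows the password case to "some DDL statements". Pick one formulation and use it in both places.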
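Review bot: In the maintenance.sgml hunk (@@ -977), the new paragraph asks the reader to keep the server logs "visible only to appropriately authorized people" but gives no indication of how to do that. Suggest pointing to the logging configuration that governs where the log goes and who can read it (for file-based logging, the log_file_mode setting), so the warning comes with an action. Two wording points in the same paragraph: "this is not a leakage or a bug" reads better as "this is not a leak or a bug", and "Please ensure" is out of register for reference documentation, so "Ensure that the server logs are visible only to ..." would fit the surrounding text. The phrase "no matter how or where it is stored, or the destination to which it is routed" also says the same thing twice and could be shortened.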