Profile Applicability:

  • Level 1

Description:

The log_min_messages flag controls which message severity levels PostgreSQL writes to the server log. Valid severity levels, from lowest (most verbose) to highest, are:

  • DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1

  • INFO

  • NOTICE

  • WARNING

  • ERROR

  • LOG

  • FATAL

  • PANIC

Each level includes all the levels that follow it, so the later the level, the fewer messages are logged (for example, WARNING logs WARNING, ERROR, LOG, FATAL and PANIC messages but drops NOTICE, INFO and DEBUG output). The recommended value for this flag is WARNING, which ensures that warnings and errors are logged without the noise of NOTICE and DEBUG messages. Any deviation should follow the organization's logging policy.

Rationale:

Proper logging of error messages is crucial for troubleshooting and forensic investigations. Setting log_min_messages to WARNING ensures that essential messages are logged while avoiding an overload of unnecessary information. This improves the ability to identify critical issues without sifting through verbose logs. However, organizations may adjust the setting to meet their specific security and operational needs.

Impact:

  • Setting the flag to a low severity (e.g., DEBUG) may lead to excessive logs, increasing storage requirements and complicating error identification.

  • Setting the flag to a higher severity (e.g., PANIC) may suppress important error messages, hindering troubleshooting efforts.

  • Changes to custom flags via the command line may overwrite existing flags, potentially causing unforeseen issues. Changes should be made during periods of low activity.

Default Value:

By default, the log_min_messages flag is set to ERROR.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

  2. Select the PostgreSQL instance to view its Instance Overview.

  3. Go to the Configuration card.

  4. Verify that the log_min_messages flag is set to WARNING, or to a more verbose level (NOTICE, INFO or DEBUG) if the organization's logging policy requires it. A value of ERROR or above, or an absent flag (which leaves the default in effect), does not meet this recommendation.

Using Google Cloud CLI:

Verify the log_min_messages value for each PostgreSQL instance (the command prints nothing when the flag is not set, in which case the default applies):

gcloud sql instances describe [INSTANCE_NAME] --format=json | jq -r '(.settings.databaseFlags // [])[] | select(.name=="log_min_messages") | .value'
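The following script, added here as an example and not part of the original benchmark text, audits every PostgreSQL instance in the active gcloud project rather than one instance at a time. It encodes PostgreSQL's severity order so that the compliance decision is "does this threshold still log WARNING messages?", which also accepts more verbose settings such as NOTICE. It assumes gcloud is authenticated and jq is installed; the AUDIT_RUN variable and the function names (rank_of, would_log, is_compliant, flag_value, audit_project) are this example's own. An unset flag is treated as the page's stated default of ERROR.

```shell
#!/bin/sh
# Added example (not from the original page): audit log_min_messages on every
# Cloud SQL PostgreSQL instance in the active gcloud project. Assumes gcloud is
# authenticated and jq is installed; the severity order is PostgreSQL's own.

# PostgreSQL severity levels for log_min_messages, lowest to highest. Setting a
# threshold logs that level and every level after it in this list.
LEVELS="DEBUG5 DEBUG4 DEBUG3 DEBUG2 DEBUG1 INFO NOTICE WARNING ERROR LOG FATAL PANIC"

# rank_of LEVEL: print the 1-based position of LEVEL (case-insensitive);
# return 1 and print nothing for an unknown name.
rank_of() {
  wanted=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  i=1
  for l in $LEVELS; do
    if [ "$l" = "$wanted" ]; then
      echo "$i"
      return 0
    fi
    i=$((i + 1))
  done
  return 1
}

# would_log THRESHOLD LEVEL: succeed if a message at LEVEL reaches the log
# when log_min_messages=THRESHOLD.
would_log() {
  t=$(rank_of "$1") || return 1
  m=$(rank_of "$2") || return 1
  [ "$m" -ge "$t" ]
}

# is_compliant VALUE: succeed when the configured value still logs WARNING
# messages. An empty VALUE means the flag is unset; the page states the Cloud
# SQL default is ERROR, so that case is treated as non-compliant (assumption).
is_compliant() {
  would_log "${1:-ERROR}" WARNING
}

# flag_value INSTANCE: print the configured log_min_messages, or nothing if
# the flag is absent (the // [] guard avoids a jq error when no flags exist).
flag_value() {
  gcloud sql instances describe "$1" --format=json \
    | jq -r '(.settings.databaseFlags // [])[] | select(.name=="log_min_messages") | .value'
}

# audit_project: report PASS/FAIL per PostgreSQL instance; return 1 if any
# instance fails so the script can gate a pipeline.
audit_project() {
  rc=0
  for inst in $(gcloud sql instances list --filter='databaseVersion~^POSTGRES' --format='value(name)'); do
    v=$(flag_value "$inst")
    if is_compliant "$v"; then
      echo "PASS $inst log_min_messages=${v:-<unset>}"
    else
      echo "FAIL $inst log_min_messages=${v:-<unset>}"
      rc=1
    fi
  done
  return "$rc"
}

# Run the audit only when explicitly requested, e.g. AUDIT_RUN=1 sh audit.sh
if [ "${AUDIT_RUN:-0}" = 1 ]; then
  audit_project
fi
```

Because the check is expressed as "would a WARNING be logged under this threshold", a policy that mandates NOTICE or DEBUG1 passes, while ERROR, LOG, FATAL, PANIC and an unset flag fail; adjust is_compliant if the organization's policy fixes a different floor.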

Remediation Steps:

Using Google Cloud Console:

  1. Go to the Cloud SQL Instances page.

  2. Select the PostgreSQL instance that requires configuration.

  3. Click Edit.

  4. Scroll to the Flags section.

  5. If the log_min_messages flag is not already set, click Add a Database Flag, choose log_min_messages from the dropdown menu, and set it to WARNING (or to a more verbose level required by the organization's logging policy). If it is already set to ERROR or above, change it to WARNING.

  6. Click Save.

  7. Verify the change under the Flags section on the Overview page.

Using Google Cloud CLI:

Configure the log_min_messages flag for a PostgreSQL instance:

gcloud sql instances patch [INSTANCE_NAME] --database-flags log_min_messages=WARNING

Note: This command replaces the instance's entire set of database flags. To retain existing flags, list every one of them alongside the new flag as a comma-separated value, for example --database-flags [EXISTING_FLAG]=[VALUE],log_min_messages=WARNING. Enumerate the current flags with the describe command from the Audit Steps before patching.
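Because the patch command replaces the whole flag set, a safe remediation reads the current flags first and merges the new value in. The script below is an added example, not part of the original benchmark text or of Google's tooling; it assumes gcloud is authenticated, jq is installed, and that flag values contain no commas. The REMEDIATE_INSTANCE variable and the function names (current_flags, merge_flags, remediate) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): set log_min_messages=WARNING
# without dropping the instance's other database flags, since
# `gcloud sql instances patch --database-flags` replaces the whole set.
# Assumes gcloud is authenticated and jq is installed.

# current_flags INSTANCE: print "name=value,name=value" for every configured
# flag, or an empty line when none are set.
current_flags() {
  gcloud sql instances describe "$1" --format=json \
    | jq -r '[(.settings.databaseFlags // [])[] | "\(.name)=\(.value)"] | join(",")'
}

# merge_flags EXISTING NEW: print EXISTING (comma-separated name=value pairs)
# with NEW replacing an existing entry of the same name, or appended if absent.
# Assumes no flag value contains a comma; a value that does would need
# gcloud's alternate-delimiter form (--database-flags '^:^a=1:b=x,y').
merge_flags() {
  existing=$1
  new=$2
  name=${new%%=*}
  out=""
  found=0
  old_ifs=$IFS
  IFS=,
  for kv in $existing; do
    if [ -z "$kv" ]; then
      continue
    fi
    if [ "${kv%%=*}" = "$name" ]; then
      kv=$new
      found=1
    fi
    out="${out:+$out,}$kv"
  done
  IFS=$old_ifs
  if [ "$found" -eq 0 ]; then
    out="${out:+$out,}$new"
  fi
  printf '%s\n' "$out"
}

# remediate INSTANCE: compute the merged flag list and apply it in one patch,
# echoing the list first so the operator can see what will be written.
remediate() {
  inst=$1
  flags=$(merge_flags "$(current_flags "$inst")" "log_min_messages=WARNING")
  echo "Applying to $inst: $flags"
  gcloud sql instances patch "$inst" --database-flags "$flags"
}

# Apply only when an instance is named, e.g. REMEDIATE_INSTANCE=prod-pg sh remediate.sh
if [ -n "${REMEDIATE_INSTANCE:-}" ]; then
  remediate "$REMEDIATE_INSTANCE"
fi
```

Run it during a low-activity window as the Impact section advises; the echoed flag list is the record to compare against the instance's Flags section afterwards.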

Backout Plan:

Step 1: Revert log_min_messages to Its Previous Value If Needed

gcloud sql instances patch [INSTANCE_NAME] --database-flags "log_min_messages=NOTICE"

Replace NOTICE with whatever value was configured before the change, and include the instance's other database flags in the same command, since the patch replaces all of them.

Step 2: Notify Security and Operations Teams

  • Inform security and database teams before making further changes.

Step 3: Restore from Backup (If Necessary)

  • If setting log_min_messages=WARNING causes operational issues that reverting the flag does not resolve, restore the PostgreSQL instance from a backup.

References:

  1. Google Cloud SQL PostgreSQL Flags Documentation

  2. PostgreSQL Runtime Configuration Logging

Additional Information:

  • Adjusting the log_min_messages flag does not require a Cloud SQL instance restart.

  • Some database flag changes may affect instance availability or stability and could void the Cloud SQL SLA. Review operational guidelines for more details.

  • Organizations should periodically review logging settings to ensure compliance with security policies and operational needs.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
8.5 Collect Detailed Audit Logs | Enable detailed logging to capture sensitive data-related events, including source, timestamp, and user information. | | |
6.3 Enable Detailed Logging | Configure logging to include essential event details such as date, user, and source/destination addresses. | | |