Profile Applicability:
- Level 1
Description:
The log_min_error_statement flag defines the minimum severity level of messages that PostgreSQL will treat as error statements. Messages for error statements are logged along with the SQL statement. Valid severity levels (from lowest to highest) include:
DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1
INFO
NOTICE
WARNING
ERROR
LOG
FATAL
PANIC
Each severity level includes messages of higher severity. To ensure proper error classification and auditing, it is recommended to set log_min_error_statement to ERROR or stricter.
Rationale:
Proper configuration of the log_min_error_statement flag allows accurate identification and logging of error messages and associated SQL statements. This improves troubleshooting and forensic analysis by ensuring critical errors are captured without excessive logging of less relevant information. Setting this flag to ERROR or stricter aligns with best practices for logging and auditing database activity.
Impact:
Setting the flag to a less restrictive value (e.g., INFO) may result in excessive logging, increasing storage requirements and making it difficult to identify critical errors.
Setting the flag to a more restrictive value (e.g., FATAL) may exclude essential error messages, hindering effective troubleshooting.
Adjusting custom flags via command-line tools may overwrite existing flags, leading to potential configuration loss or instance restarts. It is recommended to make changes during low-usage periods.
Default Value:
By default, the log_min_error_statement flag is set to ERROR.
Audit Steps:
Using Google Cloud Console:
Go to the Cloud SQL Instances page.
Select the PostgreSQL instance to view its Instance Overview page.
Under the Configuration card, check the value of the log_min_error_statement flag. Ensure it is set to ERROR or stricter.
Using Google Cloud CLI:
Verify the log_min_error_statement flag for each PostgreSQL instance:
gcloud sql instances describe [INSTANCE_NAME] --format=json | jq '.settings.databaseFlags[] | select(.name=="log_min_error_statement")|.value'
Remediation Steps:
Using Google Cloud Console:
Navigate to the Cloud SQL Instances page.
Select the PostgreSQL instance that requires configuration.
Click Edit.
Scroll to the Flags section.
If the log_min_error_statement flag is not already set, click Add item, choose log_min_error_statement from the dropdown menu, and set it to ERROR or stricter.
Click Save.
Verify the changes under the Flags section on the Overview page.
Using Google Cloud CLI:
Configure the log_min_error_statement flag for a PostgreSQL instance:
gcloud sql instances patch [INSTANCE_NAME] --database-flags log_min_error_statement=ERROR
Note: This command overwrites previously set database flags. To retain existing flags, include them in the command along with the new flag.
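The audit and remediation steps above can be scripted against the JSON that `gcloud sql instances describe --format=json` returns. The following is an added example, not part of the benchmark text: it reads the flag from a constructed sample of that JSON, decides compliance using the severity order documented above (an unset flag counts as the ERROR default), and builds a `gcloud sql instances patch` command that carries every existing flag forward so the overwrite behaviour noted above does not drop them. The instance name `pg-prod-1` and the sample flags are constructed.

```python
import json
import shlex
from typing import Optional

# Severity order from lowest to highest, as documented for log_min_error_statement.
SEVERITY_ORDER = [
    "DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1",
    "INFO", "NOTICE", "WARNING", "ERROR", "LOG", "FATAL", "PANIC",
]
FLAG = "log_min_error_statement"
DEFAULT = "ERROR"   # Cloud SQL default when the flag is not set
REQUIRED = "ERROR"  # benchmark requires ERROR or stricter


def database_flags(describe_json: dict) -> dict:
    """Return all configured database flags as {name: value}."""
    entries = describe_json.get("settings", {}).get("databaseFlags") or []
    return {f["name"]: f["value"] for f in entries}


def flag_value(describe_json: dict) -> Optional[str]:
    """Return the configured value of log_min_error_statement, or None if unset."""
    return database_flags(describe_json).get(FLAG)


def is_compliant(value: Optional[str]) -> bool:
    """ERROR or stricter is compliant; an unset flag falls back to the ERROR default."""
    effective = (value or DEFAULT).upper()  # PostgreSQL accepts levels case-insensitively
    if effective not in SEVERITY_ORDER:
        return False
    return SEVERITY_ORDER.index(effective) >= SEVERITY_ORDER.index(REQUIRED)


def remediation_command(instance: str, describe_json: dict) -> str:
    """Build a patch command that keeps every existing flag and sets the required one."""
    flags = database_flags(describe_json)
    flags[FLAG] = REQUIRED
    joined = ",".join(f"{k}={v}" for k, v in sorted(flags.items()))
    return f"gcloud sql instances patch {shlex.quote(instance)} --database-flags {shlex.quote(joined)}"


# Constructed sample shaped like the output of `gcloud sql instances describe --format=json`.
SAMPLE = json.loads("""
{"name": "pg-prod-1",
 "settings": {"databaseFlags": [
   {"name": "log_connections", "value": "on"},
   {"name": "log_min_error_statement", "value": "WARNING"}]}}
""")

if __name__ == "__main__":
    value = flag_value(SAMPLE)
    print(f"{SAMPLE['name']}: {FLAG}={value!r} compliant={is_compliant(value)}")
    if not is_compliant(value):
        print(remediation_command(SAMPLE["name"], SAMPLE))
```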
Backout Plan:
Step 1: Revert log_min_error_statement to a Less Restrictive Value If Needed
gcloud sql instances patch [INSTANCE_NAME] --database-flags "log_min_error_statement=WARNING"
Step 2: Notify Security and Operations Teams
Inform security and database teams before making further changes.
Step 3: Restore from Backup (If Necessary)
If setting log_min_error_statement=ERROR causes operational issues, restore the PostgreSQL instance from a backup.
References:
Additional Information:
Modifying the log_min_error_statement flag does not require restarting the Cloud SQL instance.
Certain flag configurations may affect instance availability or stability and could void the Cloud SQL SLA. Review the Operational Guidelines before making changes.
CIS Controls: