PostgreSQL Audit Logs
PostgreSQL with pgAudit — SELECT/INSERT/UPDATE/DELETE queries with parameterized statements, connection lifecycle, authentication failures, DDL operations, role management (GRANT/REVOKE), and database errors (deadlocks, constraint violations).
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/database-postgresql/generator.yml \
  --id postgresql \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| SELECT | Read queries (pgaudit READ) | ~45% | database |
| INSERT | Insert queries (pgaudit WRITE) | ~15% | database |
| UPDATE | Update queries (pgaudit WRITE) | ~10% | database |
| DELETE | Delete queries (pgaudit WRITE) | ~3% | database |
| Connection | Connection authorized | ~10% | network |
| Disconnection | Session disconnection (correlated) | ~8% | network |
| AuthFailure | Authentication failures | ~2% | authentication |
| DDL | CREATE/ALTER/DROP, VACUUM, ANALYZE | ~3% | database |
| Role | GRANT/REVOKE, CREATE/ALTER/DROP ROLE | ~2% | iam |
| Error | Deadlocks, constraint violations, timeouts | ~2% | database |
Realism Features
- Correlated connections — connection events create entries consumed by disconnection events with matching user/db/pid
- 6-host cluster — primary, replicas, analytics, staging, dev servers with unique agent IDs and OS metadata
- 15 database users — superuser, application, readonly, admin, developer roles with matching application names
- 24 tables across 8 database/schema combinations with weighted access patterns
- Parameterized queries — prepared statement parameters ($1, $2, ...) matching pgAudit format
- Authentication failures — password denials, pg_hba.conf mismatches, nonexistent roles from public IPs
- Database errors — deadlocks, duplicate keys, FK violations, lock timeouts, query cancellations
Sample Output
```json
{
  "@timestamp": "2026-03-04T10:15:42.123456+00:00",
  "event": {
    "action": "SELECT",
    "category": ["database"],
    "dataset": "postgresql.log",
    "duration": 3245000,
    "module": "postgresql",
    "outcome": "success",
    "type": ["access"]
  },
  "message": "AUDIT: SESSION,42,1,READ,SELECT,,,SELECT id, email, name FROM public.users WHERE id = $1,{1042}",
  "postgresql": {
    "log": {
      "database": "app_production",
      "query": "SELECT id, email, name FROM public.users WHERE id = $1",
      "query_name": "SELECT"
    }
  },
  "user": { "name": "app_backend" },
  "source": { "ip": "10.1.3.22", "port": 45321 },
  "service": { "type": "postgresql" }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| cluster_name | pg-prod-cluster | PostgreSQL cluster name |
| pg_version | 16.4 | PostgreSQL version string |
| agent_version | 8.17.0 | Filebeat version string |
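The `AUDIT:` message in the sample output above follows pgAudit's nine-field order (AUDIT_TYPE, STATEMENT_ID, SUBSTATEMENT_ID, CLASS, COMMAND, OBJECT_TYPE, OBJECT_NAME, STATEMENT, PARAMETER). The parser and DDL/ROLE triage below is an added example, not code from the content pack or from pgAudit; the constructed messages, the `public.orders`/`staging.tmp_import` table names and the `{7}`/`<none>` parameter values are assumptions.

```python
import csv
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class AuditEntry:
    audit_type: str
    statement_id: int
    substatement_id: int
    class_: str        # READ, WRITE, DDL, ROLE, ...
    command: str
    object_type: str
    object_name: str
    statement: str
    parameter: str     # "{1042}" in the generator output, "<none>" if absent

def parse_pgaudit(message: str) -> Optional[AuditEntry]:
    """Parse the text after 'AUDIT: ' in a PostgreSQL log message.
    Stock pgAudit CSV-quotes a statement containing commas; the generator sample
    above leaves it unquoted, so surplus columns are re-joined into STATEMENT.
    Assumes a parameter list containing commas is quoted, as pgAudit does."""
    prefix = "AUDIT: "
    if not message.startswith(prefix):
        return None
    cols = next(csv.reader([message[len(prefix):]]))
    if len(cols) < 9:
        return None
    if len(cols) > 9:  # unquoted statement split on its own commas
        cols = cols[:7] + [",".join(cols[7:-1]), cols[-1]]
    return AuditEntry(cols[0], int(cols[1]), int(cols[2]), *cols[3:])

# Schema and privilege changes are low-volume (~2-3% here) and worth reviewing.
REVIEW_CLASSES = {"DDL", "ROLE"}

def triage(messages: List[str]) -> List[Tuple[str, str, str]]:
    """Return (class, command, statement) for every DDL or ROLE entry."""
    flagged = []
    for m in messages:
        entry = parse_pgaudit(m)
        if entry is not None and entry.class_ in REVIEW_CLASSES:
            flagged.append((entry.class_, entry.command, entry.statement))
    return flagged

# Constructed sample messages in the shape of the generator's "message" field.
SAMPLE_MESSAGES = [
    "AUDIT: SESSION,42,1,READ,SELECT,,,SELECT id, email, name FROM public.users WHERE id = $1,{1042}",
    'AUDIT: SESSION,43,1,WRITE,INSERT,TABLE,public.orders,"INSERT INTO public.orders (id, total) VALUES ($1, 19.99)",{7}',
    "AUDIT: SESSION,44,1,ROLE,GRANT,,,GRANT ALL ON SCHEMA public TO developer,<none>",
    "AUDIT: SESSION,45,1,DDL,DROP TABLE,TABLE,staging.tmp_import,DROP TABLE staging.tmp_import,<none>",
]
```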
Related Generators
Microsoft SQL Server Audit
SQL Server Audit via Windows Event ID 33205 — login/logout lifecycle, DML queries (SELECT/INSERT/UPDATE/DELETE), stored procedure execution, schema changes (CREATE/ALTER/DROP), permission management (GRANT/DENY/REVOKE), role membership, backups, DBCC commands, and password changes.
MySQL Audit
MySQL Enterprise Audit Plugin events (ECS-compatible JSON) covering all four audit classes — connection, general, table_access, and audit. Generates connect/disconnect lifecycle, DML queries (SELECT/INSERT/UPDATE/DELETE), table access tracking, DDL schema changes, GRANT/REVOKE privileges, admin commands, query errors, and failed authentication attempts with realistic query statistics.
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.