Show HN: I built this Postgres logger (rocketgraph.io)
Some of you were really interested in Postgres logging with pgAudit in my previous post here: https://news.ycombinator.com/item?id=37082827
So I built this logger: https://rocketgraph.io/logger-demo
using pgAudit to show you what can be done with Postgres auditing. It offers some powerful features like "get me all the CREATE queries that ran in the past hour". These are generated by AWS RDS Instance running on my Rocketgraph account. Then they are forwarded to Cloudwatch for complex querying. In the future we can connect these logs to slack so you can get slack alerts when a developer accidentally DROPs a table.
If you like my work, please check it out here: https://github.com/RocketsGraphQL/rgraph
And if you want this logging on your own Postgres instance. Use https://rocketgraph.io/ And setup a project. pgAudit is automatically installed.
48 comments
[ 3.8 ms ] story [ 113 ms ] threadthat corroborates what you have said.
Perhaps being able to exclude those as a separate category would be good?
EDIT: Since you control object auditing by granting/revoking permissions to the relevant relations I don't think it's possible to have another category there since Postgres itself doesn't differentiate between UPDATE and SELECT FOR UPDATE on permission level
Although FWIW, I do completely understand your use-case of trying to quieten down logs for a queue!
What can you do about getting me a slack notice BEFORE a developer accidentally drops a table? ;)
I was studying SQL Server at the time, so Kendra Little, Brent Ozar, that whole crew were a good starting point.
Once you learn the basics of the DCL for your database, a lot of the stuff just becomes a natural extension, and almost always you're just talking about the official documentation.
Usually you have a server and a database level identity, and manipulating those usually break out the connection vs object level permissions.
Once you understand the maps of those and grouping users, you can do stuff like detect a user did a bad thing and add them to a group of users who are default denied from the database, insert a row in a table, and roll back their changes. A logon trigger that does rude things to people's sessions, or certainty that your developers can view some parts of some data without exposing your secrets.
All our db operations like this go through our regular code review process for the db maintainers team, and instead of dropping tables, we just rename them with a prefix "to_be_dropped" as a scream test, then actually drop them a month later or so.
Recovery is much simpler for renaming than dropping.
The Monarch: "Don't worry! If he hangs you I'll have him beheaded fifteen minutes later."
Triboulet: "Well, would it be possible to behead him 15 minutes before?
Ideally, you don't want developer(s) to have access to destruct data especially things like DROP. Now, a lot of small businesses may not have the resource to have separate DBAs etc but the rule still applies.
This is more a control problem than a code problem. Having said that, you could write triggers to stop DELETE or DROPs from happening if you cannot control the access.
All the same, I don't touch prod servers, and especially don't touch client prod servers.
Maybe it could send a Slack message which you (some someone else) would need to react with (I think this site malforms that white checkmark unicode character though..) before it continues, or times out after a while with an error!
We all have a few of these. My first one was a jenkins node with a "mv $WORKSPACE/ $WORKSPACE/bin" and no "set -u" :) Or accidentially wiping all SSH keys from a server due to a typo in the config management. That was fun.
But it's a good test for the mistake culture of the team and the resilience of their infrastructure. We had juniors nuke systems and no one but us and the monitoring noticed besides maybe a short hickup during a leader failover. That's pretty cool - and also a good horror story in a few words: "When you start ansible, and 3 minutes later on-call says 'Hi.' on slack".
As to the config, this at least was pretty common for Web.*.config files in the .Net space in the mid 00s. I was never a fan of it, and even with the newer options in the space, prefer simpler environment variables these days.
> Use https://rocketgraph.io/ And setup a project.
What will the price and terms be?
But hey, you can sign up and create a project without your credit card. Once free trail ends, you can pay with stripe. Let me know how you like it.
I wrote about it here: https://blog.rocketgraph.io/posts/install-pgaudit
That's why I automated the process. Now every project comes with Postgres and pgAudit configured, Authentication, GraphQL and front-end SDKs right out of the box so it will be easier to develop web applications.