From 7e243947484e1036ffa1e3a87229a2355aebd078 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matja=C5=BE=20Mori?= Date: Mon, 9 Dec 2024 14:19:15 +0100 Subject: [PATCH 1/4] Update to Dynamically Handle Primary Keys (Including Composite PKs) This update enhances the audit function by dynamically identifying the primary key (PK) columns of a table, even when they are named differently than the default "id". It now supports tables with composite primary keys or no primary key at all. --- audit.sql | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/audit.sql b/audit.sql index df1eda1..c32dedf 100644 --- a/audit.sql +++ b/audit.sql @@ -50,7 +50,7 @@ action TEXT NOT NULL CHECK (action IN ('I', 'D', 'U', 'T')), row_data jsonb, changed_fields jsonb, statement_only boolean not null, -row_id bigint +row_id text ); REVOKE ALL ON audit.logged_actions FROM public; @@ -72,6 +72,7 @@ COMMENT ON COLUMN audit.logged_actions.action IS 'Action type; I = insert, D = d COMMENT ON COLUMN audit.logged_actions.row_data IS 'Record value. Null for statement-level trigger. For INSERT this is the new tuple. For DELETE and UPDATE it is the old tuple.'; COMMENT ON COLUMN audit.logged_actions.changed_fields IS 'New values of fields changed by UPDATE. Null except for row-level UPDATE events.'; COMMENT ON COLUMN audit.logged_actions.statement_only IS '''t'' if audit event is from an FOR EACH STATEMENT trigger, ''f'' for FOR EACH ROW'; +COMMENT ON COLUMN audit.logged_actions.row_id IS 'PK ID of the row'; CREATE INDEX logged_actions_relid_idx ON audit.logged_actions(relid); CREATE INDEX logged_actions_action_tstamp_tx_stm_idx ON audit.logged_actions(action_tstamp_stm); CREATE INDEX logged_actions_action_idx ON audit.logged_actions(action); @@ -83,8 +84,47 @@ DECLARE h_old jsonb; h_new jsonb; excluded_cols text [] = ARRAY []::text []; + pk_value text DEFAULT NULL; -- Initialize pk_value + composite_key_value text DEFAULT NULL; + pk_col_names text[] = ARRAY[]::text[]; + pk_col_name text; -- Variable for individual column name + i integer; -- Loop counter BEGIN IF TG_WHEN <> 'AFTER' THEN RAISE EXCEPTION 'audit.if_modified_func() may only run as an AFTER trigger'; END IF; + +-- Get the primary key column names for the table + SELECT array_agg(a.attname) + INTO pk_col_names + FROM pg_index i + JOIN pg_attribute a ON a.attrelid = i.indrelid + AND a.attnum = ANY(i.indkey) + WHERE i.indrelid = (TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME)::regclass + AND i.indisprimary; + + -- If no primary key columns found + IF pk_col_names IS NULL OR array_length(pk_col_names, 1) = 0 THEN + RAISE NOTICE 'No primary key found for table %', TG_TABLE_NAME; + END IF; + + IF array_length(pk_col_names, 1) > 0 THEN + composite_key_value = ''; + -- Loop over the primary key columns and extract values + FOR i IN 1..array_length(pk_col_names, 1) LOOP + pk_col_name := pk_col_names[i]; + -- Dynamically fetch the value of the primary key column for the OLD row + EXECUTE format('SELECT $1.%I', pk_col_name) INTO pk_value USING OLD; + IF pk_value IS NULL THEN + EXECUTE format('SELECT $1.%I', pk_col_name) INTO pk_value USING NEW; + END IF; + -- Concatenate the value to form the composite key + IF pk_value IS NOT NULL THEN + composite_key_value := composite_key_value || pk_value; + ELSE + composite_key_value := composite_key_value || ''; + END IF; + END LOOP; + END IF; + audit_row = ROW( nextval('audit.logged_actions_event_id_seq'), -- event_id @@ -118,7 +158,7 @@ audit_row = ROW( NULL, -- row_data, changed_fields 'f', -- statement_only, - COALESCE(OLD.id, NULL) -- pk ID of the row + composite_key_value -- pk ID of the row ); IF NOT TG_ARGV [0]::boolean IS DISTINCT FROM 'f'::boolean THEN audit_row.client_query = NULL; From d7dd8dca5b53ca9a2622b97e99745df04638d928 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matja=C5=BE=20Mori?= Date: Mon, 9 Mar 2026 07:03:06 +0100 Subject: [PATCH 2/4] Update repository link in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b65632d..8116437 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -Audit trigger for postgres. Fork from [this repo](https://github.com/2ndQuadrant/audit-trigger) including a bunch of changes: +Audit trigger for postgres. Fork from [this repo](https://github.com/iloveitaly/audit-trigger) including a bunch of changes: * converted from hstore to jsonb * Add a function to stop auditing a table. From 1978410dfc272a73ad0b78dd2fb66a9fcf300a03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matja=C5=BE=20Mori?= Date: Tue, 10 Mar 2026 07:52:04 +0100 Subject: [PATCH 3/4] Decentralize --- .gitignore | 1 - AUTHORS | 11 - COPYRIGHT | 27 -- audit.sql | 987 +++++++++++++++++++++++++++++++++++++---------------- 4 files changed, 687 insertions(+), 339 deletions(-) delete mode 100644 .gitignore delete mode 100644 AUTHORS delete mode 100644 COPYRIGHT diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 9f11b75..0000000 --- a/.gitignore +++ /dev/null @@ -1 +0,0 @@ -.idea/ diff --git a/AUTHORS b/AUTHORS deleted file mode 100644 index 60250cf..0000000 --- a/AUTHORS +++ /dev/null @@ -1,11 +0,0 @@ -Craig Ringer -github: - -with contributions including: - -github: 3nids -github: ADTC -github: asenyshyn -github: jhm713 -github: paulovieira -github: nineinchnick diff --git a/COPYRIGHT b/COPYRIGHT deleted file mode 100644 index b892225..0000000 --- a/COPYRIGHT +++ /dev/null @@ -1,27 +0,0 @@ -The following is "The PostgreSQL License", effectively equivalent to the BSD -license. - -I, Craig Ringer, cede any copyright on this work to the PostgreSQL Global -Development Group. - ------- - -PostgreSQL Audit Trigger Example -Copyright (c) 2013, PostgreSQL Global Development Group - -Permission to use, copy, modify, and distribute this software and its -documentation for any purpose, without fee, and without a written agreement -is hereby granted, provided that the above copyright notice and this -paragraph and the following two paragraphs appear in all copies. - -IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR -DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING -LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS -DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. - -THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS -ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO -PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. diff --git a/audit.sql b/audit.sql index c32dedf..a85c09b 100644 --- a/audit.sql +++ b/audit.sql @@ -1,309 +1,696 @@ --- An audit history is important on most tables. Provide an audit trigger that logs to --- a dedicated audit table for the major relations. +-- ============================================================================ +-- FLEXIBLE POSTGRESQL AUDIT SYSTEM +-- ============================================================================ +-- Supports TWO modes: +-- 1. DATABASE-LEVEL: All audit objects in dedicated 'audit' schema (default) +-- 2. SCHEMA-SPECIFIC: All audit objects within a specific schema -- --- This file should be generic and not depend on application roles or structures, --- as it's being listed here: --- --- https://wiki.postgresql.org/wiki/Audit_trigger_91plus --- --- This trigger was originally based on --- http://wiki.postgresql.org/wiki/Audit_trigger --- but has been completely rewritten. --- --- Should really be converted into a relocatable EXTENSION, with control and upgrade files. -CREATE SCHEMA audit; -REVOKE ALL ON SCHEMA audit -FROM public; -COMMENT ON SCHEMA audit IS 'Out-of-table audit/history logging tables and trigger functions'; --- --- Audited data. Lots of information is available, it's just a matter of how much --- you really want to record. See: --- --- http://www.postgresql.org/docs/9.1/static/functions-info.html --- --- Remember, every column you add takes up more audit table space and slows audit --- inserts. --- --- Every index you add has a big impact too, so avoid adding indexes to the --- audit table unless you REALLY need them. The json GIN/GIST indexes are --- particularly expensive. --- --- It is sometimes worth copying the audit table, or a coarse subset of it that --- you're interested in, into a temporary table where you CREATE any useful --- indexes and do your analysis. --- -CREATE TABLE audit.logged_actions ( -event_id bigserial primary key, -schema_name text not null, -table_name text not null, -relid oid not null, -session_user_name text, -action_tstamp_tx TIMESTAMP WITH TIME ZONE NOT NULL, -action_tstamp_stm TIMESTAMP WITH TIME ZONE NOT NULL, -action_tstamp_clk TIMESTAMP WITH TIME ZONE NOT NULL, -transaction_id bigint, -application_name text, -client_addr inet, -client_port integer, -client_query text, -action TEXT NOT NULL CHECK (action IN ('I', 'D', 'U', 'T')), -row_data jsonb, -changed_fields jsonb, -statement_only boolean not null, -row_id text -); -REVOKE ALL ON audit.logged_actions -FROM public; -COMMENT ON TABLE audit.logged_actions IS 'History of auditable actions on audited tables, from audit.if_modified_func()'; -COMMENT ON COLUMN audit.logged_actions.event_id IS 'Unique identifier for each auditable event'; -COMMENT ON COLUMN audit.logged_actions.schema_name IS 'Database schema audited table for this event is in'; -COMMENT ON COLUMN audit.logged_actions.table_name IS 'Non-schema-qualified table name of table event occured in'; -COMMENT ON COLUMN audit.logged_actions.relid IS 'Table OID. Changes with drop/create. Get with ''tablename''::regclass'; -COMMENT ON COLUMN audit.logged_actions.session_user_name IS 'Login / session user whose statement caused the audited event'; -COMMENT ON COLUMN audit.logged_actions.action_tstamp_tx IS 'Transaction start timestamp for tx in which audited event occurred'; -COMMENT ON COLUMN audit.logged_actions.action_tstamp_stm IS 'Statement start timestamp for tx in which audited event occurred'; -COMMENT ON COLUMN audit.logged_actions.action_tstamp_clk IS 'Wall clock time at which audited event''s trigger call occurred'; -COMMENT ON COLUMN audit.logged_actions.transaction_id IS 'Identifier of transaction that made the change. May wrap, but unique paired with action_tstamp_tx.'; -COMMENT ON COLUMN audit.logged_actions.client_addr IS 'IP address of client that issued query. Null for unix domain socket.'; -COMMENT ON COLUMN audit.logged_actions.client_port IS 'Remote peer IP port address of client that issued query. Undefined for unix socket.'; -COMMENT ON COLUMN audit.logged_actions.client_query IS 'Top-level query that caused this auditable event. May be more than one statement.'; -COMMENT ON COLUMN audit.logged_actions.application_name IS 'Application name set when this audit event occurred. Can be changed in-session by client.'; -COMMENT ON COLUMN audit.logged_actions.action IS 'Action type; I = insert, D = delete, U = update, T = truncate'; -COMMENT ON COLUMN audit.logged_actions.row_data IS 'Record value. Null for statement-level trigger. For INSERT this is the new tuple. For DELETE and UPDATE it is the old tuple.'; -COMMENT ON COLUMN audit.logged_actions.changed_fields IS 'New values of fields changed by UPDATE. Null except for row-level UPDATE events.'; -COMMENT ON COLUMN audit.logged_actions.statement_only IS '''t'' if audit event is from an FOR EACH STATEMENT trigger, ''f'' for FOR EACH ROW'; -COMMENT ON COLUMN audit.logged_actions.row_id IS 'PK ID of the row'; -CREATE INDEX logged_actions_relid_idx ON audit.logged_actions(relid); -CREATE INDEX logged_actions_action_tstamp_tx_stm_idx ON audit.logged_actions(action_tstamp_stm); -CREATE INDEX logged_actions_action_idx ON audit.logged_actions(action); -CREATE OR REPLACE FUNCTION audit.if_modified_func() RETURNS TRIGGER AS $body$ +-- Usage: +-- Database-level: SELECT audit_initialize(); +-- Schema-specific: SELECT audit_initialize('myschema'); +-- ============================================================================ + +-- ============================================================================ +-- INITIALIZATION FUNCTION +-- ============================================================================ +-- This function creates all audit objects in the specified schema +-- If no schema specified, defaults to 'audit' schema (database-level mode) +-- ============================================================================ + +CREATE OR REPLACE FUNCTION audit_initialize( + p_audit_schema text DEFAULT 'audit' +) +RETURNS void AS $body$ DECLARE - audit_row audit.logged_actions; - include_values boolean; - log_diffs boolean; - h_old jsonb; - h_new jsonb; - excluded_cols text [] = ARRAY []::text []; - pk_value text DEFAULT NULL; -- Initialize pk_value - composite_key_value text DEFAULT NULL; - pk_col_names text[] = ARRAY[]::text[]; - pk_col_name text; -- Variable for individual column name - i integer; -- Loop counter - BEGIN IF TG_WHEN <> 'AFTER' THEN RAISE EXCEPTION 'audit.if_modified_func() may only run as an AFTER trigger'; -END IF; - --- Get the primary key column names for the table - SELECT array_agg(a.attname) - INTO pk_col_names - FROM pg_index i - JOIN pg_attribute a ON a.attrelid = i.indrelid - AND a.attnum = ANY(i.indkey) - WHERE i.indrelid = (TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME)::regclass - AND i.indisprimary; - - -- If no primary key columns found - IF pk_col_names IS NULL OR array_length(pk_col_names, 1) = 0 THEN - RAISE NOTICE 'No primary key found for table %', TG_TABLE_NAME; + _sql text; + _schema_exists boolean; +BEGIN + -- Check if schema exists + SELECT EXISTS( + SELECT 1 FROM information_schema.schemata + WHERE schema_name = p_audit_schema + ) INTO _schema_exists; + + -- Create schema if it doesn't exist (for database-level mode) + IF NOT _schema_exists THEN + IF p_audit_schema = 'audit' THEN + EXECUTE format('CREATE SCHEMA %I', p_audit_schema); + EXECUTE format('REVOKE ALL ON SCHEMA %I FROM public', p_audit_schema); + EXECUTE format('COMMENT ON SCHEMA %I IS ''Audit/history logging tables and trigger functions''', p_audit_schema); + RAISE NOTICE 'Created schema: %', p_audit_schema; + ELSE + RAISE EXCEPTION 'Schema % does not exist. Please create it first or use ''audit'' for database-level auditing.', p_audit_schema; + END IF; + ELSE + RAISE NOTICE 'Using existing schema: %', p_audit_schema; END IF; - IF array_length(pk_col_names, 1) > 0 THEN - composite_key_value = ''; - -- Loop over the primary key columns and extract values - FOR i IN 1..array_length(pk_col_names, 1) LOOP - pk_col_name := pk_col_names[i]; - -- Dynamically fetch the value of the primary key column for the OLD row - EXECUTE format('SELECT $1.%I', pk_col_name) INTO pk_value USING OLD; - IF pk_value IS NULL THEN - EXECUTE format('SELECT $1.%I', pk_col_name) INTO pk_value USING NEW; + -- ======================================================================== + -- Create logged_actions table + -- ======================================================================== + _sql := format($sql$ + CREATE TABLE IF NOT EXISTS %I.logged_actions ( + event_id bigserial PRIMARY KEY, + schema_name text NOT NULL, + table_name text NOT NULL, + relid oid NOT NULL, + session_user_name text, + action_tstamp_tx TIMESTAMP WITH TIME ZONE NOT NULL, + action_tstamp_stm TIMESTAMP WITH TIME ZONE NOT NULL, + action_tstamp_clk TIMESTAMP WITH TIME ZONE NOT NULL, + transaction_id bigint, + application_name text, + client_addr inet, + client_port integer, + client_query text, + action TEXT NOT NULL CHECK (action IN ('I', 'D', 'U', 'T')), + row_data jsonb, + changed_fields jsonb, + statement_only boolean NOT NULL, + row_id text + ) + $sql$, p_audit_schema); + EXECUTE _sql; + + _sql := format('REVOKE ALL ON %I.logged_actions FROM public', p_audit_schema); + EXECUTE _sql; + + -- Create indexes + _sql := format('CREATE INDEX IF NOT EXISTS logged_actions_relid_idx ON %I.logged_actions(relid)', p_audit_schema); + EXECUTE _sql; + + _sql := format('CREATE INDEX IF NOT EXISTS logged_actions_action_tstamp_tx_stm_idx ON %I.logged_actions(action_tstamp_stm)', p_audit_schema); + EXECUTE _sql; + + _sql := format('CREATE INDEX IF NOT EXISTS logged_actions_action_idx ON %I.logged_actions(action)', p_audit_schema); + EXECUTE _sql; + + _sql := format('CREATE INDEX IF NOT EXISTS logged_actions_table_row_idx ON %I.logged_actions(table_name, row_id) WHERE row_id IS NOT NULL', p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create logged_relations table + -- ======================================================================== + _sql := format($sql$ + CREATE TABLE IF NOT EXISTS %I.logged_relations ( + relation_name regclass NOT NULL, + uid_column text NOT NULL, + PRIMARY KEY (relation_name, uid_column) + ) + $sql$, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create get_transaction_id function + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE FUNCTION %I.get_transaction_id() + RETURNS bigint AS $func$ + BEGIN + BEGIN + RETURN pg_current_xact_id(); + EXCEPTION WHEN undefined_function THEN + RETURN txid_current(); + END; + END; + $func$ LANGUAGE plpgsql STABLE + $sql$, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create main trigger function + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE FUNCTION %I.if_modified_func() + RETURNS TRIGGER AS $trigger$ + DECLARE + audit_row %I.logged_actions; + excluded_cols text[] = ARRAY[]::text[]; + pk_col_names text[] = ARRAY[]::text[]; + pk_col_name text; + pk_value text; + composite_key_value text DEFAULT NULL; + i integer; + h_old jsonb; + h_new jsonb; + BEGIN + IF TG_WHEN <> 'AFTER' THEN + RAISE EXCEPTION '%%.if_modified_func() may only run as an AFTER trigger', '%s'; END IF; - -- Concatenate the value to form the composite key - IF pk_value IS NOT NULL THEN - composite_key_value := composite_key_value || pk_value; + + -- Get primary key column names + SELECT array_agg(a.attname ORDER BY array_position(i.indkey, a.attnum)) + INTO pk_col_names + FROM pg_index i + JOIN pg_attribute a ON a.attrelid = i.indrelid AND a.attnum = ANY(i.indkey) + WHERE i.indrelid = (TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME)::regclass + AND i.indisprimary; + + -- Build composite key value + IF pk_col_names IS NOT NULL AND array_length(pk_col_names, 1) > 0 THEN + composite_key_value := ''; + FOR i IN 1..array_length(pk_col_names, 1) LOOP + pk_col_name := pk_col_names[i]; + IF TG_OP = 'INSERT' THEN + EXECUTE format('SELECT ($1).%%I::text', pk_col_name) INTO pk_value USING NEW; + ELSE + EXECUTE format('SELECT ($1).%%I::text', pk_col_name) INTO pk_value USING OLD; + END IF; + IF i > 1 THEN + composite_key_value := composite_key_value || '|'; + END IF; + composite_key_value := composite_key_value || COALESCE(pk_value, 'NULL'); + END LOOP; ELSE - composite_key_value := composite_key_value || ''; + IF TG_LEVEL = 'ROW' THEN + RAISE NOTICE '%%.if_modified_func: No primary key found for table %%.%%. Replay/rollback will not be available.', + '%s', TG_TABLE_SCHEMA, TG_TABLE_NAME; + END IF; END IF; - END LOOP; - END IF; -audit_row = ROW( - nextval('audit.logged_actions_event_id_seq'), - -- event_id - TG_TABLE_SCHEMA::text, - -- schema_name - TG_TABLE_NAME::text, - -- table_name - TG_RELID, - -- relation OID for much quicker searches - session_user::text, - -- session_user_name - current_timestamp, - -- action_tstamp_tx - statement_timestamp(), - -- action_tstamp_stm - clock_timestamp(), - -- action_tstamp_clk - txid_current(), - -- transaction ID - current_setting('application_name'), - -- client application - inet_client_addr(), - -- client_addr - inet_client_port(), - -- client_port - current_query(), - -- top-level query or queries (if multistatement) from client - substring(TG_OP, 1, 1), - -- action - NULL, - NULL, - -- row_data, changed_fields - 'f', -- statement_only, - composite_key_value -- pk ID of the row -); -IF NOT TG_ARGV [0]::boolean IS DISTINCT -FROM 'f'::boolean THEN audit_row.client_query = NULL; -END IF; -IF TG_ARGV [1] IS NOT NULL THEN excluded_cols = TG_ARGV [1]::text []; -END IF; -IF ( - TG_OP = 'UPDATE' - AND TG_LEVEL = 'ROW' -) THEN audit_row.row_data = row_to_json(OLD)::JSONB - excluded_cols; ---Computing differences -SELECT jsonb_object_agg(tmp_new_row.key, tmp_new_row.value) AS new_data INTO audit_row.changed_fields -FROM jsonb_each_text(row_to_json(NEW)::JSONB) AS tmp_new_row - JOIN jsonb_each_text(audit_row.row_data) AS tmp_old_row ON ( - tmp_new_row.key = tmp_old_row.key - AND tmp_new_row.value IS DISTINCT - FROM tmp_old_row.value - ); -IF audit_row.changed_fields = '{}'::JSONB THEN -- All changed fields are ignored. Skip this update. -RETURN NULL; -END IF; -ELSIF ( - TG_OP = 'DELETE' - AND TG_LEVEL = 'ROW' -) THEN audit_row.row_data = row_to_json(OLD)::JSONB - excluded_cols; -ELSIF ( - TG_OP = 'INSERT' - AND TG_LEVEL = 'ROW' -) THEN audit_row.row_data = row_to_json(NEW)::JSONB - excluded_cols; -ELSIF ( - TG_LEVEL = 'STATEMENT' - AND TG_OP IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE') -) THEN audit_row.statement_only = 't'; -ELSE RAISE EXCEPTION '[audit.if_modified_func] - Trigger func added as trigger for unhandled case: %, %', -TG_OP, -TG_LEVEL; -RETURN NULL; -END IF; -INSERT INTO audit.logged_actions -VALUES (audit_row.*); -RETURN NULL; -END; -$body$ LANGUAGE plpgsql SECURITY DEFINER -SET search_path = pg_catalog, - public; -COMMENT ON FUNCTION audit.if_modified_func() IS $body$ Track changes to a table at the statement -and / -or row level.Optional parameters to trigger in CREATE TRIGGER call: param 0: boolean, -whether to log the query text.Default 't'.param 1: text [], -columns to ignore in updates.Default [].Updates to ignored cols are omitted -from changed_fields.Updates with only ignored cols changed are not inserted into the audit log.Almost all the processing work is still done for updates that ignored.If you need to save the load, - you need to use - WHEN clause on the trigger instead.No warning - or error is issued if ignored_cols contains columns that do not exist in the target table.This lets you specify a standard -set of ignored columns.There is no parameter to disable logging of -values. -Add this trigger as a 'FOR EACH STATEMENT' rather than 'FOR EACH ROW' trigger if you do not want to log row -values.Note that the user name logged is the login role for the session.The audit trigger cannot obtain the active role because it is reset by the SECURITY DEFINER invocation of the audit trigger its self.$body$; -CREATE OR REPLACE FUNCTION audit.audit_table( - target_table regclass, - audit_rows boolean, - audit_query_text boolean, - audit_inserts boolean, - ignored_cols text [] - ) RETURNS void AS $body$ -DECLARE stm_targets text = 'INSERT OR UPDATE OR DELETE OR TRUNCATE'; -_q_txt text; -_ignored_cols_snip text = ''; -BEGIN PERFORM audit.deaudit_table(target_table); -IF audit_rows THEN IF array_length(ignored_cols, 1) > 0 THEN _ignored_cols_snip = ', ' || quote_literal(ignored_cols); -END IF; -_q_txt = 'CREATE TRIGGER audit_trigger_row AFTER ' || CASE - WHEN audit_inserts THEN 'INSERT OR ' - ELSE '' -END || 'UPDATE OR DELETE ON ' || target_table || ' FOR EACH ROW EXECUTE PROCEDURE audit.if_modified_func(' || quote_literal(audit_query_text) || _ignored_cols_snip || ');'; -RAISE NOTICE '%', -_q_txt; -EXECUTE _q_txt; -stm_targets = 'TRUNCATE'; -ELSE -END IF; -_q_txt = 'CREATE TRIGGER audit_trigger_stm AFTER ' || stm_targets || ' ON ' || target_table || ' FOR EACH STATEMENT EXECUTE PROCEDURE audit.if_modified_func(' || quote_literal(audit_query_text) || ');'; -RAISE NOTICE '%', -_q_txt; -EXECUTE _q_txt; -END; -$body$ language 'plpgsql'; -COMMENT ON FUNCTION audit.audit_table(regclass, boolean, boolean, boolean, text []) IS $body$ -Add auditing support to a table.Arguments: target_table: Table name, - schema qualified if not on search_path audit_rows: Record each row change, - or only audit at a statement level audit_query_text: Record the text of the client query that triggered the audit event ? audit_inserts: Audit -insert statements - or only updates / deletes / truncates ? ignored_cols: Columns to exclude -from -update diffs, - ignore updates that change only ignored cols.$body$; --- Adaptor to older variant without the audit_inserts parameter for backwards compatibility -CREATE OR REPLACE FUNCTION audit.audit_table( - target_table regclass, - audit_rows boolean, - audit_query_text boolean, - ignored_cols text [] - ) RETURNS void AS $body$ -SELECT audit.audit_table($1, $2, $3, BOOLEAN 't', ignored_cols); -$body$ LANGUAGE SQL; --- Pg doesn't allow variadic calls with 0 params, so provide a wrapper -CREATE OR REPLACE FUNCTION audit.audit_table( - target_table regclass, - audit_rows boolean, - audit_query_text boolean, - audit_inserts boolean - ) RETURNS void AS $body$ -SELECT audit.audit_table($1, $2, $3, $4, ARRAY []::text []); -$body$ LANGUAGE SQL; --- Older wrapper for backwards compatibility -CREATE OR REPLACE FUNCTION audit.audit_table( - target_table regclass, - audit_rows boolean, - audit_query_text boolean - ) RETURNS void AS $body$ -SELECT audit.audit_table($1, $2, $3, BOOLEAN 't', ARRAY []::text []); -$body$ LANGUAGE SQL; --- And provide a convenience call wrapper for the simplest case --- of row-level logging with no excluded cols and query logging enabled. --- -CREATE OR REPLACE FUNCTION audit.audit_table(target_table regclass) RETURNS void AS $body$ -SELECT audit.audit_table($1, BOOLEAN 't', BOOLEAN 't', BOOLEAN 't'); -$body$ LANGUAGE 'sql'; -COMMENT ON FUNCTION audit.audit_table(regclass) IS $body$ -Add auditing support to the given table.Row - level changes will be logged with full client query text.No cols are ignored.$body$; -CREATE OR REPLACE FUNCTION audit.deaudit_table(target_table regclass) RETURNS void AS $body$ BEGIN EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_row ON ' || target_table; -EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_stm ON ' || target_table; + -- Build audit row + audit_row = ROW( + nextval('%I.logged_actions_event_id_seq'), + TG_TABLE_SCHEMA::text, + TG_TABLE_NAME::text, + TG_RELID, + session_user::text, + current_timestamp, + statement_timestamp(), + clock_timestamp(), + %I.get_transaction_id(), + current_setting('application_name'), + inet_client_addr(), + inet_client_port(), + current_query(), + substring(TG_OP, 1, 1), + NULL, + NULL, + 'f', + composite_key_value + ); + + IF NOT TG_ARGV[0]::boolean IS DISTINCT FROM 'f'::boolean THEN + audit_row.client_query = NULL; + END IF; + + IF TG_ARGV[1] IS NOT NULL THEN + excluded_cols = TG_ARGV[1]::text[]; + END IF; + + + IF (TG_OP = 'UPDATE' AND TG_LEVEL = 'ROW') THEN + h_old := to_jsonb(OLD); + h_new := to_jsonb(NEW); + + IF array_length(excluded_cols, 1) > 0 THEN + h_old := h_old - excluded_cols; + h_new := h_new - excluded_cols; + END IF; + + audit_row.row_data := h_old; + + SELECT jsonb_object_agg(n.key, n.value) + INTO audit_row.changed_fields + FROM jsonb_each(h_new) n + WHERE h_old->n.key IS DISTINCT FROM n.value; + + audit_row.changed_fields := COALESCE(audit_row.changed_fields, '{}'::jsonb); + + -- Skip if no relevant changes + IF audit_row.changed_fields = '{}'::jsonb THEN + RETURN NULL; + END IF; + + ELSIF (TG_OP = 'DELETE' AND TG_LEVEL = 'ROW') THEN + audit_row.row_data = to_jsonb(OLD) - excluded_cols; + ELSIF (TG_OP = 'INSERT' AND TG_LEVEL = 'ROW') THEN + audit_row.row_data = to_jsonb(NEW) - excluded_cols; + ELSIF (TG_LEVEL = 'STATEMENT' AND TG_OP IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE')) THEN + audit_row.statement_only = 't'; + ELSE + RAISE EXCEPTION '[%%.if_modified_func] - Trigger func added as trigger for unhandled case: %%, %%', '%s', TG_OP, TG_LEVEL; + END IF; + + INSERT INTO %I.logged_actions VALUES (audit_row.*); + RETURN NULL; + END; + $trigger$ + LANGUAGE plpgsql + SECURITY DEFINER + SET search_path = pg_catalog, public + $sql$, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create audit_table function + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE FUNCTION %I.audit_table( + target_table regclass, + audit_rows boolean DEFAULT true, + audit_query_text boolean DEFAULT true, + audit_inserts boolean DEFAULT true, + ignored_cols text[] DEFAULT ARRAY[]::text[] + ) RETURNS void AS $func$ + DECLARE + stm_targets text = 'INSERT OR UPDATE OR DELETE OR TRUNCATE'; + _q_txt text; + _ignored_cols_snip text = ''; + pk_exists boolean; + BEGIN + EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_row ON ' || target_table; + EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_stm ON ' || target_table; + + SELECT EXISTS ( + SELECT 1 FROM pg_index i + WHERE i.indrelid = target_table AND i.indisprimary + ) INTO pk_exists; + + IF NOT pk_exists THEN + RAISE WARNING 'Table %% has no primary key. Audit logging will work but replay/rollback functions will not be available.', target_table; + END IF; + + IF audit_rows THEN + IF array_length(ignored_cols, 1) > 0 THEN + _ignored_cols_snip = ', ' || quote_literal(ignored_cols); + END IF; + _q_txt = 'CREATE TRIGGER audit_trigger_row AFTER ' || + CASE WHEN audit_inserts THEN 'INSERT OR ' ELSE '' END || + 'UPDATE OR DELETE ON ' || target_table || + ' FOR EACH ROW EXECUTE PROCEDURE %I.if_modified_func(' || + quote_literal(audit_query_text) || _ignored_cols_snip || ');'; + RAISE NOTICE '%%', _q_txt; + EXECUTE _q_txt; + stm_targets = 'TRUNCATE'; + END IF; + + _q_txt = 'CREATE TRIGGER audit_trigger_stm AFTER ' || stm_targets || ' ON ' || + target_table || + ' FOR EACH STATEMENT EXECUTE PROCEDURE %I.if_modified_func(' || + quote_literal(audit_query_text) || ');'; + RAISE NOTICE '%%', _q_txt; + EXECUTE _q_txt; + + IF pk_exists THEN + INSERT INTO %I.logged_relations (relation_name, uid_column) + SELECT target_table, a.attname + FROM pg_index i + JOIN pg_attribute a ON a.attrelid = i.indrelid AND a.attnum = ANY(i.indkey) + WHERE i.indrelid = target_table AND i.indisprimary + ON CONFLICT (relation_name, uid_column) DO NOTHING; + END IF; + END; + $func$ LANGUAGE plpgsql + $sql$, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create deaudit_table function + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE FUNCTION %I.deaudit_table(target_table regclass) + RETURNS void AS $func$ + BEGIN + EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_row ON ' || target_table; + EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_stm ON ' || target_table; + DELETE FROM %I.logged_relations WHERE relation_name = target_table; + RAISE NOTICE 'Auditing removed from table %%', target_table; + END; + $func$ LANGUAGE plpgsql + $sql$, p_audit_schema, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create replay_event function + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE FUNCTION %I.replay_event(pevent_id bigint) + RETURNS void AS $func$ + DECLARE + query text; + event record; + BEGIN + SELECT * INTO event FROM %I.logged_actions WHERE event_id = pevent_id; + IF NOT FOUND THEN + RAISE EXCEPTION 'Event ID %% not found in %I.logged_actions', pevent_id; + END IF; + IF event.statement_only THEN + RAISE EXCEPTION 'Cannot replay statement-level events (event_id: %%)', pevent_id; + END IF; + + WITH pk_columns AS ( + SELECT array_agg(uid_column ORDER BY uid_column) AS columns + FROM %I.logged_relations + WHERE relation_name = (event.schema_name || '.' || event.table_name)::regclass + ), + where_clause AS ( + SELECT string_agg( + uid_column || ' = ' || quote_literal(event.row_data->>uid_column), + ' AND ' ORDER BY uid_column + ) AS clause + FROM %I.logged_relations + WHERE relation_name = (event.schema_name || '.' || event.table_name)::regclass + ) + SELECT INTO query + CASE + WHEN event.action = 'I' THEN + 'INSERT INTO ' || event.schema_name || '.' || event.table_name || + ' (' || (SELECT string_agg(key, ', ') FROM jsonb_object_keys(event.row_data) AS key) || ') VALUES ' || + '(' || (SELECT string_agg( + CASE WHEN value = 'null'::jsonb THEN 'NULL' ELSE quote_literal(value #>> '{}') END, ', ' + ) FROM jsonb_each(event.row_data)) || ')' + WHEN event.action = 'D' THEN + 'INSERT INTO ' || event.schema_name || '.' || event.table_name || + ' (' || (SELECT string_agg(key, ', ') FROM jsonb_object_keys(event.row_data) AS key) || ') VALUES ' || + '(' || (SELECT string_agg( + CASE WHEN value = 'null'::jsonb THEN 'NULL' ELSE quote_literal(value #>> '{}') END, ', ' + ) FROM jsonb_each(event.row_data)) || ')' + WHEN event.action = 'U' THEN + 'UPDATE ' || event.schema_name || '.' || event.table_name || + ' SET ' || (SELECT string_agg( + key || ' = ' || CASE WHEN value = 'null'::jsonb THEN 'NULL' ELSE quote_literal(value #>> '{}') END, ', ' + ) FROM jsonb_each(event.changed_fields)) || + ' WHERE ' || (SELECT clause FROM where_clause) + END + FROM where_clause; + + IF query IS NULL THEN + RAISE EXCEPTION 'Could not build replay query for event_id: %%. Table may not have primary key defined in %I.logged_relations.', pevent_id; + END IF; + + RAISE NOTICE 'Executing: %%', query; + EXECUTE query; + END; + $func$ LANGUAGE plpgsql + $sql$, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create rollback_event function + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE FUNCTION %I.rollback_event(pevent_id bigint) + RETURNS void AS $func$ + DECLARE + event record; + last_event record; + query text; + pk_where_clause text; + BEGIN + SELECT * INTO event FROM %I.logged_actions WHERE event_id = pevent_id; + IF NOT FOUND THEN + RAISE EXCEPTION 'Event ID %% not found in %I.logged_actions', pevent_id; + END IF; + IF event.statement_only THEN + RAISE EXCEPTION 'Cannot rollback statement-level events (event_id: %%)', pevent_id; + END IF; + + WITH pk_where AS ( + SELECT string_agg( + uid_column || ' = ' || quote_literal(event.row_data->>uid_column), + ' AND ' ORDER BY uid_column + ) AS clause + FROM %I.logged_relations + WHERE relation_name = (event.schema_name || '.' || event.table_name)::regclass + ) + SELECT clause INTO pk_where_clause FROM pk_where; + + IF pk_where_clause IS NULL THEN + RAISE EXCEPTION 'Cannot rollback event %% - no primary key information found in %I.logged_relations', pevent_id; + END IF; + + SELECT la.event_id INTO last_event + FROM %I.logged_actions la + WHERE la.schema_name = event.schema_name + AND la.table_name = event.table_name + AND la.row_id = event.row_id + AND la.statement_only = false + ORDER BY la.action_tstamp_clk DESC + LIMIT 1; + + IF last_event.event_id != pevent_id THEN + RAISE EXCEPTION 'Cannot rollback event %% - a more recent event (%%) exists for this row. Use row_id: %%', + pevent_id, last_event.event_id, event.row_id; + END IF; + + SELECT INTO query + CASE + WHEN event.action = 'I' THEN + 'DELETE FROM ' || event.schema_name || '.' || event.table_name || + ' WHERE ' || pk_where_clause + WHEN event.action = 'D' THEN + 'INSERT INTO ' || event.schema_name || '.' || event.table_name || + ' (' || (SELECT string_agg(key, ', ') FROM jsonb_object_keys(event.row_data) AS key) || ') VALUES ' || + '(' || (SELECT string_agg( + CASE WHEN value = 'null'::jsonb THEN 'NULL' ELSE quote_literal(value #>> '{}') END, ', ' + ) FROM jsonb_each(event.row_data)) || ')' + WHEN event.action = 'U' THEN + 'UPDATE ' || event.schema_name || '.' || event.table_name || + ' SET ' || (SELECT string_agg( + key || ' = ' || CASE + WHEN event.row_data->key = 'null'::jsonb THEN 'NULL' + ELSE quote_literal(event.row_data->>key) + END, ', ' + ) FROM jsonb_object_keys(event.changed_fields) AS key) || + ' WHERE ' || pk_where_clause + END; + + IF query IS NULL THEN + RAISE EXCEPTION 'Could not build rollback query for event_id: %%', pevent_id; + END IF; + + RAISE NOTICE 'Executing rollback: %%', query; + EXECUTE query; + END; + $func$ LANGUAGE plpgsql + $sql$, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create audit_view function + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE FUNCTION %I.audit_view( + target_view regclass, + audit_query_text boolean DEFAULT true, + ignored_cols text[] DEFAULT ARRAY[]::text[], + uid_cols text[] DEFAULT ARRAY[]::text[] + ) RETURNS void AS $func$ + DECLARE + _q_txt text; + _ignored_cols_snip text = ''; + BEGIN + EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_row ON ' || target_view; + EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_stm ON ' || target_view; + + IF array_length(ignored_cols, 1) > 0 THEN + _ignored_cols_snip = ', ' || quote_literal(ignored_cols); + END IF; + + _q_txt = 'CREATE TRIGGER audit_trigger_row INSTEAD OF INSERT OR UPDATE OR DELETE ON ' || + target_view::text || + ' FOR EACH ROW EXECUTE PROCEDURE %I.if_modified_func(' || + quote_literal(audit_query_text) || _ignored_cols_snip || ');'; + RAISE NOTICE '%%', _q_txt; + EXECUTE _q_txt; + + INSERT INTO %I.logged_relations (relation_name, uid_column) + SELECT target_view, unnest(uid_cols) + ON CONFLICT (relation_name, uid_column) DO NOTHING; + END; + $func$ LANGUAGE plpgsql + $sql$, p_audit_schema, p_audit_schema, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create utility view: tableslist + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE VIEW %I.tableslist AS + SELECT DISTINCT + triggers.trigger_schema AS schema, + triggers.event_object_table AS auditedtable, + CASE + WHEN EXISTS ( + SELECT 1 FROM pg_index i + WHERE i.indrelid = (triggers.trigger_schema || '.' || triggers.event_object_table)::regclass + AND i.indisprimary + ) THEN 'Yes' + ELSE 'No (replay/rollback unavailable)' + END AS has_primary_key + FROM information_schema.triggers + WHERE triggers.trigger_name IN ('audit_trigger_row', 'audit_trigger_stm') + ORDER BY schema, auditedtable + $sql$, p_audit_schema); + EXECUTE _sql; + + -- ======================================================================== + -- Create get_row_history helper function + -- ======================================================================== + _sql := format($sql$ + CREATE OR REPLACE FUNCTION %I.get_row_history( + p_schema text, + p_table text, + p_row_id text + ) + RETURNS TABLE ( + event_id bigint, + action text, + action_time timestamp with time zone, + user_name text, + old_values jsonb, + new_values jsonb + ) AS $func$ + BEGIN + RETURN QUERY + SELECT + la.event_id, + CASE la.action + WHEN 'I' THEN 'INSERT' + WHEN 'U' THEN 'UPDATE' + WHEN 'D' THEN 'DELETE' + WHEN 'T' THEN 'TRUNCATE' + END AS action, + la.action_tstamp_clk, + la.session_user_name, + la.row_data, + la.changed_fields + FROM %I.logged_actions la + WHERE la.schema_name = p_schema + AND la.table_name = p_table + AND la.row_id = p_row_id + AND la.statement_only = false + ORDER BY la.action_tstamp_clk; + END; + $func$ LANGUAGE plpgsql + $sql$, p_audit_schema, p_audit_schema); + EXECUTE _sql; + + RAISE NOTICE '========================================'; + RAISE NOTICE 'Audit system initialized in schema: %', p_audit_schema; + RAISE NOTICE '========================================'; + RAISE NOTICE 'Available functions:'; + RAISE NOTICE ' - %.audit_table(regclass)', p_audit_schema; + RAISE NOTICE ' - %.deaudit_table(regclass)', p_audit_schema; + RAISE NOTICE ' - %.replay_event(bigint)', p_audit_schema; + RAISE NOTICE ' - %.rollback_event(bigint)', p_audit_schema; + RAISE NOTICE ' - %.audit_view(regclass, text[])', p_audit_schema; + RAISE NOTICE ' - %.get_row_history(text, text, text)', p_audit_schema; + RAISE NOTICE 'Available views:'; + RAISE NOTICE ' - %.tableslist', p_audit_schema; + RAISE NOTICE 'Available tables:'; + RAISE NOTICE ' - %.logged_actions', p_audit_schema; + RAISE NOTICE ' - %.logged_relations', p_audit_schema; + RAISE NOTICE '========================================'; + END; -$body$ language 'plpgsql'; -COMMENT ON FUNCTION audit.deaudit_table(regclass) IS $body$ Remove auditing support to the given table.$body$; -CREATE OR REPLACE VIEW audit.tableslist AS -SELECT DISTINCT triggers.trigger_schema AS schema, - triggers.event_object_table AS auditedtable -FROM information_schema.triggers -WHERE triggers.trigger_name::text IN ( - 'audit_trigger_row'::text, - 'audit_trigger_stm'::text - ) -ORDER BY schema, - auditedtable; -COMMENT ON VIEW audit.tableslist IS $body$ View showing all tables with auditing -set up.Ordered by schema, - then table.$body$; +$body$ LANGUAGE plpgsql; + +COMMENT ON FUNCTION audit_initialize(text) IS $body$ +Initialize the audit system in a specific schema. + +Usage: + -- Database-level auditing (creates 'audit' schema): + SELECT audit_initialize(); + + -- Schema-specific auditing (uses existing schema): + SELECT audit_initialize('myschema'); + +Arguments: + p_audit_schema: Schema name where audit objects will be created. + Defaults to 'audit' for database-level auditing. + For schema-specific auditing, the schema must already exist. +$body$; + +-- ============================================================================ +-- EXAMPLE USAGE +-- ============================================================================ + +/* +-- ============================================================================ +-- MODE 1: DATABASE-LEVEL AUDITING (Default) +-- ============================================================================ +-- All audit objects in dedicated 'audit' schema +-- Recommended for: Multi-schema databases, centralized audit management + +-- Initialize +SELECT audit_initialize(); -- Creates 'audit' schema + +-- Enable auditing on tables from any schema +SELECT audit.audit_table('public.users'::regclass); +SELECT audit.audit_table('sales.orders'::regclass); +SELECT audit.audit_table('hr.employees'::regclass); + +-- Query centralized audit log +SELECT * FROM audit.logged_actions +WHERE schema_name = 'public' AND table_name = 'users'; + +-- View all audited tables across all schemas +SELECT * FROM audit.tableslist; + + +-- ============================================================================ +-- MODE 2: SCHEMA-SPECIFIC AUDITING +-- ============================================================================ +-- All audit objects within a specific schema +-- Recommended for: Single-schema apps, isolated audit per business unit + +-- First, create your schema if it doesn't exist +CREATE SCHEMA myapp; + +-- Initialize audit system within that schema +SELECT audit_initialize('myapp'); + +-- Enable auditing on tables in the same schema +SELECT myapp.audit_table('myapp.users'::regclass); +SELECT myapp.audit_table('myapp.orders'::regclass); + +-- Query schema-specific audit log +SELECT * FROM myapp.logged_actions +WHERE table_name = 'users'; + +-- View audited tables in this schema +SELECT * FROM myapp.tableslist; + + +-- ============================================================================ +-- MULTIPLE SCHEMA-SPECIFIC AUDIT SYSTEMS +-- ============================================================================ +-- You can have separate audit systems for different schemas! + +-- Sales department audit +CREATE SCHEMA sales; +SELECT audit_initialize('sales'); +SELECT sales.audit_table('sales.orders'::regclass); +SELECT sales.audit_table('sales.customers'::regclass); + +-- HR department audit (completely separate) +CREATE SCHEMA hr; +SELECT audit_initialize('hr'); +SELECT hr.audit_table('hr.employees'::regclass); +SELECT hr.audit_table('hr.payroll'::regclass); + +-- Each has its own audit tables and functions +SELECT * FROM sales.logged_actions; -- Only sales data +SELECT * FROM hr.logged_actions; -- Only HR data + + +-- ============================================================================ +-- MIXING MODES +-- ============================================================================ +-- You can even mix database-level and schema-specific auditing! + +-- Database-level for shared/common tables +SELECT audit_initialize(); +SELECT audit.audit_table('public.users'::regclass); + +-- Schema-specific for isolated business units +CREATE SCHEMA finance; +SELECT audit_initialize('finance'); +SELECT finance.audit_table('finance.transactions'::regclass); + +-- Now you have: +-- - audit.logged_actions (database-level audit log) +-- - finance.logged_actions (finance-specific audit log) +*/ From a21ba8193211d4499214f78f223b8a16e4aab309 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matja=C5=BE=20Mori?= Date: Tue, 10 Mar 2026 07:53:52 +0100 Subject: [PATCH 4/4] Update README with changes and cleanup Removed unused variables from the README. --- README.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/README.md b/README.md index 8116437..603f971 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,2 @@ -Audit trigger for postgres. Fork from [this repo](https://github.com/iloveitaly/audit-trigger) including a bunch of changes: +Audit trigger for postgres. Fork from [this repo](https://github.com/iloveitaly/audit-trigger) -* converted from hstore to jsonb -* Add a function to stop auditing a table. -* Added option to not track insert statements. -* remove unused variables -* add pk to the table schema