Setting Up Database Monitoring for self hosted Postgres
Database Monitoring provides deep visibility into your Postgres databases by exposing query metrics, query samples, explain plans, database states, failovers, and events.
The Agent collects telemetry directly from the database by logging in as a read-only user. Do the following setup to enable Database Monitoring with your Postgres database:
- Configure database parameters
- Grant the Agent access to the database
- Install the Agent
Before you begin
- Supported PostgreSQL versions
- 9.6, 10, 11, 12, 13, 14, 15, 16
- Prerequisites
- Postgres additional supplied modules must be installed. For most installations, this is included by default but less conventional installations might require an additional installation of your version of the
postgresql-contrib package. - Supported Agent versions
- 7.36.1+
- Performance impact
- The default Agent configuration for Database Monitoring is conservative, but you can adjust settings such as the collection interval and query sampling rate to better suit your needs. For most workloads, the Agent represents less than one percent of query execution time on the database and less than one percent of CPU.
Database Monitoring runs as an integration on top of the base Agent (see benchmarks). - Proxies, load balancers, and connection poolers
- The Datadog Agent must connect directly to the host being monitored. For self-hosted databases,
127.0.0.1 or the socket is preferred. The Agent should not connect to the database through a proxy, load balancer, or connection pooler such as pgbouncer. If the Agent connects to different hosts while it is running (as in the case of failover, load balancing, and so on), the Agent calculates the difference in statistics between two hosts, producing inaccurate metrics. - Data security considerations
- See Sensitive information for information about what data the Agent collects from your databases and how to ensure it is secure.
Configure Postgres settings
Configure the following parameters in the postgresql.conf file and then restart the server for the settings to take effect. For more information about these parameters, see the Postgres documentation.
| Parameter | Value | Description |
|---|
shared_preload_libraries | pg_stat_statements | Required for postgresql.queries.* metrics. Enables collection of query metrics using the pg_stat_statements extension. |
track_activity_query_size | 4096 | Required for collection of larger queries. Increases the size of SQL text in pg_stat_activity. If left at the default value then queries longer than 1024 characters will not be collected. |
pg_stat_statements.track | ALL | Optional. Enables tracking of statements within stored procedures and functions. |
pg_stat_statements.max | 10000 | Optional. Increases the number of normalized queries tracked in pg_stat_statements. This setting is recommended for high-volume databases that see many different types of queries from many different clients. |
pg_stat_statements.track_utility | off | Optional. Disables utility commands like PREPARE and EXPLAIN. Setting this value to off means only queries like SELECT, UPDATE, and DELETE are tracked. |
track_io_timing | on | Optional. Enables collection of block read and write times for queries. |
Grant the Agent access
The Datadog Agent requires read-only access to the database server in order to collect statistics and queries.
The following SQL commands should be executed on the primary database server (the writer) in the cluster if Postgres is replicated. Choose a PostgreSQL database on the database server for the Agent to connect to. The Agent can collect telemetry from all databases on the database server regardless of which one it connects to, so a good option is to use the default postgres database. Choose a different database only if you need the Agent to run custom queries against data unique to that database.
Connect to the chosen database as a superuser (or another user with sufficient permissions). For example, if your chosen database is postgres, connect as the postgres user using psql by running:
psql -h mydb.example.com -d postgres -U postgres
Create the datadog user:
CREATE USER datadog WITH password '<PASSWORD>';
Give the datadog user permission to relevant tables:
ALTER ROLE datadog INHERIT;
Create the following schema in every database:
CREATE SCHEMA datadog;
GRANT USAGE ON SCHEMA datadog TO datadog;
GRANT USAGE ON SCHEMA public TO datadog;
GRANT pg_monitor TO datadog;
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
Create the following schema in every database:
CREATE SCHEMA datadog;
GRANT USAGE ON SCHEMA datadog TO datadog;
GRANT USAGE ON SCHEMA public TO datadog;
GRANT pg_monitor TO datadog;
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
Create the following schema in every database:
CREATE SCHEMA datadog;
GRANT USAGE ON SCHEMA datadog TO datadog;
GRANT USAGE ON SCHEMA public TO datadog;
GRANT SELECT ON pg_stat_database TO datadog;
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
Create functions in every database to enable the Agent to read the full contents of pg_stat_activity and pg_stat_statements:
CREATE OR REPLACE FUNCTION datadog.pg_stat_activity() RETURNS SETOF pg_stat_activity AS
$$ SELECT * FROM pg_catalog.pg_stat_activity; $$
LANGUAGE sql
SECURITY DEFINER;
CREATE OR REPLACE FUNCTION datadog.pg_stat_statements() RETURNS SETOF pg_stat_statements AS
$$ SELECT * FROM pg_stat_statements; $$
LANGUAGE sql
SECURITY DEFINER;
For data collection or custom metrics that require querying additional tables, you may need to grant the
SELECT permission on those tables to the
datadog user. Example:
grant SELECT on <TABLE_NAME> to datadog;. See
PostgreSQL custom metric collection for more information.
Create the function in every database to enable the Agent to collect explain plans.
CREATE OR REPLACE FUNCTION datadog.explain_statement(
l_query TEXT,
OUT explain JSON
)
RETURNS SETOF JSON AS
$$
DECLARE
curs REFCURSOR;
plan JSON;
BEGIN
OPEN curs FOR EXECUTE pg_catalog.concat('EXPLAIN (FORMAT JSON) ', l_query);
FETCH curs INTO plan;
CLOSE curs;
RETURN QUERY SELECT plan;
END;
$$
LANGUAGE 'plpgsql'
RETURNS NULL ON NULL INPUT
SECURITY DEFINER;
Securely store your password
Store your password using secret management software such as Vault. You can then reference this password as ENC[<SECRET_NAME>] in your Agent configuration files: for example, ENC[datadog_user_database_password]. See Secrets Management for more information.
The examples on this page use datadog_user_database_password to refer to the name of the secret where your password is stored. It is possible to reference your password in plain text, but this is not recommended.
Verify
To verify the permissions are correct, run the following commands to confirm the Agent user is able to connect to the database and read the core tables:
psql -h localhost -U datadog postgres -A \
-c "select * from pg_stat_database limit 1;" \
&& echo -e "\e[0;32mPostgres connection - OK\e[0m" \
|| echo -e "\e[0;31mCannot connect to Postgres\e[0m"
psql -h localhost -U datadog postgres -A \
-c "select * from pg_stat_activity limit 1;" \
&& echo -e "\e[0;32mPostgres pg_stat_activity read OK\e[0m" \
|| echo -e "\e[0;31mCannot read from pg_stat_activity\e[0m"
psql -h localhost -U datadog postgres -A \
-c "select * from pg_stat_statements limit 1;" \
&& echo -e "\e[0;32mPostgres pg_stat_statements read OK\e[0m" \
|| echo -e "\e[0;31mCannot read from pg_stat_statements\e[0m"
psql -h localhost -U datadog postgres -A \
-c "select * from pg_stat_database limit 1;" \
&& echo -e "\e[0;32mPostgres connection - OK\e[0m" \
|| echo -e "\e[0;31mCannot connect to Postgres\e[0m"
psql -h localhost -U datadog postgres -A \
-c "select * from pg_stat_activity limit 1;" \
&& echo -e "\e[0;32mPostgres pg_stat_activity read OK\e[0m" \
|| echo -e "\e[0;31mCannot read from pg_stat_activity\e[0m"
psql -h localhost -U datadog postgres -A \
-c "select * from pg_stat_statements limit 1;" \
&& echo -e "\e[0;32mPostgres pg_stat_statements read OK\e[0m" \
|| echo -e "\e[0;31mCannot read from pg_stat_statements\e[0m"
When it prompts for a password, use the password you entered when you created the datadog user.
Install the Agent
Installing the Datadog Agent also installs the Postgres check, which is required for Database Monitoring on Postgres.
If you haven’t installed the Agent yet, see the Agent installation instructions, then return here to configure the Postgres check.
Follow the instructions below based on how you installed the Agent.
After you’ve installed the Host Agent, edit the Agent’s conf.d/postgres.d/conf.yaml file to point the Postgres instance you want to monitor. For a complete list of configuration options, see the sample postgres.d/conf.yaml.
init_config:
instances:
- dbm: true
host: localhost
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
## Required for Postgres 9.6: Uncomment these lines to use the functions created in the setup
# pg_stat_statements_view: datadog.pg_stat_statements()
# pg_stat_activity_view: datadog.pg_stat_activity()
## Optional: Connect to a different database if needed for `custom_queries`
# dbname: '<DB_NAME>'
Note: If your password includes special characters, wrap it in single quotes.
Restart the Agent to apply the changes.
To configure an integration for an Agent running in a Docker container, you have a couple of methods available, all of which are covered in detail in the Docker Configuration Documentation.
The examples below show how to use Docker Labels and Autodiscovery Templates to configure the Postgres integration.
Note: The Agent must have read access to the Docker socket for label-based Autodiscovery to work.
Command line
Run the following command from your command line to start the Agent. Replace the placeholder values with those for your account and environment.
export DD_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export DD_AGENT_VERSION=7.63.3
docker run -e "DD_API_KEY=${DD_API_KEY}" \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-l com.datadoghq.ad.checks='{"postgres": {
"init_config": {},
"instances": [{
"dbm": true,
"host": "<HOST>",
"port": 5432,
"username": "datadog",
"password": "ENC[datadog_user_database_password]"
}]
}}' \
gcr.io/datadoghq/agent:${DD_AGENT_VERSION}
Note: For Postgres 9.6, add the following lines to the instance config:
"pg_stat_statements_view": "datadog.pg_stat_statements()",
"pg_stat_activity_view": "datadog.pg_stat_activity()",
Dockerfile
You can also specify labels in a Dockerfile, allowing you to build and deploy a custom Agent without modifying your infrastructure configuration:
FROM gcr.io/datadoghq/agent:7.63.3
LABEL "com.datadoghq.ad.checks"='{"postgres": {"init_config": {}, "instances": [{"dbm": true, "host": "<HOST>", "port": 5432, "username": "datadog", "password": "ENC[datadog_user_database_password]"}]}}'
Note: For Postgres 9.6, add the following lines to the instance config where host and port are specified:
"pg_stat_statements_view": "datadog.pg_stat_statements()", "pg_stat_activity_view": "datadog.pg_stat_activity()",
To avoid exposing the datadog user’s password in plain text, use the Agent’s secret management package and declare the password using the ENC[] syntax. Alternatively, see the Autodiscovery template variables documentation to provide the password as an environment variable.
If you’re running a Kubernetes cluster, use the Datadog Cluster Agent to enable Database Monitoring.
Note: Make sure cluster checks are enabled for your Datadog Cluster Agent before proceeding.
Below are step-by-step instructions for configuring the Postgres integration using different Datadog Cluster Agent deployment methods.
Operator
Using the Operator instructions in Kubernetes and Integrations as a reference, follow the steps below to set up the Postgres integration:
Create or update the datadog-agent.yaml file with the following configuration:
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
name: datadog
spec:
global:
clusterName: <CLUSTER_NAME>
site: <DD_SITE>
credentials:
apiSecret:
secretName: datadog-agent-secret
keyName: api-key
features:
clusterChecks:
enabled: true
override:
nodeAgent:
image:
name: agent
tag: 7.63.3
clusterAgent:
extraConfd:
configDataMap:
postgres.yaml: |-
cluster_check: true
init_config:
instances:
- host: <HOST>
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
dbm: true
Note: For Postgres 9.6, add the following lines to the instance config where host and port are specified:
pg_stat_statements_view: datadog.pg_stat_statements()
pg_stat_activity_view: datadog.pg_stat_activity()
Apply the changes to the Datadog Operator using the following command:
kubectl apply -f datadog-agent.yaml
Helm
Using the Helm instructions in Kubernetes and Integrations as a reference, follow the steps below to set up the Postgres integration:
Update your datadog-values.yaml file (used in the Cluster Agent installation instructions) with the following configuration:
datadog:
clusterChecks:
enabled: true
clusterChecksRunner:
enabled: true
clusterAgent:
enabled: true
confd:
postgres.yaml: |-
cluster_check: true
init_config:
instances:
- dbm: true
host: <HOST>
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
Note: For Postgres 9.6, add the following lines to the instance config where host and port are specified:
pg_stat_statements_view: datadog.pg_stat_statements()
pg_stat_activity_view: datadog.pg_stat_activity()
Deploy the Agent with the above configuration file using the following command:
helm install datadog-agent -f datadog-values.yaml datadog/datadog
For Windows, append --set targetSystem=windows to the helm install command.
To configure a cluster check with a mounted configuration file, mount the configuration file in the Cluster Agent container at the path: /conf.d/postgres.yaml:
cluster_check: true # Make sure to include this flag
init_config:
instances:
- dbm: true
host: '<HOST>'
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
## Required: For Postgres 9.6, uncomment these lines to use the functions created in the setup
# pg_stat_statements_view: datadog.pg_stat_statements()
# pg_stat_activity_view: datadog.pg_stat_activity()
Instead of mounting a file, you can declare the instance configuration as a Kubernetes Service. To configure this check for an Agent running on Kubernetes, create a Service in the same namespace as the Datadog Cluster Agent:
Autodiscovery annotations v2
apiVersion: v1
kind: Service
metadata:
name: postgres
labels:
tags.datadoghq.com/env: '<ENV>'
tags.datadoghq.com/service: '<SERVICE>'
annotations:
ad.datadoghq.com/<CONTAINER_NAME>.checks: |
{
"postgres": {
"init_config": <INIT_CONFIG>,
"instances": [
{
"dbm": true,
"host": "<HOST>",
"port": 5432,
"username": "datadog",
"password": "ENC[datadog_user_database_password]"
}
]
}
}
spec:
ports:
- port: 5432
protocol: TCP
targetPort: 5432
name: postgres
For more information, see Autodiscovery Annotations.
If you’re using Postgres 9.6, add the following to the instance configuration:
"pg_stat_statements_view": "datadog.pg_stat_statements()",
"pg_stat_activity_view": "datadog.pg_stat_activity()"
The Cluster Agent automatically registers this configuration and begins running the Postgres check.
To avoid exposing the datadog user’s password in plain text, use the Agent’s secret management package and declare the password using the ENC[] syntax.
Collecting logs (optional)
PostgreSQL default logging is to stderr, and logs do not include detailed information. It is recommended to log into a file with additional details specified in the log line prefix. Refer to the PostgreSQL documentation on this topic for additional details.
Logging is configured within the file /etc/postgresql/<VERSION>/main/postgresql.conf. For regular log results, including statement outputs, uncomment the following parameters in the log section:
logging_collector = on
log_directory = 'pg_log' # directory where log files are written,
# can be absolute or relative to PGDATA
log_filename = 'pg.log' # log file name, can include pattern
log_statement = 'all' # log all queries
#log_duration = on
log_line_prefix= '%m [%p] %d %a %u %h %c '
log_file_mode = 0644
## For Windows
#log_destination = 'eventlog'
To gather detailed duration metrics and make them searchable in the Datadog interface, they should be configured inline with the statement themselves. See below for the recommended configuration differences from above and note that both log_statement and log_duration options are commented out. See discussion on this topic here.
This config logs all statements, but to reduce the output to those which have a certain duration, set the log_min_duration_statement value to the desired minimum duration in milliseconds (check that logging the full SQL statement complies with your organization’s privacy requirements):
log_min_duration_statement = 0 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_statement = 'all'
#log_duration = on
Collecting logs is disabled by default in the Datadog Agent, enable it in your datadog.yaml file:
Add and edit this configuration block to your conf.d/postgres.d/conf.yaml file to start collecting your PostgreSQL logs:
logs:
- type: file
path: "<LOG_FILE_PATH>"
source: postgresql
service: "<SERVICE_NAME>"
#To handle multi line that starts with yyyy-mm-dd use the following pattern
#log_processing_rules:
# - type: multi_line
# pattern: \d{4}\-(0?[1-9]|1[012])\-(0?[1-9]|[12][0-9]|3[01])
# name: new_log_start_with_date
Change the service and path parameter values to configure for your environment. See the sample postgres.d/conf.yaml for all available configuration options.
Restart the Agent.
Validate
Run the Agent’s status subcommand and look for postgres under the Checks section. Or visit the Databases page to get started!
Example Agent Configurations
One agent connecting to multiple hosts
It is common to configure a single Agent host to connect to multiple remote database instances (see Agent installation architectures for DBM). To connect to multiple hosts, create an entry for each host in the Postgres integration config.
In these cases, Datadog recommends limiting the number of instances per Agent to a maximum of 10 database instances to guarantee reliable performance.
init_config:
instances:
- dbm: true
host: example-service-primary.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
tags:
- 'env:prod'
- 'team:team-discovery'
- 'service:example-service'
- dbm: true
host: example-service–replica-1.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
tags:
- 'env:prod'
- 'team:team-discovery'
- 'service:example-service'
- dbm: true
host: example-service–replica-2.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
tags:
- 'env:prod'
- 'team:team-discovery'
- 'service:example-service'
[...]
Monitoring multiple databases on a database host
Use the database_autodiscovery option to permit the Agent to discover all databases on your host to monitor. You can specify include or exclude fields to narrow the scope of databases discovered. See the sample postgres.d/conf.yaml for more details.
init_config:
instances:
- dbm: true
host: example-service-primary.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
database_autodiscovery:
enabled: true
# Optionally, set the include field to specify
# a set of databases you are interested in discovering
include:
- mydb.*
- example.*
tags:
- 'env:prod'
- 'team:team-discovery'
- 'service:example-service'
Running custom queries
To collect custom metrics, use the custom_queries option. See the sample postgres.d/conf.yaml for more details.
init_config:
instances:
- dbm: true
host: localhost
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
custom_queries:
- metric_prefix: employee
query: SELECT age, salary, hours_worked, name FROM hr.employees;
columns:
- name: custom.employee_age
type: gauge
- name: custom.employee_salary
type: gauge
- name: custom.employee_hours
type: count
- name: name
type: tag
tags:
- 'table:employees'
Monitoring relation metrics for multiple databases
In order to collect relation metrics (such as postgresql.seq_scans, postgresql.dead_rows, postgresql.index_rows_read, and postgresql.table_size), the Agent must be configured to connect to each database (by default, the Agent only connects to the postgres database).
Specify a single “DBM” instance to collect DBM telemetry from all databases. Use the database_autodiscovery option to avoid specifying each database name.
init_config:
instances:
# This instance is the "DBM" instance. It will connect to the
# all logical databases, and send DBM telemetry from all databases
- dbm: true
host: example-service-primary.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
database_autodiscovery:
enabled: true
exclude:
- ^users$
- ^inventory$
relations:
- relation_regex: .*
# This instance only collects data from the `users` database
# and collects relation metrics from tables prefixed by "2022_"
- host: example-service-primary.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
dbname: users
dbstrict: true
relations:
- relation_regex: 2022_.*
relkind:
- r
- i
# This instance only collects data from the `inventory` database
# and collects relation metrics only from the specified tables
- host: example-service-primary.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
dbname: inventory
dbstrict: true
relations:
- relation_name: products
- relation_name: external_seller_products
Collecting schemas
To enable this feature, use the collect_schemas option. You must also configure the Agent to connect to each logical database.
Use the database_autodiscovery option to avoid specifying each logical database. See the sample postgres.d/conf.yaml for more details.
init_config:
# This instance only collects data from the `users` database
# and collects relation metrics only from the specified tables
instances:
- dbm: true
host: example-service-primary.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
dbname: users
dbstrict: true
collect_schemas:
enabled: true
relations:
- products
- external_seller_products
# This instance detects every logical database automatically
# and collects relation metrics from every table
- dbm: true
host: example-service–replica-1.example-host.com
port: 5432
username: datadog
password: 'ENC[datadog_user_database_password]'
database_autodiscovery:
enabled: true
collect_schemas:
enabled: true
relations:
- relation_regex: .*
Working with hosts through a proxy
If the Agent must connect through a proxy such as the Cloud SQL Auth proxy, all telemetry is tagged with the hostname of the proxy rather than the database instance. Use the reported_hostname option to set a custom override of the hostname detected by the Agent.
init_config:
instances:
- dbm: true
host: localhost
port: 5000
username: datadog
password: 'ENC[datadog_user_database_password]'
reported_hostname: example-service-primary
- dbm: true
host: localhost
port: 5001
username: datadog
password: 'ENC[datadog_user_database_password]'
reported_hostname: example-service-replica-1
Troubleshooting
If you have installed and configured the integrations and Agent as described and it is not working as expected, see Troubleshooting
Further reading
Additional helpful documentation, links, and articles:
