---
title: PostgreSQL misconfigured log messages flag
description: Datadog, the leading service for cloud-scale monitoring.
---

# PostgreSQL misconfigured log messages flag

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `28a757fc-3d8f-424a-90c0-4233363b2711`

**Cloud Provider:** GCP

**Platform:** Ansible

**Severity:** Low

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags)

### Description{% #description %}

PostgreSQL instances must have the `log_min_messages` flag set to a valid verbosity level. This ensures critical database events are recorded for detection and forensic analysis, while avoiding overly verbose debug logs that can expose sensitive information.

For Ansible Google Cloud SQL resources using the `google.cloud.gcp_sql_instance` (or `gcp_sql_instance`) module, ensure `settings.database_flags` contains an entry with `name: "log_min_messages"` and `value` set to one of the following: `fatal`, `panic`, `log`, `error`, `warning`, `notice`, `info`, `debug1`, `debug2`, `debug3`, `debug4`, or `debug5`. Resources missing this entry or using a value outside the allowed set are flagged.

Secure configuration example:

```yaml
- name: Create Cloud SQL instance with secure logging
  google.cloud.gcp_sql_instance:
    name: my-sql-instance
    settings:
      database_flags:
        - name: log_min_messages
          value: warning
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    database_version: SQLSERVER_13_1
    name: '{{ resource_name }}-2'
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      - name: log_min_messages
        value: log
      tier: db-n1-standard-1
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    database_version: SQLSERVER_13_1
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      - name: log_min_messages
        value: debug6
      tier: db-n1-standard-1
    state: present
```
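
The check from the Description, written out in Python as an added example (not Datadog's rule implementation). The names `check_task`, `scan` and `sql_task` and the sample tasks are constructed for illustration, tasks are assumed to be already parsed into dicts, and exact lowercase matching of the value is an assumption.

```python
# Added example; not Datadog's rule implementation.
ALLOWED = frozenset({
    "fatal", "panic", "log", "error", "warning", "notice", "info",
    "debug1", "debug2", "debug3", "debug4", "debug5",
})
MODULES = ("google.cloud.gcp_sql_instance", "gcp_sql_instance")
FLAG = "log_min_messages"


def check_task(task):
    """Return a finding for one task, or None if it passes or is out of scope."""
    args = next((task[m] for m in MODULES if isinstance(task.get(m), dict)), None)
    if args is None:
        return None  # not a Cloud SQL instance task
    settings = args.get("settings")
    flags = settings.get("database_flags") if isinstance(settings, dict) else None
    values = [f.get("value") for f in (flags or [])
              if isinstance(f, dict) and f.get("name") == FLAG]
    if not values:
        return f"{FLAG} is not set in settings.database_flags"
    # Assumption: values are compared exactly (lowercase, as listed on the page).
    bad = [v for v in values if v not in ALLOWED]
    if bad:
        return f"{FLAG} has unsupported value {bad[0]!r}"
    return None


def scan(tasks):
    """Return (task name, finding) pairs for every flagged task."""
    results = ((t.get("name", "<unnamed>"), check_task(t)) for t in tasks)
    return [(name, finding) for name, finding in results if finding]


# Constructed sample tasks, shaped as a YAML loader would return them.
def sql_task(name, settings, module=MODULES[0]):
    return {"name": name, module: {"name": "my-sql-instance", "settings": settings}}

TASKS = [
    sql_task("level-log", {"database_flags": [{"name": FLAG, "value": "log"}]}),
    sql_task("level-debug6", {"database_flags": [{"name": FLAG, "value": "debug6"}]}),
    sql_task("no-flags", {"tier": "db-n1-standard-1"}, module=MODULES[1]),
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "hi"}},
]

if __name__ == "__main__":
    for name, finding in scan(TASKS):
        print(f"{name}: {finding}")
```

A task that omits `settings` or `database_flags` entirely is reported the same way as one that lists other flags but not `log_min_messages`.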
