---
title: >-
  PostgreSQL instances should have the 'cloudsql.enable_pgaudit' database flag
  set to 'on'
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > PostgreSQL instances should have the
  'cloudsql.enable_pgaudit' database flag set to 'on'
---

# PostgreSQL instances should have the 'cloudsql.enable_pgaudit' database flag set to 'on'
 
## Description{% #description %}

Setting the `cloudsql.enable_pgaudit` database flag to `on` enables the [pgAudit](https://www.pgaudit.org/) extension on a Cloud SQL PostgreSQL instance. pgAudit emits detailed session and object audit log entries via the standard PostgreSQL logging facility, providing the level of detail expected by compliance frameworks for centralized audit logging.

## Rationale{% #rationale %}

Without pgAudit, the default `log_statement` setting only records statements at coarse levels (`none`, `ddl`, `mod`, `all`) and does not classify events as audit events for downstream pipelines. pgAudit produces classified audit records that downstream SIEMs and log-export pipelines can route, alert on, and retain separately from operational logs. Enabling pgAudit is also a prerequisite for satisfying the CIS GCP Foundation Benchmark v5.0.0 control 6.2.8.
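To make the "classified audit records" concrete, the following added example (not Datadog's or pgAudit's own code) parses pgAudit session entries out of PostgreSQL log lines and tallies them by audit class, which is the shape of the routing logic a SIEM ingest pipeline applies. It assumes the documented pgAudit record layout (`AUDIT_TYPE,STATEMENT_ID,SUBSTATEMENT_ID,CLASS,COMMAND,OBJECT_TYPE,OBJECT_NAME,STATEMENT,PARAMETER`, CSV-quoted) after the `AUDIT: ` marker; the log line prefix and the log lines themselves are constructed samples.

```python
import csv
import io
from collections import Counter

# Field names of one pgAudit session/object audit record, in emission order
# (assumed from the pgAudit documentation; not taken from this page).
AUDIT_FIELDS = (
    "audit_type", "statement_id", "substatement_id", "class", "command",
    "object_type", "object_name", "statement", "parameter",
)

# Constructed sample log lines. The prefix (timestamp, pid, db/user) is a
# generic log_line_prefix layout, not Cloud SQL's exact format; only the part
# after "AUDIT: " is parsed, so the prefix does not matter to the parser.
SAMPLE_LOG_LINES = [
    '2024-01-01 12:00:00.000 UTC [12345]: db=app,user=app_user LOG:  AUDIT: '
    'SESSION,1,1,DDL,CREATE TABLE,TABLE,public.account,'
    '"CREATE TABLE public.account (id int, name text)",<not logged>',
    '2024-01-01 12:00:01.000 UTC [12345]: db=app,user=app_user LOG:  AUDIT: '
    'SESSION,2,1,ROLE,GRANT,TABLE,public.account,'
    'GRANT SELECT ON public.account TO reporting,<not logged>',
    # A statement containing commas and quotes: pgAudit CSV-quotes it and
    # doubles the embedded quotes, so a plain split(",") would mis-parse it.
    '2024-01-01 12:00:02.000 UTC [12345]: db=app,user=app_user LOG:  AUDIT: '
    'SESSION,3,1,WRITE,INSERT,TABLE,public.account,'
    '"INSERT INTO public.account VALUES (1, \'Ann, ""the"" admin\')",<not logged>',
    # An ordinary, non-audit log line that the pipeline must ignore.
    '2024-01-01 12:00:03.000 UTC [12346]: db=app,user=app_user LOG:  '
    'connection received: host=10.0.0.5 port=51234',
]


def parse_pgaudit_line(line):
    """Return the audit record in a log line as a dict, or None if the line
    carries no pgAudit record."""
    marker = "AUDIT: "
    idx = line.find(marker)
    if idx < 0:
        return None
    payload = line[idx + len(marker):]
    # pgAudit emits a CSV row; csv.reader handles the quoted STATEMENT field,
    # embedded commas and doubled quotes correctly.
    row = next(csv.reader(io.StringIO(payload)))
    if len(row) != len(AUDIT_FIELDS):
        return None  # truncated or unexpected layout: do not guess
    return dict(zip(AUDIT_FIELDS, row))


def summarize_by_class(lines):
    """Count audit records per pgAudit class (DDL, ROLE, WRITE, READ, ...),
    skipping non-audit lines."""
    counts = Counter()
    for line in lines:
        entry = parse_pgaudit_line(line)
        if entry is not None:
            counts[entry["class"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        entry = parse_pgaudit_line(line)
        if entry:
            print(entry["class"], entry["command"], entry["object_name"])
    print(summarize_by_class(SAMPLE_LOG_LINES))
```

Because the class field is an explicit, stable value rather than something inferred from statement text, the pipeline can route `ROLE` and `DDL` records to an alerting index and `WRITE`/`READ` records to a retention-only index without a regex over SQL, which is the practical difference from `log_statement` output.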

## Impact{% #impact %}

Enabling pgAudit increases log volume and storage costs proportional to database activity. Plan for the additional sink/retention cost in Cloud Logging or whichever export destination the project uses. Setting custom flags through the command line on certain instances can also reset omitted flags to defaults; apply flag changes during a window of low usage and re-assert the full set of custom flags when patching.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

1. Navigate to the [Cloud SQL Instances page](https://console.cloud.google.com/sql/instances) in the Google Cloud Console.
1. Select the PostgreSQL instance to update.
1. Click **Edit**.
1. Scroll to the **Flags** section.
1. Click **Add item**, choose `cloudsql.enable_pgaudit` from the dropdown, and set the value to `on`.
1. Click **Save** and confirm the change.

### From the command line{% #from-the-command-line %}

```
gcloud sql instances patch <INSTANCE_NAME> --database-flags cloudsql.enable_pgaudit=on
```

`patch` overwrites all previously set database flags. To preserve existing flags, pass the full set on every patch call (for example, `--database-flags cloudsql.enable_pgaudit=on,log_statement=ddl,log_connections=on`). For flags that do not take a value, append an equals sign with no value.

After enabling the flag, install the pgAudit extension on each database that should emit audit events:

```
gcloud sql connect <INSTANCE_NAME> --user=postgres --quiet
```

Then, at the `psql` prompt:

```
CREATE EXTENSION pgaudit;
```
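The `patch` overwrite behaviour above is easy to get wrong by hand, so the following added example (not Datadog's rule implementation or Google's tooling) shows how a check-and-remediate script would evaluate the rule from `gcloud sql instances describe <INSTANCE_NAME> --format=json` output and build a `--database-flags` argument that carries every existing flag forward. The instance documents below are constructed samples trimmed to the `databaseVersion` and `settings.databaseFlags` fields this code reads; the instance names are placeholders.

```python
import json

PGAUDIT_FLAG = "cloudsql.enable_pgaudit"

# Constructed sample of `gcloud sql instances describe ... --format=json`
# output: a PostgreSQL instance with two custom flags and pgAudit unset.
SAMPLE_NONCOMPLIANT = json.dumps({
    "name": "example-pg-instance",
    "databaseVersion": "POSTGRES_15",
    "settings": {
        "databaseFlags": [
            {"name": "log_statement", "value": "ddl"},
            {"name": "log_connections", "value": "on"},
        ]
    },
})

# Constructed sample: same instance after remediation.
SAMPLE_COMPLIANT = json.dumps({
    "name": "example-pg-instance",
    "databaseVersion": "POSTGRES_15",
    "settings": {"databaseFlags": [{"name": PGAUDIT_FLAG, "value": "on"}]},
})

# Constructed sample: a MySQL instance, to which this rule does not apply.
SAMPLE_MYSQL = json.dumps({
    "name": "example-mysql-instance",
    "databaseVersion": "MYSQL_8_0",
    "settings": {},
})


def current_flags(describe_json):
    """Return the instance's custom database flags as {name: value}.
    An instance with no custom flags has no databaseFlags key at all."""
    data = json.loads(describe_json)
    flags = data.get("settings", {}).get("databaseFlags") or []
    return {f["name"]: f.get("value", "") for f in flags}


def pgaudit_finding(describe_json):
    """Evaluate the rule for one instance. 'value' is None when the flag is
    unset, which Cloud SQL treats as off."""
    data = json.loads(describe_json)
    if not data.get("databaseVersion", "").startswith("POSTGRES"):
        return {"instance": data.get("name"), "applicable": False,
                "compliant": None, "value": None}
    value = current_flags(describe_json).get(PGAUDIT_FLAG)
    return {"instance": data.get("name"), "applicable": True,
            "compliant": value == "on", "value": value}


def merged_flag_arg(describe_json, updates):
    """Build the full --database-flags value: existing flags first, then the
    requested updates, so a patch call never silently drops a flag.
    Flags that take no value keep an empty string and render as 'name='."""
    flags = current_flags(describe_json)
    flags.update(updates)
    return ",".join(f"{name}={value}" for name, value in flags.items())


def patch_command(instance_name, describe_json):
    """The argv a remediation step would run; returned, not executed."""
    arg = merged_flag_arg(describe_json, {PGAUDIT_FLAG: "on"})
    return ["gcloud", "sql", "instances", "patch", instance_name,
            "--database-flags", arg]


if __name__ == "__main__":
    for doc in (SAMPLE_NONCOMPLIANT, SAMPLE_COMPLIANT, SAMPLE_MYSQL):
        finding = pgaudit_finding(doc)
        print(finding)
        if finding["applicable"] and not finding["compliant"]:
            print(" ".join(patch_command(finding["instance"], doc)))
```

Run against live output with `gcloud sql instances describe <INSTANCE_NAME> --format=json` piped into the script; `patch_command` deliberately returns the argument vector instead of invoking `gcloud`, so the merged flag list can be reviewed before anything is changed, and the `CREATE EXTENSION pgaudit;` step still has to follow on each database.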

## Default Value{% #default-value %}

By default, `cloudsql.enable_pgaudit` is unset (equivalent to `off`).

## References{% #references %}

1. [pgAudit project](https://www.pgaudit.org/)
1. [Cloud SQL Instances console](https://console.cloud.google.com/sql/instances)
1. [Cloud SQL for PostgreSQL: Use pgAudit](https://cloud.google.com/sql/docs/postgres/pg-audit)
1. [Cloud SQL for PostgreSQL: Configure database flags](https://cloud.google.com/sql/docs/postgres/flags)

## CIS Controls{% #cis-controls %}

Version 8, 8.5 - Collect Detailed Audit Logs

- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
