📝 Google Cloud PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter 🟢

• Contextual name: 📝 PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter 🟢
• ID: /ce/ca/google/sql/postgresql-instance-log-error-verbosity-flag
• Located in: 📁 Google Cloud SQL

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • RELIABILITY

Similar Policies

• Cloud Conformity
  • Configure 'log_error_verbosity' Flag for PostgreSQL Instances

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are:

        • TERSE
        • DEFAULT
        • VERBOSE

TERSE excludes the logging of DETAIL, HINT, QUERY, and CONTEXT error information.

VERBOSE output includes the SQLSTATE error code, source code file name, function name, and line number that generated the error.

Ensure an appropriate value is set to DEFAULT or stricter.

Rationale

Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_error_verbosity is not set to the correct value, too many details or too few details may be logged. This flag should be configured with a value of DEFAULT or stricter. This recommendation is applicable to PostgreSQL database instances.

Impact

Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the PostgreSQL instance for which you want to enable the database flag.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add a Database Flag, choose the flag log_error_verbosity from the drop-down menu and set appropriate value.
6. Click Save to save your changes.
7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

1. Configure the log_error_verbosity database flag for every Cloud SQL PosgreSQL database instance using the below command.

    gcloud sql instances patch INSTANCE_NAME --database-flags log_error_verbosity=<TERSE|DEFAULT|VERBOSE>

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 6.2.1 Ensure ‘Log_error_verbosity’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘DEFAULT’ or Stricter - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 System Configuration			24