Configure "log_error_verbosity" Flag for PostgreSQL Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudSQL-031

Ensure that the "log_error_verbosity" database flag configured for your Google Cloud PostgreSQL database instances is set to DEFAULT or to a stricter value. The "log_error_verbosity" configuration flag defines the level of detail recorded in the server log for every logged message. It accepts three valid values: TERSE, DEFAULT, and VERBOSE. Each value adds additional fields to the displayed messages. TERSE excludes the logging of DETAIL, HINT, QUERY, and CONTEXT information. VERBOSE output includes the SQLSTATE error code, as well as the source code file name, function name, and line number that produced the error.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

PostgreSQL database auditing can help in troubleshooting operational issues and permits administrators to perform forensic analysis. If the "log_error_verbosity" flag is not set to the correct value, an excessive or insufficient amount of detail may be recorded in the logs. It is important to configure this flag with a value of DEFAULT or a stricter value to ensure optimal logging behavior.

Note: Some database flag settings can affect instance availability and/or stability, and eventually remove the PostgreSQL instance from the Google Cloud SQL Service Level Agreement (SLA).


Audit

To determine if the "log_error_verbosity" flag set for your Cloud PostgreSQL database instances has the appropriate configuration value, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to the Cloud SQL Instances console available at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter box, select Type and choose PostgreSQL to list only the PostgreSQL database instances provisioned for the selected GCP project.

05 Click on the name (ID) of the database instance that you want to examine.

06 In the navigation panel, select Overview to access the configuration details available for the selected instance.

07 In the Configuration section, under Database flags, check the value set for the log_error_verbosity database flag. If log_error_verbosity is not listed under Database flags, or if its value is neither DEFAULT nor a stricter value than DEFAULT, the "log_error_verbosity" flag configuration set for the selected Google Cloud PostgreSQL database instance is not compliant.

08 Repeat steps no. 5 – 7 to check the "log_error_verbosity" flag configuration for each PostgreSQL database instance available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) using custom query filters to list the ID of each Google Cloud Platform (GCP) project available in your cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-web-project-112233
cc-gov-project-123123

03 Run the sql instances list command (Windows/macOS/Linux) with custom filtering to describe the name of each PostgreSQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list \
  --project cc-web-project-112233 \
  --filter='DATABASE_VERSION:POSTGRES*' \
  --format="(NAME)"

04 The command output should return the requested database instance names:

NAME
cc-app-postgres-instance
cc-web-postgres-instance

05 Run the sql instances describe command (Windows/macOS/Linux) using the name of the PostgreSQL database instance that you want to examine as the identifier parameter and custom query filters to describe the "log_error_verbosity" flag configuration value set for the selected database instance:

gcloud sql instances describe cc-app-postgres-instance \
  --format=json | jq '.settings.databaseFlags[]? | select(.name=="log_error_verbosity") | .value'

06 The command output should return the requested flag configuration value:

"terse"

If the sql instances describe command produces no output, the "log_error_verbosity" flag configuration is not compliant. If the command output returns a value that is neither "default" nor stricter than "default", the "log_error_verbosity" flag configuration for the selected Google Cloud PostgreSQL database instance is not compliant.

07 Repeat steps no. 5 and 6 to verify the "log_error_verbosity" flag configuration value for each PostgreSQL database instance created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.
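The decision made in steps 5 and 6 can be scripted over the JSON that the describe command prints. The following is an added example, not Conformity or Google code; it assumes "stricter than default" means terse, and the sample instance records (including the hypothetical names starting with example-) are constructed:

```python
import json

FLAG = "log_error_verbosity"
# Assumption: "DEFAULT or a stricter value" is read as default or terse,
# because terse records fewer fields than default and verbose records more.
COMPLIANT = {"default", "terse"}

# Constructed sample, trimmed to the fields used here; same shape as the
# JSON printed by `gcloud sql instances describe --format=json`.
SAMPLE = json.loads("""[
 {"name": "cc-app-postgres-instance", "databaseVersion": "POSTGRES_14",
  "settings": {"databaseFlags": [{"name": "log_error_verbosity", "value": "terse"}]}},
 {"name": "cc-web-postgres-instance", "databaseVersion": "POSTGRES_14",
  "settings": {"databaseFlags": [{"name": "log_error_verbosity", "value": "VERBOSE"}]}},
 {"name": "example-unset-flag", "databaseVersion": "POSTGRES_13",
  "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"}]}},
 {"name": "example-no-flags", "databaseVersion": "POSTGRES_13", "settings": {}},
 {"name": "example-mysql", "databaseVersion": "MYSQL_8_0", "settings": {}}
]""")


def audit_instance(instance):
    """Return (status, reason) for one Cloud SQL instance resource."""
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        return ("skipped", "not a PostgreSQL instance")
    # databaseFlags may be absent entirely when no flag is set on the instance.
    flags = (instance.get("settings") or {}).get("databaseFlags") or []
    value = next((f.get("value") for f in flags if f.get("name") == FLAG), None)
    if value is None:
        return ("non-compliant", "flag not set")
    if value.lower() in COMPLIANT:
        return ("compliant", value.lower())
    return ("non-compliant", value.lower())


def audit(instances):
    """Map instance name -> (status, reason)."""
    return {i["name"]: audit_instance(i) for i in instances}


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE).items():
        print(f"{name}: {status} ({reason})")
```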

Remediation / Resolution

To ensure that your PostgreSQL database instances have the appropriate value set for the "log_error_verbosity" configuration flag, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances console available at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter box, select Type and choose PostgreSQL to list only the PostgreSQL database instances provisioned for the selected GCP project.

05 Click on the name (ID) of the database instance that you want to configure.

06 In the resource navigation panel, select Overview, and choose EDIT from the console top menu.

07 In the Customize your instance section, choose Flags to expand the panel with the database flags configured for the selected PostgreSQL instance.

08 Find the log_error_verbosity flag and select the appropriate value (i.e. default or a stricter value) from the flag configuration dropdown list. If the flag has not been set on the selected instance before, choose ADD A DATABASE FLAG, select the log_error_verbosity flag from the Choose a flag dropdown menu, and set its value accordingly. Choose DONE to close the panel. IMPORTANT: Configuring the "log_error_verbosity" flag automatically restarts the selected database instance.

09 Choose SAVE to apply the configuration changes.

10 Repeat steps no. 5 – 8 to configure the required flag for each PostgreSQL database instance available within the selected project.

11 Repeat steps no. 2 – 10 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the sql instances patch command (Windows/macOS/Linux) using the name of the PostgreSQL database instance that you want to reconfigure as the identifier parameter, to set the correct value for the "log_error_verbosity" configuration flag, i.e. default or a stricter value:

gcloud sql instances patch cc-app-postgres-instance \
  --database-flags log_error_verbosity=default

IMPORTANT: Configuring the "log_error_verbosity" flag automatically restarts the selected database instance.

02 Type Y to confirm the database configuration change:

The following message will be used for the patch API method.
{"name": "cc-app-postgres-instance", "project": "cc-web-project-112233", "settings": {"databaseFlags": [{"name": "log_error_verbosity", "value": "default"}]}}
WARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags - https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.
Do you want to continue (Y/n)? Y

03 The output should return the sql instances patch command request status:

Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-web-project-112233/instances/cc-app-postgres-instance].

04 Repeat steps no. 1 – 3 to configure the required flag for each PostgreSQL database instance provisioned for the selected project.

05 Repeat steps no. 1 – 4 for each project created within your Google Cloud Platform (GCP) account.
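The --database-flags option of gcloud sql instances patch replaces the instance's entire flag list, so running the patch with only log_error_verbosity drops any other flags already set. The following added example (not Conformity or Google code) builds the patch command with the existing flags carried over; the sample instance record and its other flag values are constructed:

```python
import shlex

FLAG = "log_error_verbosity"

# Constructed sample, trimmed to the fields used here; same shape as the
# JSON printed by `gcloud sql instances describe --format=json`.
SAMPLE = {
    "name": "cc-app-postgres-instance",
    "settings": {"databaseFlags": [
        {"name": "log_min_messages", "value": "warning"},
        {"name": "log_error_verbosity", "value": "verbose"},
        {"name": "log_connections", "value": "on"},
    ]},
}


def merged_flags(instance, value="default"):
    """Current flags of the instance with log_error_verbosity overridden."""
    current = (instance.get("settings") or {}).get("databaseFlags") or []
    flags = {f["name"]: f["value"] for f in current}
    flags[FLAG] = value
    for name, val in flags.items():
        # A comma inside a value would be split by the NAME=VALUE,... syntax.
        if "," in val or "=" in name:
            raise ValueError(f"cannot encode flag {name!r} in a comma-separated list")
    return ",".join(f"{n}={v}" for n, v in sorted(flags.items()))


def patch_command(instance, project, value="default"):
    """argv for the patch command from the page, with every flag carried over."""
    return ["gcloud", "sql", "instances", "patch", instance["name"],
            "--project", project,
            "--database-flags", merged_flags(instance, value)]


if __name__ == "__main__":
    # Printed for review only; nothing is executed against the cloud account.
    print(shlex.join(patch_command(SAMPLE, "cc-web-project-112233")))
```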

Publication date Jun 29, 2023