Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server

MEDIUM

Description

Description:

Ensure 'log_retention_days' on 'PostgreSQL Servers' is set to an appropriate value.

Rationale:

Configuring 'log_retention_days' determines the duration in days that 'Azure Database for PostgreSQL' retains log files. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.

Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy a large amount of disk space. In this case you may want to set this to a lower number.

Remediation

From Azure Portal

From Azure Home select the Portal Menu.
Go to 'Azure Database for PostgreSQL servers'.
For each database, click on 'Server parameters'.
Search for 'log_retention_days'.
Input a value between 4 and 7 (inclusive) and click 'Save'.

From Azure CLI

Use the below command to update 'log_retention_days' configuration.

az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>

From Powershell

Use the below command to update 'log_retention_days' configuration.

Update-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_retention_days -Value <4-7>

Policy Details

Rule Reference ID: AC_AZURE_0590

CSP: Azure

Remediation Available: No

Domain: Resilience

Resource: azurerm_postgresql_server

Resource Category: Database

Resource Type: PostgreSQL

Frameworks

CIS Azure Foundations v1.5.0 Level 1
CIS Azure Foundations v1.3.0
CIS Azure Foundations v1.4.0 Level 1
CIS Azure Foundations v2.0.0 Level 1
CSCv8
NIST-800-53
NIST-CSF
GDPR
HIPAA
CSCv7
SOC2
NY-DFS

Detections

Analytics