# Enable pgAudit
To enable auditing on an AlloyDB instance, you perform two steps. First, you
enable the `alloydb.enable_pgaudit` flag on the instance. Then, you connect to the
cluster's primary instance and create the `pgaudit` extension in the databases.
1. Enable pgAudit on the instance:

   ### Console

   1. In the Google Cloud console, go to the **Clusters** page.

      [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)
   2. Click a cluster in the **Resource Name** column.
   3. In the **Overview** page, go to **Instances in your cluster**, select an instance, and then click **Edit**.
   4. Add the `alloydb.enable_pgaudit` flag on your instance:
      1. Click **Add flag**.
      2. Select the `alloydb.enable_pgaudit` flag from the **New database flag** list.
      3. Select **on** from the **Value** list.
      4. Click **Done**.
   5. Click **Update instance**.

   ### gcloud

   Enable pgAudit on an instance by setting that instance's `alloydb.enable_pgaudit` flag to `on`. For more information on setting an instance's database flags using the Google Cloud CLI, see [Configure an instance's database flags](/alloydb/docs/instance-configure-database-flags).

   Note that AlloyDB automatically restarts the instance after you update this flag.

2. Connect to the primary instance and create the extension in each database. You must perform the following steps on the primary instance even if you are enabling auditing on a read pool instance:
   1. Connect a psql client to the cluster's primary instance, as described in [Connect a psql client to an instance](/alloydb/docs/connect-psql).
   2. At the psql command prompt, connect to the database and create the extension:

      ```
      \c DB_NAME
      CREATE EXTENSION IF NOT EXISTS pgaudit;
      ```
   3. Repeat the previous two steps to connect to other databases and create the extension in each one of them.

**Warning:** In AlloyDB Omni only, if you set the `alloydb.enable_pgaudit` flag to `true` and the PostgreSQL `logging_collector` parameter to `on`, you might experience a loss of audit logs.

**Note:** Enabling the pgAudit extension can lead to increased data storage requirements if a service disruption occurs.

**Note:** Only users who are members of the `alloydbsuperuser` role can create extensions. The postgres user role that is created when you create a new cluster is a member of the `alloydbsuperuser` role.

**Note:** The default value for the `pgaudit.log` flag is `none`. To use the pgAudit extension, you must [set values for this flag](/alloydb/docs/pgaudit/configure-log-behavior).

Last updated 2025-08-26 UTC.
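
Step 2 has to be repeated in every database, and a database where `pgaudit` exists but `pgaudit.log` is still `none` produces no audit records. The script below is an added example, not part of the AlloyDB documentation: it runs the `CREATE EXTENSION` statement in each connectable database and reports that database's `pgaudit.log` value. It assumes the standard libpq variables (`PGHOST`, `PGUSER`, `PGPASSWORD`) point at the primary instance; the function names and the `PSQL` override are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the AlloyDB documentation.
# Assumes PGHOST/PGUSER/PGPASSWORD point at the cluster's PRIMARY instance, the
# user is a member of alloydbsuperuser, and alloydb.enable_pgaudit is already on.
PSQL="${PSQL:-psql}"   # overridable so the loop can be exercised without a server

# Databases that accept connections, templates excluded (one name per line).
list_databases() {
  "$PSQL" -X -At -d postgres -c \
    "SELECT datname FROM pg_database WHERE datallowconn AND NOT datistemplate ORDER BY 1"
}

# Create the extension in database $1, then print that database's pgaudit.log
# value. Fails if CREATE fails or the extension is not registered afterwards.
enable_pgaudit_in() {
  "$PSQL" -X -q -v ON_ERROR_STOP=1 -d "$1" \
    -c "CREATE EXTENSION IF NOT EXISTS pgaudit;" >/dev/null || return 1
  log_classes=$("$PSQL" -X -At -d "$1" -c \
    "SELECT coalesce(current_setting('pgaudit.log', true), 'unset')
       FROM pg_extension WHERE extname = 'pgaudit'") || return 1
  [ -n "$log_classes" ] && printf '%s\n' "$log_classes"
}

# Visit every database, print one status line each, return the failure count.
enable_pgaudit_everywhere() {
  all_dbs=$(list_databases) || return 255
  failed=0
  while IFS= read -r db_name; do
    [ -n "$db_name" ] || continue
    if log_value=$(enable_pgaudit_in "$db_name" </dev/null); then
      case "$log_value" in
        none|unset) echo "WARN $db_name: extension created, pgaudit.log=$log_value so nothing is logged yet" ;;
        *)          echo "OK $db_name: pgaudit.log=$log_value" ;;
      esac
    else
      echo "FAIL $db_name: extension not created"
      failed=$((failed + 1))
    fi
  done <<EOF
$all_dbs
EOF
  return "$failed"
}

# Touch a real server only when asked to: ./enable_pgaudit.sh --run
if [ "${1:-}" = "--run" ]; then
  enable_pgaudit_everywhere
fi
```

A `WARN` line means the extension is in place but the database will not emit audit records until `pgaudit.log` is given a value.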