Add pgAudit extension (#905)

* Add pgAudit extension

* Set shared_preload_libraries at global level

* Change 'enable' flag to 'enabled'

* Disable SSL to have the default value also on Ubuntu

* Add PostgreSQL logs to Filebeat

* Update docs

* Remove libs from shared_preload_libraries for disabled extensions

CHANGELOG-0.5.md

@@ -4,7 +4,9 @@
 
 ### Added
 
-- [#854](https://github.com/epiphany-platform/epiphany/issues/854) - PGBouncer implementation
+- PostgreSQL: PGBouncer implementation [#854](https://github.com/epiphany-platform/epiphany/issues/854)
+- PostgreSQL: pgAudit extension for audit logging [#905](https://github.com/epiphany-platform/epiphany/pull/905)
+- PostgreSQL: Send logs to Elasticsearch
 
 ## [0.5.1] 2020-01-23
 

core/src/epicli/data/common/ansible/playbooks/postgresql.yml

@@ -1,8 +1,9 @@
 ---
-# Ansible playbook that installs and performs basic configuration of postgresql
-- hosts: all
+# Ansible playbook that installs and performs basic configuration of PostgreSQL
+
+- hosts: repository
   gather_facts: yes
-  tasks: [ ]
+  tasks: []
 
 - hosts: postgresql
   become: true

core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2

@@ -24,8 +24,12 @@ filebeat.inputs:
 #   - /var/log/audit/audit.log
     - /var/log/auth.log
     - /var/log/firewalld
+{% if 'haproxy' in group_names %}
     - /var/log/haproxy.log
+{% endif %}
+{% if 'kafka' in group_names %}
     - /var/log/kafka/server.log
+{% endif %}
     - /var/log/messages
     - /var/log/secure
     - /var/log/syslog
@@ -63,12 +67,29 @@ filebeat.inputs:
   # that was (not) matched before or after or as long as a pattern is not matched based on negate.
   # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
   #multiline.match: after
+{% if 'postgresql' in group_names %}
+
+#--- PostgreSQL ---
 
+# Filebeat postgresql module doesn't support custom log_line_prefix (without patching), see https://discuss.elastic.co/t/filebeats-with-postgresql-module-custom-log-line-prefix/204457
+# Dedicated configuration to handle log messages spanning multiple lines.
+
+{# configuration based on postgresql module #}
+- type: log
+  enabled: true
+  paths:
+    - /var/log/postgresql/*.log*
+  multiline:
+    pattern: '^\d{4}-\d{2}-\d{2} '
+    negate: true
+    match: after
+{% endif %}
 {% if 'kubernetes_master' in group_names or 'kubernetes_node' in group_names %}
+
 #--- Kubernetes ---
 
-# K8s metadata are fetched from Docker labels to not make Filebeat on worker nodes dependent on a kubernetes master
-# since Filebeat should start even if the kubernetes master is not available
+# K8s metadata are fetched from Docker labels to not make Filebeat on worker nodes dependent on K8s master
+# since Filebeat should start even if K8s master is not available.
 
 - type: docker
   enabled: true
@@ -88,8 +109,7 @@ filebeat.inputs:
     - drop_fields:
         fields:
           - docker # Drop all fields added by 'add_docker_metadata' that were not renamed
-
-{% endif -%}
+{% endif %}
 
 #============================= Filebeat modules ===============================
 

core/src/epicli/data/common/ansible/playbooks/roles/postgresql/tasks/additional-components/configure-pgbouncer.yml

@@ -0,0 +1,30 @@
+---
+- name: Change pgbouncer configuration
+  lineinfile:
+    path: /etc/pgbouncer/pgbouncer.ini
+    insertafter: '\[databases\]'
+    line: postgres = host=127.0.0.1 port=5432 dbname=postgres
+    backup: yes
+
+- name: Change pool mode
+  lineinfile:
+    path: /etc/pgbouncer/pgbouncer.ini
+    regexp: '^pool_mode ='
+    line: "pool_mode = transaction"
+
+- name: Change pgbouncer users configuration
+  lineinfile:
+    path: /etc/pgbouncer/userlist.txt
+    line: '"postgres" "*"'
+    create: yes
+    backup: yes
+
+- name: Enable pgbouncer service
+  systemd:
+    name: pgbouncer
+    enabled: yes
+
+- name: Restart pgbouncer service
+  systemd:
+    name: pgbouncer
+    state: restarted