<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How can I analyze Splunk Phantom's PostgreSQL logs using pgBadger? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-analyze-Splunk-Phantom-s-PostgreSQL-logs-using/m-p/493632#M84332</link>
    <description>&lt;P&gt;What are the best configuration settings for using pgBadger to analyze Splunk Phantom's PostgreSQL logs?&lt;/P&gt;</description>
    <pubDate>Mon, 11 May 2020 21:42:07 GMT</pubDate>
    <dc:creator>awilcox_splunk</dc:creator>
    <dc:date>2020-05-11T21:42:07Z</dc:date>
    <item>
      <title>How can I analyze Splunk Phantom's PostgreSQL logs using pgBadger?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-analyze-Splunk-Phantom-s-PostgreSQL-logs-using/m-p/493632#M84332</link>
      <description>&lt;P&gt;What are the best configuration settings for using pgBadger to analyze Splunk Phantom's PostgreSQL logs?&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2020 21:42:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-can-I-analyze-Splunk-Phantom-s-PostgreSQL-logs-using/m-p/493632#M84332</guid>
      <dc:creator>awilcox_splunk</dc:creator>
      <dc:date>2020-05-11T21:42:07Z</dc:date>
    </item>
    <item>
      <title>Re: How can I analyze Splunk Phantom's PostgreSQL logs using pgBadger?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-analyze-Splunk-Phantom-s-PostgreSQL-logs-using/m-p/493633#M84333</link>
      <description>&lt;P&gt;PostgreSQL provides configuration parameters to control error reporting and logging.  Increased PostgreSQL logging combined with the PostgreSQL log analysis tool pgBadger can provide a better understanding of queries. Logging can be run at an elevated level for a short period of time and once the log data has been collected it can be analyzed using pgBadger.&lt;/P&gt;

&lt;P&gt;Here are a few suggested parameters for increased logging, as well as a brief explanation of the pgBadger tool:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Increasing PostgreSQL Logging&lt;/STRONG&gt;&lt;BR /&gt;
PostgreSQL uses only the last value that is set for a parameter. For more information, see &lt;A href="https://www.postgresql.org/docs/9.4/config-setting.html" target="_blank"&gt;https://www.postgresql.org/docs/9.4/config-setting.html&lt;/A&gt; . From an administration standpoint, the simplest way to increase logging is to create a separate logging configuration file and then include that configuration file at the end of the main PostgreSQL configuration file. In order to do that, follow these steps:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Create the file &lt;CODE&gt;postgresql.logging.for.pgbadger.conf&lt;/CODE&gt; and include the following parameters in that file:
&lt;PRE&gt;
log_min_duration_statement = 200   # log those queries running longer than ... milliseconds
log_checkpoints = on
log_connections = on
log_disconnections = on
log_lock_waits = on
log_temp_files = 0
log_error_verbosity = default
log_line_prefix = '%m [%p]: '
log_rotation_size = 1GB   # or whatever size is manageable in the environment
log_filename = 'postgresql-%a-%H%M%S.log'
log_autovacuum_min_duration = 0
&lt;/PRE&gt;&lt;/LI&gt;
&lt;LI&gt;Place the new configuration file alongside PostgreSQL's main configuration file:   &lt;CODE&gt;postgresql.conf&lt;/CODE&gt;. In a default Splunk Phantom installation this would be the &lt;CODE&gt;PHANTOM_HOME/data/db&lt;/CODE&gt; directory.&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Ensure the file ownership and file permissions are the same as the &lt;CODE&gt;postgresql.conf&lt;/CODE&gt; file. &lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Edit the &lt;CODE&gt;postgresql.conf&lt;/CODE&gt; file to include the new parameters by adding the &lt;CODE&gt;include_if_exists 'postgresql.logging.for.pgbadger.conf'&lt;/CODE&gt; parameter as the last line in the &lt;CODE&gt;postgresql.conf&lt;/CODE&gt; file. &lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Reload the PostgreSQL server to pick up the changes. Running queries will not be interrupted or otherwise impacted. Use the &lt;CODE&gt;systemctl reload postgresql-9.4&lt;/CODE&gt; command to reload the server. &lt;/P&gt;&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;The amount of additional log data that is generated will depend on the workload on the Splunk Phantom installation. Ideally, the additional logging should be enabled for a period of several hours or more during the system's typically busy time or while an issue under investigation is occurring.&lt;/P&gt;

&lt;P&gt;Because of the potential for PostgreSQL to generate more log data than is usual for your environment, the file system holding the logs should be actively monitored to ensure it doesn't run out of disk space. As a result of the &lt;CODE&gt;log_filename&lt;/CODE&gt; and &lt;CODE&gt;log_rotation_size&lt;/CODE&gt; parameters you will likely notice additional log files in the PostgreSQL log directory. In a default Splunk Phantom installation, the PostgreSQL log directory is the &lt;CODE&gt;PHANTOM_HOME/data/db/pg_log&lt;/CODE&gt; directory. &lt;/P&gt;

&lt;P&gt;To undo the changes and revert logging to what it previously was, edit the &lt;CODE&gt;postgresql.conf&lt;/CODE&gt; file again to comment the previously added &lt;CODE&gt;include_if_exists&lt;/CODE&gt; parameter and reload the system using the &lt;CODE&gt;systemctl reload postgresql-9.4&lt;/CODE&gt; command. &lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Use pgBadger&lt;/STRONG&gt;&lt;BR /&gt;
pgBadger is a PostgreSQL log analyzer and report generator. Here are a few useful links:&lt;/P&gt;

&lt;P&gt;• Homepage: &lt;A href="http://pgbadger.darold.net/" target="_blank"&gt;http://pgbadger.darold.net/&lt;/A&gt;&lt;BR /&gt;
• Download pgBadger: &lt;A href="https://github.com/darold/pgbadger/releases" target="_blank"&gt;https://github.com/darold/pgbadger/releases&lt;/A&gt; &lt;BR /&gt;
• Documentation: &lt;A href="https://pgbadger.darold.net/documentation.html" target="_blank"&gt;https://pgbadger.darold.net/documentation.html&lt;/A&gt; &lt;/P&gt;

&lt;P&gt;To use PgBadger, follow these steps:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Download pgBadger here: &lt;A href="https://github.com/darold/pgbadger/releases" target="_blank"&gt;https://github.com/darold/pgbadger/releases&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;Transfer the downloaded file to the system on which the logs will be analyzed and unpack the archive. The perl executable is named &lt;CODE&gt;pgbadger&lt;/CODE&gt;.&lt;/LI&gt;
&lt;LI&gt;Transfer the PostgreSQL log files to the same system.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;There are many command line options explained in &lt;CODE&gt;pgbadger --help&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;A command like pgbadger /postgresql/logs/*.log can be used to generate an HTML report named &lt;CODE&gt;out.html&lt;/CODE&gt; if there are large volumes of log files one useful option is to enable parallel processing on multiple cores with the &lt;CODE&gt;-j&lt;/CODE&gt; option.&lt;/P&gt;

&lt;P&gt;Splunk Phantom is unable to answer questions regarding the support of pgBadger.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 05:21:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-can-I-analyze-Splunk-Phantom-s-PostgreSQL-logs-using/m-p/493633#M84333</guid>
      <dc:creator>awilcox_splunk</dc:creator>
      <dc:date>2020-09-30T05:21:17Z</dc:date>
    </item>
  </channel>
</rss>

