PostgreSQL Flexible Server – Configure Log File Retention
This check ensures that the log_file_retention_days parameter is configured to retain PostgreSQL Flexible Server logs for more than three days. Proper log retention supports effective troubleshooting, auditing, and security monitoring.
Check Details
- Resource: Azure Database for PostgreSQL – Flexible Server
- Check: Ensure log_file_retention_days Is Greater Than 3
- Risk: If PostgreSQL logs are retained for an insufficient period, critical audit records and diagnostic information may be lost. This may hinder incident investigations, regulatory compliance, and long-term troubleshooting efforts.
Remediation via Azure Portal
- Log in to the Azure Portal.
- Navigate to Azure Database for PostgreSQL Flexible Servers and select the affected server.
- Under Settings, select Server parameters.
- In the search bar, locate the parameter logfiles.retention_days.
- Ensure the value is set to greater than 3 days (for example, 4 days or more).
- Click Save to apply the configuration.
Remediation via Azure CLI
- Open Azure Cloud Shell or a local terminal with Azure CLI installed.
- Check the current value of log_file_retention_days:

  ```bash
  az postgres flexible-server parameter show \
    --resource-group <resource-group> \
    --server-name <server-name> \
    --name logfiles.retention_days
  ```

- Update the parameter to retain logs for more than three days:

  ```bash
  az postgres flexible-server parameter set \
    --resource-group <resource-group> \
    --server-name <server-name> \
    --name logfiles.retention_days \
    --value 4
  ```

- Verify the updated configuration:

  ```bash
  az postgres flexible-server parameter show \
    --resource-group <resource-group> \
    --server-name <server-name> \
    --name logfiles.retention_days \
    --query value
  ```

Replace <resource-group> and <server-name> with your actual values. The output should confirm that the value of log_file_retention_days is greater than 3.
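The verification step above covers one server at a time. The following script is an added example, not part of the original article, that extends the same check to every flexible server visible to the signed-in account and treats a failed parameter lookup as a finding. The function names and the sample rows are hypothetical; the script assumes `az` is installed and logged in when run with `--audit`.

```shell
#!/bin/sh
# Added example (not from the original page): audit logfiles.retention_days.
MIN_EXCLUSIVE=3            # the check requires a value greater than 3
TAB=$(printf '\t')

# Classify one parameter value: prints PASS, FAIL or UNKNOWN.
retention_status() {
  case "$1" in
    ''|*[!0-9]*) echo UNKNOWN ;;   # empty or non-numeric: the lookup failed
    *) if [ "$1" -gt "$MIN_EXCLUSIVE" ]; then echo PASS; else echo FAIL; fi ;;
  esac
}

# Read "resource-group<TAB>server<TAB>value" lines on stdin and print one
# result per server. Returns non-zero if any server is not PASS.
report() {
  rc=0
  while IFS="$TAB" read -r rg name value; do
    status=$(retention_status "$value")
    [ "$status" = PASS ] || rc=1
    printf '%-7s %s/%s logfiles.retention_days=%s\n' \
      "$status" "$rg" "$name" "${value:-<none>}"
  done
  return "$rc"
}

# Query every flexible server visible to the signed-in az account.
audit_all() {
  az postgres flexible-server list --query "[].[resourceGroup,name]" -o tsv |
  while IFS="$TAB" read -r rg name; do
    value=$(az postgres flexible-server parameter show \
      --resource-group "$rg" --server-name "$name" \
      --name logfiles.retention_days --query value -o tsv \
      </dev/null 2>/dev/null) || value=""
    printf '%s\t%s\t%s\n' "$rg" "$name" "$value"
  done | report
}

if [ "${1:-}" = "--audit" ]; then
  audit_all
else
  # Constructed sample rows (hypothetical names), so the script runs offline.
  printf 'rg-demo\tpg-a\t7\nrg-demo\tpg-b\t3\nrg-demo\tpg-c\t\n' | report || true
fi
```

Run it with `--audit` to query live servers; the non-zero exit status on any FAIL or UNKNOWN row makes it usable as a scheduled compliance gate.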