Verify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server

Framework Reference: A.8.20 Integration: Azure – PostgreSQL Server

Why this matters

The log_connections parameter controls whether PostgreSQL logs each incoming connection attempt, including successful authentications. Enabling this setting ensures that both legitimate access and potential unauthorized attempts are recorded in your query and error logs.

Without connection logging enabled, it becomes significantly harder to identify brute-force login attempts, misconfigurations, or usage anomalies that may impact system security and performance. This setting is a foundational part of any audit-ready logging configuration.


What this check does

This Auto Check verifies whether the PostgreSQL server parameter log_connections is enabled.

Check Logic:
Passes if:

log_connections is explicitly set to on.

Fails if:

log_connections is unset, null, or set to off.

Applies to:

  • Azure PostgreSQL Single Server
  • Azure PostgreSQL Flexible Server
  • The check inspects the parameter via Azure’s configuration API and expects an exact value of on.

How to fix it

You can enable the log_connections parameter using the Azure Portal, CLI, or PowerShell.

Azure Portal:

  1. Navigate to Azure Database for PostgreSQL servers.
  2. Select the server instance and go to Server parameters.
  3. Locate the log_connections parameter.
  4. Set it to ON.
  5. Save the changes.

Azure CLI:

az postgres server configuration set \  --resource-group <resourceGroupName> \  --server-name <serverName> \  --name log_connections \  --value on

PowerShell:

Update-AzPostgreSqlConfiguration `  -ResourceGroupName "<ResourceGroupName>" `  -ServerName "<ServerName>" `  -Name "log_connections" `  -Value "on"

Substitute the placeholder values with those specific to your Azure deployment.


Exceptions

There are no recommended exceptions for this setting. Even in high-traffic environments, connection logging should remain enabled. If disabled, justification must be documented and approved by security stakeholders, along with compensating controls for connection-level visibility.


Further resources

Was this article helpful?