Verify that Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Why this matters
Log files are a critical source of visibility into the behavior and health of your PostgreSQL server. Retaining these logs for at least 4 days ensures you can identify misconfigurations, troubleshoot incidents, and investigate suspicious activity effectively.
The default setting of 3 days may not be sufficient for forensic analysis or long-term monitoring—especially in high-traffic environments. Raising this threshold helps improve your security posture and audit readiness.
What this check does
This Auto Check verifies that:
- The PostgreSQL server parameter log_retention_days is set to at least 4 days (i.e., greater than 3).
- It applies to both single server and flexible server deployments in Azure.
- The check passes if the configured value is between 4 and 7 days, inclusive.
How to fix it
You can update the log_retention_days parameter using the Azure Portal, CLI, or PowerShell.
Azure Portal:
- Go to Azure Database for PostgreSQL servers.
- Select your server and navigate to Server parameters.
- Search for log_retention_days.
- Set the value to a number between 4 and 7.
- Save the configuration.
Azure CLI:
az postgres server configuration set \
--resource-group <resourceGroupName> \
--server-name <serverName> \
--name log_retention_days \
--value 4
PowerShell:
Update-AzPostgreSqlConfiguration `
-ResourceGroupName "<ResourceGroupName>" `
-ServerName "<ServerName>" `
-Name "log_retention_days" `
-Value 4
Replace the placeholder values with those relevant to your environment.
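To confirm the setting across several servers, the script below applies the pass rule described above (a value between 4 and 7, inclusive) to each server's current value. It is an added example, not part of the original check or of any Azure tooling. The function names and the sample server names are constructed for illustration, and collect_retention assumes single server deployments and a logged-in Azure CLI.

```shell
#!/bin/sh
# Added example: audit log_retention_days against the 4-7 day rule above.
TAB=$(printf '\t')

# classify_retention VALUE: prints PASS, or FAIL:<reason> with exit status 1.
classify_retention() {
  case "$1" in
    ''|*[!0-9]*) echo "FAIL:not-a-number"; return 1 ;;
  esac
  if [ "$1" -ge 4 ] && [ "$1" -le 7 ]; then
    echo "PASS"
  else
    echo "FAIL:out-of-range"; return 1
  fi
}

# audit_retention: reads "resourceGroup<TAB>server<TAB>value" lines on stdin,
# prints one verdict per server, returns 1 if any server fails the check.
audit_retention() {
  rc=0
  while IFS="$TAB" read -r rg server value; do
    [ -n "$server" ] || continue
    verdict=$(classify_retention "$value") || rc=1
    printf '%s/%s log_retention_days=%s %s\n' \
      "$rg" "$server" "${value:-<unset>}" "$verdict"
  done
  return "$rc"
}

# collect_retention: emits those lines for every single-server instance in
# the current subscription (requires a logged-in Azure CLI; not run here).
collect_retention() {
  az postgres server list --query "[].[resourceGroup,name]" -o tsv |
  while IFS="$TAB" read -r rg server; do
    value=$(az postgres server configuration show \
      --resource-group "$rg" --server-name "$server" \
      --name log_retention_days --query value -o tsv)
    printf '%s\t%s\t%s\n' "$rg" "$server" "$value"
  done
}

# Constructed sample input (server names are made up), same shape as the
# output of collect_retention: one compliant, one too low, one unreadable.
SAMPLE=$(printf 'rg-app\tpg-prod-01\t7\nrg-app\tpg-dev-02\t3\nrg-data\tpg-etl-03\t\n')

# Live use: collect_retention | audit_retention
printf '%s\n' "$SAMPLE" | audit_retention || echo "one or more servers fail the check"
```

A value that cannot be read is reported as a failure rather than skipped, so a server the CLI could not query does not pass silently.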
Exceptions
If log data is exported to an external SIEM or retained elsewhere for longer periods, this check may be marked as Not Applicable. In such cases, appropriate documentation must be maintained.
Further resources
Configure server parameters in Azure PostgreSQL
Azure REST API: List PostgreSQL configurations
Azure Security Benchmark: Logging and Threat Detection