Getting PostgreSQL logs into Honeycomb

Our connector pulls your PostgreSQL logs into Honeycomb for analysis, so you can finally get a quick handle on the database queries triggered by your application logic. It surfaces attributes like:

The normalized query shape
Time spent executing the query
Transaction ID
Client information
… and more!

Honeycomb is unique in its ability to calculate metrics and statistics on the fly, while retaining the full-resolution log lines (and the original query that started it all!).

Note: This document is for folks running PostgreSQL directly. If you’re running PostgreSQL on RDS, check out our RDS connector page to set up your RDS instance instead.

The agent you’ll use to translate logs to events and send them to Honeycomb is called honeytail.

Configure PostgreSQL query logging 🔗

Before running honeytail, you’ll want to turn slow query logging on for all queries if possible. To turn on slow query logging, edit your postgresql.conf and set

log_min_duration_statement = 0
log_statement='none'

Note: log_statement indicates which types of queries are logged, but is superseded when setting log_min_duration_statement to 0, as this effectively logs all queries. Setting log_statement to any other value will change the format of the query logs in a way that isn’t currently supported by the Honeycomb PostgreSQL parser.

Alternatively, you can set this from the psql shell by running

ALTER SYSTEM SET log_min_duration_statement=0;
ALTER SYSTEM SET log_statement='none';
SELECT pg_reload_conf();

Finally, take note of the value of the log_line_prefix config line. It’ll look something like this:

log_line_prefix = '%t [%p-%l] %q%u@%d '

Install and run Honeytail 🔗

On your PostgreSQL host, download and install the latest honeytail by running:

deb-amd64

      # Download and install the AMD64 debian package
      wget -q https://honeycomb.io/download/honeytail/v1.6.0/honeytail_1.6.0_amd64.deb && \
      echo '7bbca7355573abc4d16a8faa42b1f3d615e63063a7246b1c6b6dc4ec041f56d7  honeytail_1.6.0_amd64.deb' | sha256sum -c && \
      sudo dpkg -i honeytail_1.6.0_amd64.deb

      # Download and install the ARM64 debian package
      wget -q https://honeycomb.io/download/honeytail/v1.6.0/honeytail_1.6.0_arm64.deb && \
      echo 'a5c930f6bfd5e08727f4d7cc4d452e67f892e6fc24dcb6bd357325545e6e30d1  honeytail_1.6.0_arm64.deb' | sha256sum -c && \
      sudo dpkg -i honeytail_1.6.0_arm64.deb

      # Download and install the rpm package
      wget -q https://honeycomb.io/download/honeytail/v1.6.0/honeytail-1.6.0-1.x86_64.rpm && \
      echo '20782faf592948abd9ec91c6fbbb9961e43101d1aa8b8f743f7f763960f1d38a  honeytail-1.6.0-1.x86_64.rpm' | sha256sum -c && \
      sudo rpm -i honeytail-1.6.0-1.x86_64.rpm

wget -q -O honeytail https://honeycomb.io/download/honeytail/v1.6.0/honeytail-linux-amd64 && \
      echo 'ade48161cbf79173ed7e2e476a53c45d1c9962c3332f0774f8dca67a067e1e12  honeytail' | sha256sum -c && \
      chmod 755 ./honeytail

wget -q -O honeytail https://honeycomb.io/download/honeytail/v1.6.0/honeytail-linux-arm64 && \
      echo '83a0b0267c020206bbd1c624aca53418cc55ea7c5c3176809d48f3fab009bd16  honeytail' | sha256sum -c && \
      chmod 755 ./honeytail

wget -q -O honeytail https://honeycomb.io/download/honeytail/v1.6.0/honeytail-darwin-amd64 && \
      echo '88bf9220c88cd8b1e6d7c8ff88594099f5f8965742e39d2c6ac063d409db2f4c  honeytail' | shasum -a 256 -c && \
      chmod 755 ./honeytail

      # Build from latest source after setting up go
      git clone https://github.com/honeycombio/honeytail
      cd honeytail; go install

The packages install honeytail, its config file /etc/honeytail/honeytail.conf, and some start scripts. Build honeytail from source if you need it in an unpackaged form or for ad-hoc use.

Make sure you’ve enabled query logging before running honeytail.

To consume the current slow query log from the beginning, run:

honeytail \
    --writekey=YOUR_API_KEY \
    --dataset=postgres-queries --parser=postgresql \
    --postgresql.log_line_prefix=YOUR_LOG_LINE_PREFIX \
    --file=/var/log/postgresql/postgresql-9.5-main.log \
    --tail.read_from=beginning

Troubleshooting 🔗

First, check out honeytail Troubleshooting for general debugging tips.

No data is being sent, and --debug doesn’t seem to show anything useful

Take a look at the --file being handed to honeytail and make sure it contains PostgreSQL query statements. An example excerpt from a PostgreSQL log file might look like:

2017-11-10 23:24:01 UTC [1998-1] LOG:  autovacuum launcher started
2017-11-10 23:24:01 UTC [2000-1] [unknown]@[unknown] LOG:  incomplete startup packet
2017-11-10 23:24:02 UTC [2003-1] postgres@postgres LOG:  duration: 4.356 ms  statement: SELECT d.datname as "Name",
               pg_catalog.pg_get_userbyid(d.datdba) as "Owner",
               pg_catalog.pg_encoding_to_char(d.encoding) as "Encoding",
               d.datcollate as "Collate",
               d.datctype as "Ctype",
               pg_catalog.array_to_string(d.datacl, E'\n') AS "Access privileges"
        FROM pg_catalog.pg_database d
        ORDER BY 1;

Also check that the value you’re passing in the --postgresql.log_line_prefix flag matches PostgreSQL’s configured value, which you can find using SHOW log_line_prefix at a psql prompt:

# SHOW log_line_prefix;
   log_line_prefix
---------------------
 %t [%p-%l] %q%u@%d

If your log file looks like a normal PostgreSQL output log but honeytail is still failing to send events to Honeycomb, let us know! We’re available to help anytime via email or chat .

Run Honeytail continuously 🔗

To run honeytail continuously as a daemon process, first modify the config file /etc/honeytail/honeytail.conf and uncomment and set:

ParserName to postgresql
WriteKey to your API key, available from the account page
LogFiles to the path for your PostgreSQL log file.
Dataset to the name of the dataset you wish to create with this log file.

Then start honeytail using upstart or systemd:

upstart

$ sudo initctl start honeytail

$ sudo systemctl start honeytail

$ honeytail -c /etc/honeytail/honeytail.conf

Backfill archived logs 🔗

You may have archived logs that you’d like to import into Honeycomb. If you have a log file located at /var/log/postgresql/postgresql-main.log, you can backfill using this command:

honeytail \
    --writekey=YOUR_API_KEY \
    --dataset=PostgreSQL \
    --parser=postgresql \
    --file=/var/log/postgresql/postgresql-main.log \
    --postgresql.log_line_prefix=YOUR_CONFIGURED_LOG_LINE_PREFIX \
    --backfill

This command can be used at any point to backfill from archived log files. You can read more about honeytail’s backfill behavior here.

Note: honeytail does not unzip log files, so you’ll need to do this before backfilling.

Once you’ve finished backfilling your old logs, we recommend transitioning to the default streaming behavior to stream live logs to Honeycomb.

Scrub personally identifiable information 🔗

While we believe strongly in the value of being able to track down the precise query causing a problem, we understand the concerns of exporting log data which may contain sensitive user information.

With that in mind, we recommend using honeytail’s PostgreSQL parser, but adding a --scrub_field=query flag to hash the concrete query value. The normalized_query attribute will still be representative of the shape of the query, and identifying patterns including specific queries will still be possible—but the sensitive information will be completely obscured before leaving your servers.

More information about dropping or scrubbing sensitive fields can be found here.

Open source 🔗

Honeytail and our installers are all open source, Apache 2.0 licensed. Their source can be found on GitHub:

Honeycomb.io Docs