Choose based on the control objective. Native logging and PgAudit provide deeper database detail, while proxy logging reduces runtime load and is easier to keep always on. If the priority is forensic precision, stay closer to the database. If the priority is stable production performance, move the logging burden outward.
Why This Matters for Security Teams
Proxy logging and native PostgreSQL audit features solve different problems, and that distinction matters when database activity must support both operations and investigations. Native logging and PgAudit give deeper statement-level visibility, while proxy logging can preserve production stability by keeping audit overhead outside the database process. For teams managing NHIs, the logging choice also affects how well service accounts, API keys, and automated workflows can be traced after an incident.
The risk is not just whether activity is captured, but whether it is captured at the right layer for the control objective. NHI governance research shows how often teams lack visibility into service accounts, and that gap becomes more serious when database actions are carried out by machines rather than people. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives and Top 10 NHI Issues both frame visibility as a lifecycle issue, not a point-in-time logging decision. In practice, many security teams discover their logging model is too thin only after a service account has already moved data or altered records without a usable trail.
How It Works in Practice
Native PostgreSQL audit controls are best when the priority is precision. PostgreSQL logging can record connection events, errors, and selected statements, while PgAudit adds richer audit detail for class, object, and role activity. This is valuable when teams need to reconstruct exactly what a database actor did, which tables were touched, and whether privileged commands were used. The tradeoff is that deeper visibility can create more volume, more tuning effort, and more runtime impact inside the database process.
Proxy logging shifts the burden outward. A database proxy, gateway, or service mesh component can record connection metadata, query timing, source identity, and policy decisions without placing the full audit workload on PostgreSQL itself. That makes it easier to keep logging always on in production, especially for high-throughput environments. It also helps when the audit goal is to prove where traffic came from, which NHI or workload identity initiated it, and whether it matched expected access paths under NIST Cybersecurity Framework 2.0.
- Use native logging when you need statement detail, object-level tracing, or evidentiary quality for investigations.
- Use proxy logging when you need lower overhead, broad coverage, and consistent capture across many databases.
- Combine both when the proxy provides always-on telemetry and the database supplies selective forensic depth.
For NHI-heavy environments, align the logging source with the identity layer. The NHI Lifecycle Management Guide is useful here because it ties observability to issuance, rotation, revocation, and offboarding. These controls tend to break down when applications use connection pooling, shared service accounts, or short-lived batch jobs because attribution to the original workload becomes ambiguous.
Common Variations and Edge Cases
Tighter audit logging often increases storage, performance, and operational overhead, so organisations have to balance forensic depth against database stability. That tradeoff is especially real in mixed workloads where transactional systems, analytics jobs, and automated agents all hit the same PostgreSQL estate. There is no universal standard for this yet, but current guidance suggests choosing the lowest layer that still answers your primary question.
Proxy logging can miss SQL semantics, parameter values, and in-database privilege changes, so it is weaker for insider investigations and detailed compliance reviews. Native auditing can miss context about upstream caller identity if applications reuse pooled connections or if multiple NHIs share the same database role. Best practice is evolving toward layered visibility: proxy logs for coarse attribution, native logs for high-risk tables and privileged actions, and alerts tied to NHI lifecycle events such as credential rotation or revocation.
That layered model is most useful where database access is driven by NHIs with long-lived credentials or wide privileges. The Ultimate Guide to NHIs — Key Challenges and Risks notes how visibility gaps amplify exposure across machine identities, which is why audit design should be treated as part of identity governance rather than as a logging-only decision.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-06 | Auditability of non-human actions is central to choosing proxy or native logging. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring depends on choosing logging that reliably records database activity. |
| NIST CSF 2.0 | PR.AA-5 | Identity-based access needs traceability for NHIs using PostgreSQL. |
Capture NHI activity at the layer that preserves attribution, then validate logs are complete and tamper-resistant.
