Entries should be made only when statement execution fails because the user did not have the privilege set necessary to perform the request.
DENIALS is applied to only those actions listed in the BEGIN LOGGING request that contains it.
For example, two BEGIN LOGGING requests can specify the same object, user, and action, but different frequency and DENIALS options. This allows the user to log all denials, but only the first successful use of a privilege.
If this option is not specified, a log entry is made if the privilege check either fails or succeeds.
Also see the row-level security section for the operation variable later in this table.