Auditing Self-Managed Deployments
Note
Auditing in MongoDB Atlas
MongoDB Atlas supports auditing for M10
and larger clusters.
To learn more, see Set Up Database Auditing in the MongoDB Atlas
documentation.
MongoDB Enterprise includes an auditing capability for
mongod
and mongos
instances. The auditing
facility allows administrators and users to track system activity for
deployments with multiple users and applications.
Enable and Configure Audit Output
The auditing facility can write audit events to the console, the
syslog, a JSON file, or a BSON file. To enable auditing in
MongoDB Enterprise, set an audit output destination with
--auditDestination
. For details,
see Configure Auditing on Self-Managed Deployments.
For information on the audit log messages, see System Event Audit Messages in Self-Managed Deployments.
Audit Events and Filter
Once enabled, the auditing system can record the following operations [1]:
schema (DDL),
replica set and sharded cluster,
authentication and authorization, and
CRUD operations (requires
auditAuthorizationSuccess
set totrue
).
Note
Starting in MongoDB 5.0, secondaries do not log
DDL audit events for replicated changes. DDL audit events are still
logged for DDL operations that modify the local database and the system.profile
collection.
For details on audited actions, see Audit Event Actions, Details, and Results.
With the auditing system, you can set up filters to restrict the events captured. To set up filters, see Configure Audit Filters on Self-Managed Deployments.
[1] | Operations in an aborted transaction still generate audit events. However, there is no audit event that indicates that the transaction aborted. |
Audit Guarantee
The auditing system writes every audit event [2] to an in-memory buffer of audit events. MongoDB writes this buffer to disk periodically. For events collected from any single connection, the events have a total order: if MongoDB writes one event to disk, the system guarantees that it has written all prior events for that connection to disk.
If an audit event entry corresponds to an operation that affects the durable state of the database, such as a modification to data, MongoDB will always write the audit event to disk before writing to the journal for that entry.
That is, before adding an operation to the journal, MongoDB writes all audit events on the connection that triggered the operation, up to and including the entry for the operation.
These auditing guarantees require that MongoDB run with
journaling
enabled.
Warning
MongoDB may lose events if the server terminates before it commits the events to the audit log. The client may receive confirmation of the event before MongoDB commits to the audit log. For example, while auditing an aggregation operation, the server might terminate after returning the result but before the audit log flushes.
In addition, if the server cannot write to the audit log at the
audit destination
, the server
will terminate.
[2] | Audit configuration can include a filter to limit events to audit. |