-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
auditing.txt
110 lines (81 loc) · 3.75 KB
/
auditing.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
.. _auditing:
=================================
Auditing Self-Managed Deployments
=================================
.. default-domain:: mongodb
.. contents:: On this page
:local:
:backlinks: none
:depth: 1
:class: singlecol
.. note:: Auditing in {+atlas+}
{+atlas+} supports auditing for ``M10`` and larger clusters.
To learn more, see :ref:`<set-up-database-auditing>` in the {+atlas+}
documentation.
MongoDB Enterprise includes an auditing capability for
:binary:`~bin.mongod` and :binary:`~bin.mongos` instances. The auditing
facility allows administrators and users to track system activity for
deployments with multiple users and applications.
Enable and Configure Audit Output
---------------------------------
The auditing facility can write audit events to the console, the
:term:`syslog`, a JSON file, or a BSON file. To enable auditing in
MongoDB Enterprise, set an audit output destination with
:option:`--auditDestination <mongod --auditDestination>`. For details,
see :doc:`/tutorial/configure-auditing`.
For information on the audit log messages, see :doc:`/reference/audit-message`.
.. _auditing-audit-events-and-filter:
Audit Events and Filter
-----------------------
Once enabled, the auditing system can record the following operations
[#transactions]_:
- schema (DDL),
- replica set and sharded cluster,
- authentication and authorization, and
- CRUD operations (requires :parameter:`auditAuthorizationSuccess` set to ``true``).
.. note::
Starting in MongoDB 5.0, :term:`secondaries <secondary>` do not log
DDL audit events for replicated changes. DDL audit events are still
logged for DDL operations that modify the :ref:`local database
<replica-set-local-database>` and the :data:`system.profile
<<database>.system.profile>` collection.
For details on audited actions, see :ref:`audit-message-format`.
With the auditing system, you can :ref:`set up filters <audit-filter>` to restrict the
events captured. To set up filters, see :doc:`/tutorial/configure-audit-filters`.
.. [#transactions]
Operations in an aborted transaction still generate audit events.
However, there is no audit event that indicates that the transaction
aborted.
Audit Guarantee
---------------
The auditing system writes every audit event [#filter]_ to an
in-memory buffer of audit events. MongoDB writes this buffer to disk
periodically. For events collected from any single connection, the
events have a total order: if MongoDB writes one event to disk, the
system guarantees that it has written all prior events for that
connection to disk.
If an audit event entry corresponds to an operation that affects the
durable state of the database, such as a modification to data, MongoDB
will always write the audit event to disk *before* writing to the
:term:`journal` for that entry.
That is, before adding an operation to the journal, MongoDB writes all
audit events on the connection that triggered the operation, up to and
including the entry for the operation.
.. warning::
MongoDB may lose events **if** the server terminates before it
commits the events to the audit log. The client may receive
confirmation of the event before MongoDB commits to the audit log.
For example, while auditing an aggregation operation, the server
might terminate after returning the result but before the audit log
flushes.
In addition, if the server cannot write to the audit log at the
:option:`audit destination <mongod --auditDestination>`, the server
will terminate.
.. [#filter] Audit configuration can include a :ref:`filter
<audit-filter>` to limit events to audit.
.. toctree::
:titlesonly:
:hidden:
Configure </tutorial/configure-auditing>
Configure Filters </tutorial/configure-audit-filters>
Audit Messages </reference/audit-message>