Audit Events

Auditing is only available in theEnterprise Edition,also available as managed service.

Unless otherwise noted, all events are logged to their respective topics at theinfo level. To suppress events from a given topic, set the topic to the warnlevel or higher. By default, each topic will be set to the most verbose levelat which events are logged (either debug or info) so that all events arelogged.

Authentication

Unknown authentication methods

  1. 2016-10-03 15:44:23 | server1 | audit-authentication | n/a | database1 | 127.0.0.1:61525 | n/a | unknown authentication method | /_api/version

This message will occur when a request contains an Authorization header withan unknown authentication method. Typically, only basic and bearer areaccepted.

Missing credentials

  1. 2016-10-03 15:39:49 | server1 | audit-authentication | n/a | database1 | 127.0.0.1:61498 | n/a | credentials missing | /_api/version

This message will occur when authentication is enabled and a request omits anAuthorization header. Note that this may naturally occur when making aninitial request to e.g. log in or load the web interface. For this reason, wehave logged these low-priority events at the debug level.

Wrong credentials

  1. 2016-10-03 15:47:26 | server1 | audit-authentication | n/a | database1 | 127.0.0.1:61528 | http basic | credentials wrong | /_api/version

or

  1. 2016-10-03 17:21:22 | server1 | audit-authentication | root | database1 | 127.0.0.1:64214 | http jwt | user 'root' wrong credentials | /_open/auth

Please note, that the user given as fourth part is the user that requestedthe login. In general it may be unavailable.

This message will occur when a user makes an attempt to log in with incorrectcredentials, or passes a JWT with invalid credentials.

JWT login succeeded

  1. 2016-10-03 17:21:22 | server1 | audit-authentication | root | database1 | 127.0.0.1:64214 | http jwt | user 'root' authenticated | /_open/auth

Please note, that the user given as fourth part is the user that requested the login.

The message will occur when a user successfully logs in and is given a JWT tokenfor further use.

Authorization

User not authorized to access database

  1. 2016-10-03 16:20:52 | server1 | audit-authorization | user1 | database2 | 127.0.0.1:62262 | http basic | not authorized | /_api/version

This message will occur when a user attempts to access a database in a manner inwhich they have not been granted access.

Databases

Create a database

  1. 2016-10-04 15:33:25 | server1 | audit-database | user1 | database1 | 127.0.0.1:56920 | http basic | create database 'database1' | ok | /_api/database

This message will occur whenever a user attempts to create a database. Ifsuccessful, the status will read ok, otherwise failed.

Drop a database

  1. 2016-10-04 15:33:25 | server1 | audit-database | user1 | database1 | 127.0.0.1:56920 | http basic | delete database 'database1' | ok | /_api/database

This message will occur whenever a user attempts to drop a database. Ifsuccessful, the status will read ok, otherwise failed.

Collections

Create a collection

  1. 2016-10-05 17:35:57 | server1 | audit-collection | user1 | database1 | 127.0.0.1:51294 | http basic | create collection 'collection1' | ok | /_api/collection

This message will occur whenever a user attempts to create a collection. Ifsuccessful, the status will read ok, otherwise failed.

Truncate a collection

  1. 2016-10-05 17:36:08 | server1 | audit-collection | user1 | database1 | 127.0.0.1:51294 | http basic | truncate collection 'collection1' | ok | /_api/collection/collection1/truncate

This message will occur whenever a user attempts to truncate a collection. Ifsuccessful, the status will read ok, otherwise failed.

Drop a collection

  1. 2016-10-05 17:36:30 | server1 | audit-collection | user1 | database1 | 127.0.0.1:51294 | http basic | delete collection 'collection1' | ok | /_api/collection/collection1

This message will occur whenever a user attempts to drop a collection. Ifsuccessful, the status will read ok, otherwise failed.

Indexes

Create a index

  1. 2016-10-05 18:19:40 | server1 | audit-collection | user1 | database1 | 127.0.0.1:52467 | http basic | create index in 'collection1' | ok | {"fields":["a"],"sparse":false,"type":"skiplist","unique":false} | /_api/index?collection=collection1

This message will occur whenever a user attempts to create an index. Ifsuccessful, the status will read ok, otherwise failed.

Drop a index

  1. 2016-10-05 18:18:28 | server1 | audit-collection | user1 | database1 | 127.0.0.1:52464 | http basic | drop index 'collection1/44051' | ok | /_api/index/collection1/44051

This message will occur whenever a user attempts to drop an index. Ifsuccessful, the status will read ok, otherwise failed.

Documents

If statistics are enabled, the system will periodically perform several documentoperations on a few system collections. These low-priority operations are loggedto the audit-document topic at the debug level.

Reading a single document

  1. 2016-10-04 12:27:55 | server1 | audit-document | user1 | database1 | 127.0.0.1:53699 | http basic | read document in 'collection1' | ok | /_api/document/collection1

This message will occur whenever a user attempts to read a document. Ifsuccessful, the status will read ok, otherwise failed.

Creating a single document

  1. 2016-10-04 12:27:55 | server1 | audit-document | user1 | database1 | 127.0.0.1:53699 | http basic | create document in 'collection1' | ok | /_api/document/collection1

This message will occur whenever a user attempts to create a document. Ifsuccessful, the status will read ok, otherwise failed.

Replacing a single document

  1. 2016-10-04 12:28:08 | server1 | audit-document | user1 | database1 | 127.0.0.1:53699 | http basic | replace document 'collection1/21456' | ok | /_api/document/collection1/21456?ignoreRevs=false

This message will occur whenever a user attempts to replace a document. Ifsuccessful, the status will read ok, otherwise failed.

Modifying a single document

  1. 2016-10-04 12:28:15 | server1 | audit-document | user1 | database1 | 127.0.0.1:53699 | http basic | modify document 'collection1/21456' | ok | /_api/document/collection1/21456?keepNull=true&ignoreRevs=false

This message will occur whenever a user attempts to update a document. Ifsuccessful, the status will read ok, otherwise failed.

Deleting a single document

  1. 2016-10-04 12:28:23 | server1 | audit-document | user1 | database1 | 127.0.0.1:53699 | http basic | delete document 'collection1/21456' | ok | /_api/document/collection1/21456?ignoreRevs=false

This message will occur whenever a user attempts to delete a document. Ifsuccessful, the status will read ok, otherwise failed.

Queries

  1. 2016-10-06 12:12:10 | server1 | audit-document | user1 | database1 | 127.0.0.1:54232 | http basic | query document | ok | for i in collection1 return i | /_api/cursor

This message will occur whenever a user attempts to execute a query. Ifsuccessful, the status will read ok, otherwise failed.