System Event Audit Messages

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

Audit Message

The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing.

The recorded JSON messages have the following syntax:

    {
      atype: <String>,
      ts : { "$date": <timestamp> },
      local: { ip: <String>, port: <int> },
      remote: { ip: <String>, port: <int> },
      users : [ { user: <String>, db: <String> }, ... ],
      roles: [ { role: <String>, db: <String> }, ... ],
      param: <document>,
      result: <int>
    }

| Field | Type | Description |
|-------|------|-------------|
| atype | string | Action type. See Audit Event Actions, Details, and Results. |
| ts | document | Document that contains the date and UTC time of the event, in ISO 8601 format. |
| local | document | Document that contains the local IP address and the port number of the running instance. |
| remote | document | Document that contains the remote IP address and the port number of the incoming connection associated with the event. |
| users | array | Array of user identification documents. Because MongoDB allows a session to log in with a different user per database, this array can have more than one user. Each document contains a user field for the username and a db field for the authentication database for that user. |
| roles | array | Array of documents that specify the roles granted to the user. Each document contains a role field for the name of the role and a db field for the database associated with the role. |
| param | document | Specific details for the event. See Audit Event Actions, Details, and Results. |
| result | integer | Error code. See Audit Event Actions, Details, and Results. |

Audit Event Actions, Details, and Results

The following table lists, for each atype or action type, the associated param details and the result values, if any.

| atype | param | result |
|-------|-------|--------|
| authenticate | `{ user: <user name>, db: <database>, mechanism: <mechanism> }` | 0 - Success. 18 - Authentication Failed. |
| authCheck | `{ command: <name>, ns: <database>.<collection>, args: <command object> }` The ns field is optional. The args field may be redacted. | 0 - Success. 13 - Unauthorized to perform the operation. By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the auditAuthorizationSuccess parameter. [1] |
| createCollection | `{ ns: <database>.<collection> }` | 0 - Success |
| createDatabase | `{ ns: <database> }` | 0 - Success |
| createIndex | `{ ns: <database>.<collection>, indexName: <index name>, indexSpec: <index specification> }` | 0 - Success |
| renameCollection | `{ old: <database>.<collection>, new: <database>.<collection> }` | 0 - Success |
| dropCollection | `{ ns: <database>.<collection> }` | 0 - Success |
| dropDatabase | `{ ns: <database> }` | 0 - Success |
| dropIndex | `{ ns: <database>.<collection>, indexName: <index name> }` | 0 - Success |
| createUser | `{ user: <user name>, db: <database>, customData: <document>, roles: [ { role: <role name>, db: <database> }, ... ] }` The customData field is optional. | 0 - Success |
| dropUser | `{ user: <user name>, db: <database> }` | 0 - Success |
| dropAllUsersFromDatabase | `{ db: <database> }` | 0 - Success |
| updateUser | `{ user: <user name>, db: <database>, passwordChanged: <boolean>, customData: <document>, roles: [ { role: <role name>, db: <database> }, ... ] }` The customData field is optional. | 0 - Success |
| grantRolesToUser | `{ user: <user name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }` | 0 - Success |
| revokeRolesFromUser | `{ user: <user name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }` | 0 - Success |
| createRole | `{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ], privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] }` The roles and the privileges fields are optional. For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success |
| updateRole | `{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ], privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] }` The roles and the privileges fields are optional. For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success |
| dropRole | `{ role: <role name>, db: <database> }` | 0 - Success |
| dropAllRolesFromDatabase | `{ db: <database> }` | 0 - Success |
| grantRolesToRole | `{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }` | 0 - Success |
| revokeRolesFromRole | `{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }` | 0 - Success |
| grantPrivilegesToRole | `{ role: <role name>, db: <database>, privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] }` For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success |
| revokePrivilegesFromRole | `{ role: <role name>, db: <database name>, privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] }` For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success |
| replSetReconfig | `{ old: { _id: <replicaSetName>, version: <number>, members: [ ], settings: { } }, new: { _id: <replicaSetName>, version: <number>, members: [ ], settings: { } } }` For details on the replica set configuration document, see Replica Set Configuration. | 0 - Success |
| enableSharding | `{ ns: <database> }` | 0 - Success |
| shardCollection | `{ ns: <database>.<collection>, key: <shard key pattern>, options: { unique: <boolean> } }` | 0 - Success |
| addShard | `{ shard: <shard name>, connectionString: <hostname>:<port>, maxSize: <maxSize> }` When a shard is a replica set, the connectionString includes the replica set name and can include other members of the replica set. | 0 - Success |
| removeShard | `{ shard: <shard name> }` | 0 - Success |
| shutdown | `{ }` Indicates commencement of database shutdown. | 0 - Success |
| applicationMessage | `{ msg: <custom message string> }` See logApplicationMessage. | 0 - Success |

[1] Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.
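
The following Python code triages audit lines using the atype and result values listed above: repeated authenticate failures (result 18), authCheck denials (result 13), and successful user, role, or privilege changes. It is an added example, not code from the MongoDB documentation; the names triage and make_line, the failure threshold, and the sample events are constructed for illustration.

```python
import json
from collections import Counter

# atype values from the table above that add or widen users, roles or privileges.
ACCESS_CHANGES = {"createUser", "updateUser", "grantRolesToUser", "createRole",
                  "updateRole", "grantRolesToRole", "grantPrivilegesToRole"}

def make_line(atype, param, result, remote_ip="192.0.2.10", users=()):
    """Build one constructed audit line in the documented message layout."""
    return json.dumps({
        "atype": atype, "ts": {"$date": "2024-01-01T10:00:00.000+00:00"},
        "local": {"ip": "10.0.0.5", "port": 27017},
        "remote": {"ip": remote_ip, "port": 50001},
        "users": [{"user": u, "db": "admin"} for u in users], "roles": [],
        "param": param, "result": result})

def triage(lines, fail_threshold=3):
    """Return (findings, skipped) for an iterable of JSON audit lines."""
    findings, skipped, auth_failures = [], 0, Counter()
    for line in lines:
        try:
            evt = json.loads(line)
            atype, result, param = evt["atype"], evt["result"], evt.get("param", {})
            remote = evt.get("remote", {}).get("ip", "?")
            who = ",".join(f'{u["user"]}@{u["db"]}' for u in evt.get("users", [])) or "-"
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # truncated or malformed line: count it and keep going
            continue
        if atype == "authenticate" and result == 18:
            key = (remote, param.get("user"))
            auth_failures[key] += 1
            if auth_failures[key] == fail_threshold:  # report once per source/user
                findings.append(("auth-failures", remote, param.get("user")))
        elif atype == "authCheck" and result == 13:
            findings.append(("unauthorized", who, param.get("command")))
        elif atype in ACCESS_CHANGES and result == 0:
            findings.append(("access-change", who, atype))
    return findings, skipped

# Constructed sample events, not real log data.
LOGIN = {"user": "app", "db": "admin", "mechanism": "SCRAM-SHA-256"}
SAMPLE = [make_line("authenticate", LOGIN, 18)] * 3 + [
    make_line("authenticate", LOGIN, 0),
    make_line("authCheck", {"command": "find", "ns": "hr.salaries", "args": {}}, 13, users=["app"]),
    make_line("grantRolesToUser", {"user": "app", "db": "admin",
              "roles": [{"role": "root", "db": "admin"}]}, 0, users=["ops"]),
    '{"atype": "shutdown", "ts"',  # truncated line
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because authorization successes are not logged unless auditAuthorizationSuccess is enabled, the authCheck rule here only ever sees denials on a default configuration.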