Auditing

New in version 2.6.

MongoDB Enterprise includes an auditing capability formongod and mongos instances. The auditingfacility allows administrators and users to track system activity fordeployments with multiple users and applications.

Enable and Configure Audit Output

The auditing facility can write audit events to the console, the syslog, a JSONfile, or a BSON file. To enable auditing for MongoDB Enterprise, seeConfigure Auditing.

For information on the audit log messages, see System Event Audit Messages.

Audit Events and Filter

Once enabled, the auditing system can record the following operations [1]:

  • schema (DDL),
  • replica set and sharded cluster,
  • authentication and authorization, and
  • CRUD operations (requires auditAuthorizationSuccess set to true).

For details on audited actions, see Audit Event Actions, Details, and Results.

With the auditing system, you can set up filters to restrict theevents captured. To set up filters, see Configure Audit Filters.

[1]Operations in an aborted transaction still generate audit events.However, there is no audit event that indicates that the transactionaborted.

Audit Guarantee

The auditing system writes every audit event [2] to anin-memory buffer of audit events. MongoDB writes this buffer to diskperiodically. For events collected from any single connection, theevents have a total order: if MongoDB writes one event to disk, thesystem guarantees that it has written all prior events for thatconnection to disk.

If an audit event entry corresponds to an operation that affects thedurable state of the database, such as a modification to data, MongoDBwill always write the audit event to disk before writing to thejournal for that entry.

That is, before adding an operation to the journal, MongoDB writes allaudit events on the connection that triggered the operation, up to andincluding the entry for the operation.

These auditing guarantees require that MongoDB run withjournaling enabled.

Warning

MongoDB may lose events if the server terminatesbefore it commits the events to the audit log. The client mayreceive confirmation of the event before MongoDB commits to theaudit log. For example, while auditing an aggregation operation, theserver might crash after returning the result but before the auditlog flushes.

[2]Audit configuration can include a filter to limit events to audit.