System Event Audit Messages in Self-Managed Deployments
Note
System Event Audit Messages are available in MongoDB Enterprise and MongoDB Atlas.
To learn more about this feature in MongoDB Atlas, see the Atlas documentation for Set Up Database Auditing and View and Download MongoDB Logs.
Audit Message
The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing on Self-Managed Deployments.
Changed in version 5.0.
The recorded JSON messages have the following syntax:
{ atype: <string>, ts : { $date: <timestamp> }, uuid : { $binary: <string>, $type: <string> }, local: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> }, remote: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> }, users : [ { user: <string>, db: <string> }, ... ], roles: [ { role: <string>, db: <string> }, ... ], param: <document>, result: <int> }
Field | Type | Description |
---|---|---|
atype | string | Action type. See Audit Event Actions, Details, and Results. |
ts | document | Document that contains the date and UTC time of the event, in ISO
8601 format. |
| document | A document that contains a message identifier. The UUID identifies a client connection. Use the UUID to track audit events connected to that client. The value of the New in version 5.0. |
| document | A document that contains the Starting in MongoDB 5.0, can alternatively be a document with one of these fields:
NoteStarting in MongoDB 5.0, the Changed in version 5.0. |
remote | document | A document that contains the Starting in MongoDB 5.0, can alternatively be a document with one of these fields:
Changed in version 5.0. |
users | array | Array of user identification documents. Because MongoDB allows a
session to log in with different user per database, this array can
have more than one user. Each document contains a user field for
the username and a db field for the authentication database for
that user. |
roles | array | Array of documents that specify the roles granted to the user. Each document contains a
role field for the name of the role and a db field for the
database associated with the role. |
param | document | Specific details for the event. See Audit Event Actions, Details, and Results. |
result | integer | Error code. See Audit Event Actions, Details, and Results. |
Audit Event Actions, Details, and Results
The following table lists for each atype
or action type, the
associated param
details and the result
values, if any.
atype | param | result | |||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Starting in MongoDB 5.0,
Changed in version 5.0. | 0 - Success18 - Authentication Failed334 - Mechanism Unavailable | |||||||||||||||||||||||||
|
ns field is optional.args field may be redacted.By default, the auditing system logs only the authorization
failures. To enable the system to log authorization successes,
use the Enabling Starting in MongoDB 5.0, Changed in version 5.0. | 0 - Success13 - Unauthorized to perform the operation. | |||||||||||||||||||||||||
|
Contains the client metadata. Logged when the client runs the
New in version 5.0. | 0 - Success | |||||||||||||||||||||||||
Logged when a:
Starting in MongoDB 5.0, this additional information is logged for a view:
Changed in version 5.0. | 0 - Success | ||||||||||||||||||||||||||
createDatabase |
| 0 - Success | |||||||||||||||||||||||||
Possible values for
Starting in MongoDB 5.0,
Changed in version 5.0. | 0 - Success276 - Index build aborted.The audit message contains result code | ||||||||||||||||||||||||||
|
Logged when a database operation directly modifies the contents
of the New in version 5.0. | 0 - Success | |||||||||||||||||||||||||
renameCollection |
| 0 - Success | |||||||||||||||||||||||||
Logged when a:
Starting in MongoDB 5.0, this additional information is logged for a view:
In addition, starting in MongoDB 5.0, a
Changed in version 5.0. | 0 - Success26 - NamespaceNotFound If the collection or view does not exist, the audit message shows
the return code as | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
The | 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
dropAllUsersFromDatabase |
| 0 - Success | |||||||||||||||||||||||||
updateUser |
The | 0 - Success | |||||||||||||||||||||||||
grantRolesToUser |
| 0 - Success | |||||||||||||||||||||||||
revokeRolesFromUser |
| 0 - Success | |||||||||||||||||||||||||
The For details on the resource document, see Resource Document on Self-Managed Deployments. For a list of actions, see Privilege Actions for Self-Managed Deployments. | 0 - Success | ||||||||||||||||||||||||||
updateRole |
The For details on the resource document, see Resource Document on Self-Managed Deployments. For a list of actions, see Privilege Actions for Self-Managed Deployments. | 0 - Success | |||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
dropAllRolesFromDatabase |
| 0 - Success | |||||||||||||||||||||||||
grantRolesToRole |
| 0 - Success | |||||||||||||||||||||||||
revokeRolesFromRole |
| 0 - Success | |||||||||||||||||||||||||
grantPrivilegesToRole |
For details on the resource document, see Resource Document on Self-Managed Deployments. For a list of actions, see Privilege Actions for Self-Managed Deployments. | 0 - Success | |||||||||||||||||||||||||
revokePrivilegesFromRole |
For details on the resource document, see Resource Document on Self-Managed Deployments. For a list of actions, see Privilege Actions for Self-Managed Deployments. | 0 - Success | |||||||||||||||||||||||||
replSetReconfig |
For details on the replica set configuration document, see Self-Managed Replica Set Configuration. | 0 - Success | |||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
shardCollection |
| 0 - Success | |||||||||||||||||||||||||
When a shard is a replica set, the | 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
Indicates commencement of database shutdown. | 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
|
New in version 5.0. | 0 - Success | |||||||||||||||||||||||||
|
The New in version 5.0. | 0 - Success |