Configure Auditing
Note
Auditing in MongoDB Atlas
MongoDB Atlas supports auditing for all M10 and larger clusters. Atlas supports specifying a JSON-formatted audit filter as documented in Configure Audit Filters and using the Atlas audit filter builder for simplified auditing configuration. To learn more, see the Atlas documentation for Set Up Database Auditing and Configure a Custom Auditing Filter.
MongoDB Enterprise supports auditing of various operations. A complete auditing solution must involve all mongod server and mongos router processes.
The audit facility can write audit events to the console, the syslog (option is unavailable on Windows), a JSON file, or a BSON file. For details on the audited operations and the audit log messages, see System Event Audit Messages.
Enable and Configure Audit Output
Use the --auditDestination option to enable auditing and specify where to output the audit events.
Output to Syslog
To enable auditing and print audit events to the syslog (option is unavailable on Windows) in JSON format, specify syslog for the --auditDestination setting. For example:
mongod --dbpath data/db --auditDestination syslog
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.
Important
Before you bind to other IP addresses, consider enabling access control and other security measures listed in Security Checklist to prevent unauthorized access.
Warning
The syslog message limit can result in the truncation of the audit messages. The auditing system will neither detect the truncation nor error upon its occurrence.
You may also specify these options in the configuration file:
storage:
   dbPath: data/db
auditLog:
   destination: syslog
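The truncation described in the syslog warning above leaves an audit event without its closing brace, so a log consumer can detect it by checking whether each payload still parses as JSON. The following is an added example, not part of the MongoDB documentation; the syslog line layout, the `mongod[` tag match and the sample lines are constructed assumptions.

```python
import json

# Constructed syslog lines (assumed layout "<time> <host> mongod[<pid>]: <json>").
# Line 2 is cut off mid-document, as a message over the syslog limit would be.
SAMPLE_SYSLOG = [
    'Jan 10 12:00:01 db1 mongod[2211]: {"atype": "authenticate", '
    '"users": [{"user": "app", "db": "admin"}], "roles": [], '
    '"param": {"user": "app", "db": "admin"}, "result": 0}',
    'Jan 10 12:00:07 db1 mongod[2211]: {"atype": "createCollection", '
    '"users": [{"user": "app", "db": "adm',
    'Jan 10 12:00:09 db1 sshd[900]: Accepted publickey for ops',
]


def audit_payload(line, tag="mongod["):
    """Return the JSON text of a mongod syslog line, or None for other lines."""
    if tag not in line:
        return None
    start = line.find("{")
    return line[start:] if start != -1 else None


def find_truncated(lines):
    """Return (line_number, payload_bytes, reason) for unparseable audit payloads.

    An audit event is a single JSON document, so any truncation removes its
    closing brace and the payload no longer parses.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        payload = audit_payload(line.rstrip("\n"))
        if payload is None:
            continue
        try:
            json.loads(payload)
        except json.JSONDecodeError as exc:
            size = len(payload.encode("utf-8"))
            findings.append((number, size, exc.msg))
    return findings


if __name__ == "__main__":
    for number, size, reason in find_truncated(SAMPLE_SYSLOG):
        print(f"line {number}: {size}-byte payload does not parse ({reason})")
```

The payload sizes reported for failing lines show where the syslog daemon cuts messages off.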
Output to Console
To enable auditing and print the audit events to standard output (i.e. stdout), specify console for the --auditDestination setting. For example:
mongod --dbpath data/db --auditDestination console
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.
Important
Before you bind to other IP addresses, consider enabling access control and other security measures listed in Security Checklist to prevent unauthorized access.
You may also specify these options in the configuration file:
storage:
   dbPath: data/db
auditLog:
   destination: console
Output to JSON File
To enable auditing and print audit events to a file in JSON format, specify the following options:
Option | Value |
---|---|
--auditDestination | file |
--auditFormat | JSON |
--auditPath | The output filename. Accepts either the full path name or relative path name. |
For example, the following enables auditing and records audit events to a file with the relative path name of data/db/auditLog.json:
mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.
Important
Before you bind to other IP addresses, consider enabling access control and other security measures listed in Security Checklist to prevent unauthorized access.
The audit file is rotated at the same time as the server log file. Rotation specifics may be configured with the systemLog.logRotate configuration file option or the --logRotate command-line option.
You may also specify these options in the configuration file:
storage:
   dbPath: data/db
auditLog:
   destination: file
   format: JSON
   path: data/db/auditLog.json
Note
Printing audit events to a file in JSON format degrades server performance more than printing to a file in BSON format.
Output to BSON File
To enable auditing and print audit events to a file in BSON binary format, specify the following options:
Option | Value |
---|---|
--auditDestination | file |
--auditFormat | BSON |
--auditPath | The output filename. Accepts either the full path name or relative path name. |
For example, the following enables auditing and records audit events to a BSON file with the relative path name of data/db/auditLog.bson:
mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.
Important
Before you bind to other IP addresses, consider enabling access control and other security measures listed in Security Checklist to prevent unauthorized access.
The audit file is rotated at the same time as the server log file. Rotation specifics may be configured with the systemLog.logRotate configuration file option or the --logRotate command-line option.
You may also specify these options in the configuration file:
storage:
   dbPath: data/db
auditLog:
   destination: file
   format: BSON
   path: data/db/auditLog.bson
To view the contents of the file, pass the file to the MongoDB utility bsondump. For example, the following converts the audit log into a human-readable form and outputs it to the terminal:
bsondump data/db/auditLog.bson