Docs Menu
Docs Home
/
MongoDB Manual
/
Security
/
Auditing

System Event Audit Messages

On this page

  • Audit Message
  • Audit Event Actions, Details, and Results

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

Audit Message

The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing.

The recorded JSON messages have the following syntax:

{
  atype: <String>,
  ts : { "$date": <timestamp> },
  local: { ip: <String>, port: <int> },
  remote: { ip: <String>, port: <int> },
  users : [ { user: <String>, db: <String> }, ... ],
  roles: [ { role: <String>, db: <String> }, ... ],
  param: <document>,
  result: <int>
}
Field
Type
Description
atype
string
ts
document
Document that contains the date and UTC time of the event, in ISO 8601 format.
local
document
Document that contains the local ip address and the port number of the running instance.
remote
document
Document that contains the remote ip address and the port number of the incoming connection associated with the event.
users
array
Array of user identification documents. Because MongoDB allows a session to log in with different user per database, this array can have more than one user. Each document contains a user field for the username and a db field for the authentication database for that user.
roles
array
Array of documents that specify the roles granted to the user. Each document contains a role field for the name of the role and a db field for the database associated with the role.
param
document
Specific details for the event. See Audit Event Actions, Details, and Results.
result
integer

Audit Event Actions, Details, and Results

The following table lists for each atype or action type, the associated param details and the result values, if any.

atype
param
result

authenticate

{
  user: <user name>,
  db: <database>,
  mechanism: <mechanism>
}
0 - Success
18 - Authentication Failed
334 - Mechanism Unavailable

authCheck

{
  command: <name>,
  ns: <database>.<collection>,
  args: <command object>
}
ns field is optional.
args field may be redacted.
0 - Success
13 - Unauthorized to perform the operation.

By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the auditAuthorizationSuccess parameter. [1]

{ ns: <database>.<collection> }
0 - Success
createDatabase
{ ns: <database> }
0 - Success
{
  ns: <database>.<collection>,
  indexName: <index name>,
  indexSpec: <index specification>
}
0 - Success
renameCollection
{
  old: <database>.<collection>,
  new: <database>.<collection>
}
0 - Success
{ ns: <database>.<collection> }
0 - Success
{ ns: <database> }
0 - Success
{
  ns: <database>.<collection>,
  indexName: <index name>
}
0 - Success
{
  user: <user name>,
  db: <database>,
  customData: <document>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

The customData field is optional.

0 - Success
{
  user: <user name>,
  db: <database>
}
0 - Success
dropAllUsersFromDatabase
{ db: <database> }
0 - Success
updateUser
{
  user: <user name>,
  db: <database>,
  passwordChanged: <boolean>,
  customData: <document>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

The customData field is optional.

0 - Success
grantRolesToUser
{
  user: <user name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
revokeRolesFromUser
{
  user: <user name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ],
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

The roles and the privileges fields are optional.

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success
updateRole
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ],
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

The roles and the privileges fields are optional.

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success
{
  role: <role name>,
  db: <database>
}
0 - Success
dropAllRolesFromDatabase
{ db: <database> }
0 - Success
grantRolesToRole
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
revokeRolesFromRole
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
grantPrivilegesToRole
{
  role: <role name>,
  db: <database>,
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success
revokePrivilegesFromRole
{
  role: <role name>,
  db: <database name>,
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success
replSetReconfig
{
  old: {
   _id: <replicaSetName>,
   version: <number>,
   ...
   members: [ ... ],
   settings: { ... }
  },
  new: {
   _id: <replicaSetName>,
   version: <number>,
   ...
   members: [ ... ],
   settings: { ... }
  }
}

For details on the replica set configuration document, see Replica Set Configuration.

0 - Success
{ ns: <database> }
0 - Success
shardCollection
{
  ns: <database>.<collection>,
  key: <shard key pattern>,
  options: { unique: <boolean> }
}
0 - Success
{
  shard: <shard name>,
  connectionString: <hostname>:<port>,
  maxSize: <maxSize>
}

When a shard is a replica set, the connectionString includes the replica set name and can include other members of the replica set.

0 - Success
{
  ns: <database>.<collection>,
  key: <shard key pattern>
}
0 - Success
{ shard: <shard name> }
0 - Success
{ }

Indicates commencement of database shutdown.

0 - Success
{ msg: <custom message string> }

See logApplicationMessage.

0 - Success
[1] Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.

Back

Configure Audit Filters

Next

Network and Configuration Hardening