System Event Audit Messages
Note
Available only in MongoDB Enterprise and MongoDB Atlas.
Audit Message
The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing.
The recorded JSON messages have the following syntax:
{ atype: <String>, ts : { "$date": <timestamp> }, local: { ip: <String>, port: <int> }, remote: { ip: <String>, port: <int> }, users : [ { user: <String>, db: <String> }, ... ], roles: [ { role: <String>, db: <String> }, ... ], param: <document>, result: <int> }
Field | Type | Description |
---|---|---|
atype | string | Action type. See Audit Event Actions, Details, and Results. |
ts | document | Document that contains the date and UTC time of the event, in ISO
8601 format. |
local | document | Document that contains the local ip address and the port
number of the running instance. |
remote | document | Document that contains the remote ip address and the port number of
the incoming connection associated with the event. |
users | array | Array of user identification documents. Because MongoDB allows a
session to log in with different user per database, this array can
have more than one user. Each document contains a user field for
the username and a db field for the authentication database for
that user. |
roles | array | Array of documents that specify the roles granted to the user. Each document contains a
role field for the name of the role and a db field for the
database associated with the role. |
param | document | Specific details for the event. See Audit Event Actions, Details, and Results. |
result | integer | Error code. See Audit Event Actions, Details, and Results. |
Audit Event Actions, Details, and Results
The following table lists for each atype
or action type, the
associated param
details and the result
values, if any.
atype | param | result | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| 0 - Success18 - Authentication Failed334 - Mechanism Unavailable | ||||||||||||||||||
|
ns field is optional.args field may be redacted. | 0 - Success13 - Unauthorized to perform the operation.By default, the auditing system logs only the authorization
failures. To enable the system to log authorization successes, use
the | ||||||||||||||||||
| 0 - Success | |||||||||||||||||||
createDatabase |
| 0 - Success | ||||||||||||||||||
| 0 - Success | |||||||||||||||||||
renameCollection |
| 0 - Success | ||||||||||||||||||
| 0 - Success | |||||||||||||||||||
| 0 - Success | |||||||||||||||||||
| 0 - Success | |||||||||||||||||||
The | 0 - Success | |||||||||||||||||||
| 0 - Success | |||||||||||||||||||
dropAllUsersFromDatabase |
| 0 - Success | ||||||||||||||||||
updateUser |
The | 0 - Success | ||||||||||||||||||
grantRolesToUser |
| 0 - Success | ||||||||||||||||||
revokeRolesFromUser |
| 0 - Success | ||||||||||||||||||
The For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success | |||||||||||||||||||
updateRole |
The For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success | ||||||||||||||||||
| 0 - Success | |||||||||||||||||||
dropAllRolesFromDatabase |
| 0 - Success | ||||||||||||||||||
grantRolesToRole |
| 0 - Success | ||||||||||||||||||
revokeRolesFromRole |
| 0 - Success | ||||||||||||||||||
grantPrivilegesToRole |
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success | ||||||||||||||||||
revokePrivilegesFromRole |
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success | ||||||||||||||||||
replSetReconfig |
For details on the replica set configuration document, see Replica Set Configuration. | 0 - Success | ||||||||||||||||||
| 0 - Success | |||||||||||||||||||
shardCollection |
| 0 - Success | ||||||||||||||||||
When a shard is a replica set, the | 0 - Success | |||||||||||||||||||
| 0 - Success | |||||||||||||||||||
| 0 - Success | |||||||||||||||||||
Indicates commencement of database shutdown. | 0 - Success | |||||||||||||||||||
| 0 - Success |
[1] | Enabling auditAuthorizationSuccess degrades performance
more than logging only the authorization failures. |