System Event Audit Messages
Note
Available only in MongoDB Enterprise and MongoDB Atlas.
Audit Message
The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing.
Changed in version 5.0.
The recorded JSON messages have the following syntax:
{ atype: <string>, ts : { $date: <timestamp> }, uuid : { $binary: <string>, $type: <string> }, local: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> }, remote: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> }, users : [ { user: <string>, db: <string> }, ... ], roles: [ { role: <string>, db: <string> }, ... ], param: <document>, result: <int> }
Field | Type | Description |
---|---|---|
atype | string | Action type. See Audit Event Actions, Details, and Results. |
ts | document | Document that contains the date and UTC time of the event, in ISO
8601 format. |
| document | Document that contains a universally unique identifier (UUID) for
the audit message. The New in version 5.0. |
| document | A document that contains the Starting in MongoDB 5.0, can alternatively be a document with one of these fields:
NoteStarting in MongoDB 5.0, the Changed in version 5.0. |
remote | document | A document that contains the Starting in MongoDB 5.0, can alternatively be a document with one of these fields:
Changed in version 5.0. |
users | array | Array of user identification documents. Because MongoDB allows a
session to log in with different user per database, this array can
have more than one user. Each document contains a user field for
the username and a db field for the authentication database for
that user. |
roles | array | Array of documents that specify the roles granted to the user. Each document contains a
role field for the name of the role and a db field for the
database associated with the role. |
param | document | Specific details for the event. See Audit Event Actions, Details, and Results. |
result | integer | Error code. See Audit Event Actions, Details, and Results. |
Audit Event Actions, Details, and Results
The following table lists for each atype
or action type, the
associated param
details and the result
values, if any.
atype | param | result | |||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Starting in MongoDB 5.0,
Changed in version 5.0. | 0 - Success18 - Authentication Failed334 - Mechanism Unavailable | |||||||||||||||||||||||||
|
ns field is optional.args field may be redacted.By default, the auditing system logs only the authorization
failures. To enable the system to log authorization successes,
use the Enabling Starting in MongoDB 5.0, Changed in version 5.0. | 0 - Success13 - Unauthorized to perform the operation. | |||||||||||||||||||||||||
|
Contains the client metadata. Logged when the client runs the
New in version 5.0. | 0 - Success | |||||||||||||||||||||||||
Logged when a:
Starting in MongoDB 5.0, this additional information is logged for a view:
Changed in version 5.0. | 0 - Success | ||||||||||||||||||||||||||
createDatabase |
| 0 - Success | |||||||||||||||||||||||||
Possible values for
Starting in MongoDB 5.0,
Changed in version 5.0. | 0 - Success276 - Index build aborted.The audit message contains result code | ||||||||||||||||||||||||||
|
Logged when a database operation directly modifies the contents
of the New in version 5.0. | 0 - Success | |||||||||||||||||||||||||
renameCollection |
| 0 - Success | |||||||||||||||||||||||||
Logged when a:
Starting in MongoDB 5.0, this additional information is logged for a view:
In addition, starting in MongoDB 5.0, a
Changed in version 5.0. | 0 - Success26 - NamespaceNotFound If the collection or view does not exist, the audit message shows
the return code as | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
The | 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
dropAllUsersFromDatabase |
| 0 - Success | |||||||||||||||||||||||||
|
| 0 - Success | |||||||||||||||||||||||||
|
| 0 - Success | |||||||||||||||||||||||||
|
Logged when a parameter is changed because of:
| 0 - Success | |||||||||||||||||||||||||
updateUser |
The | 0 - Success | |||||||||||||||||||||||||
grantRolesToUser |
| 0 - Success | |||||||||||||||||||||||||
revokeRolesFromUser |
| 0 - Success | |||||||||||||||||||||||||
The For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success | ||||||||||||||||||||||||||
updateRole |
The For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success | |||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
dropAllRolesFromDatabase |
| 0 - Success | |||||||||||||||||||||||||
grantRolesToRole |
| 0 - Success | |||||||||||||||||||||||||
revokeRolesFromRole |
| 0 - Success | |||||||||||||||||||||||||
grantPrivilegesToRole |
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success | |||||||||||||||||||||||||
revokePrivilegesFromRole |
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. | 0 - Success | |||||||||||||||||||||||||
replSetReconfig |
For details on the replica set configuration document, see Replica Set Configuration. | 0 - Success | |||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
shardCollection |
| 0 - Success | |||||||||||||||||||||||||
When a shard is a replica set, the | 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
Indicates commencement of database shutdown. | 0 - Success | ||||||||||||||||||||||||||
| 0 - Success | ||||||||||||||||||||||||||
|
New in version 5.0. | 0 - Success | |||||||||||||||||||||||||
|
New in version 5.0. Changed in version 6.1. | 0 - Success |