I am auditing all database activity via audit using config setting auditAuthorizationSuccess: true. With this all crud activity is captured including the data values. Some of this info is nppi which shows as plain text in a json audit log. Is there any way to mask this data in the audit log to be able to show the crud operation but masking some values and displaying others? Or, is audit an all-or-nothing function displaying all values all the time? If it’s not possible in audit, is there another way to mask the data before it goes out to the file’s consumers i.e Splunk?
Welcome to the community @JamesT!
Can you confirm the specific version of MongoDB server you are using and whether this is self-hosted or managed (eg MongoDB Atlas)?
I have 4.0.18 and 4.2.8 in-house rhel 7 servers. Both versions perform the same.
Did you end up with an answer? I think you can use regex in the db audit configuration json config.
I have not; and, would you be able to provide an example of how you’d setup the regex to do this.