How to decrypt audit logs?

stepcheung · April 21, 2024, 10:52am

Hello! We are working on the audit log encryption and use local audit key file for testing.
Configuration File Options — MongoDB Manual

We are able to encrypt the audit log and export those logs to a JSON file, which is good.

{"ts":{"$date":{"$numberLong":"1713424552181"}},"log":"<redacted_encrypted_string>"}

However, how do we decrypt the string and read the log? We know there is an admin command (getLog) to check the logs. But according to the document, it is not an appropriate way to check the audit logs since there is a 1024 limit.

getLog — MongoDB Manual

We have also tried to decrypt the string using openssl, but we are not able to do so, since we do not know the “IV”. It would be appreciated if someone can have a detailed guide to decrypt the audit logs. Thanks a lot!

chris · April 22, 2024, 4:54pm

Hi @stepcheung

The mongocli can be used to decrypt audit logs.

With all enterprise tooling you should have access to MongoDB support, I always recommend you open a support case with them for definitive answers.

mongocli  ops-manager logs decrypt -h
Decrypts an audit log file with the provided local key file or with a server that supports KMIP.

stepcheung · April 24, 2024, 7:54am

Hi @chris , thanks for your prompt reply. Apart from using mongocli, is it possible to do it with openssl?

chris · April 25, 2024, 11:14pm

Not aware of one, but I haven’t looked either.