System Event Audit Messages

On this page

Audit Message

Audit Event Actions, Details, and Results

This version of the documentation is archived and no longer supported. View the current documentation to learn how to upgrade your version of MongoDB.

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

Audit Message

The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing.

The recorded JSON messages have the following syntax:

{
  atype: <String>,
  ts : { "$date": <timestamp> },
  local: { ip: <String>, port: <int> },
  remote: { ip: <String>, port: <int> },
  users : [ { user: <String>, db: <String> }, ... ],
  roles: [ { role: <String>, db: <String> }, ... ],
  param: <document>,
  result: <int>
}

Field	Type	Description
`atype`	string	Action type. See Audit Event Actions, Details, and Results.
`ts`	document	Document that contains the date and UTC time of the event, in ISO 8601 format.
`local`	document	Document that contains the local `ip` address and the `port` number of the running instance.
`remote`	document	Document that contains the remote `ip` address and the `port` number of the incoming connection associated with the event.
`users`	array	Array of user identification documents. Because MongoDB allows a session to log in with different user per database, this array can have more than one user. Each document contains a `user` field for the username and a `db` field for the authentication database for that user.
`roles`	array	Array of documents that specify the roles granted to the user. Each document contains a `role` field for the name of the role and a `db` field for the database associated with the role.
`param`	document	Specific details for the event. See Audit Event Actions, Details, and Results.
`result`	integer	Error code. See Audit Event Actions, Details, and Results.

Audit Event Actions, Details, and Results

The following table lists for each atype or action type, the associated param details and the result values, if any.

atype

param

result

authenticate

{
  user: <user name>,
  db: <database>,
  mechanism: <mechanism>
}

- Success
- Authentication Failed
- Mechanism Unavailable

authCheck

{
  command: <name>,
  ns: <database>.<collection>,
  args: <command object>
}

ns field is optional.

args field may be redacted.

0 - Success

13 - Unauthorized to perform the operation.

By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the auditAuthorizationSuccess parameter. [1]

createCollection

{ ns: <database>.<collection> }

0 - Success

createDatabase

{ ns: <database> }

0 - Success

createIndex

{
  ns: <database>.<collection>,
  indexName: <index name>,
  indexSpec: <index specification>
}

0 - Success

renameCollection

{
  old: <database>.<collection>,
  new: <database>.<collection>
}

0 - Success

dropCollection

{ ns: <database>.<collection> }

0 - Success

dropDatabase

{ ns: <database> }

0 - Success

dropIndex

{
  ns: <database>.<collection>,
  indexName: <index name>
}

0 - Success

createUser

{
  user: <user name>,
  db: <database>,
  customData: <document>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

The customData field is optional.

0 - Success

dropUser

{
  user: <user name>,
  db: <database>
}

0 - Success

dropAllUsersFromDatabase

{ db: <database> }

0 - Success

updateUser

{
  user: <user name>,
  db: <database>,
  passwordChanged: <boolean>,
  customData: <document>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

The customData field is optional.

0 - Success

grantRolesToUser

{
  user: <user name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

0 - Success

revokeRolesFromUser

{
  user: <user name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

0 - Success

createRole

{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ],
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

The roles and the privileges fields are optional.

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success

updateRole

{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ],
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

The roles and the privileges fields are optional.

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success

dropRole

{
  role: <role name>,
  db: <database>
}

0 - Success

dropAllRolesFromDatabase

{ db: <database> }

0 - Success

grantRolesToRole

{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

0 - Success

revokeRolesFromRole

{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

0 - Success

grantPrivilegesToRole

{
  role: <role name>,
  db: <database>,
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success

revokePrivilegesFromRole

{
  role: <role name>,
  db: <database name>,
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success

replSetReconfig

{
  old: {
   _id: <replicaSetName>,
   version: <number>,
   ...
   members: [ ... ],
   settings: { ... }
  },
  new: {
   _id: <replicaSetName>,
   version: <number>,
   ...
   members: [ ... ],
   settings: { ... }
  }
}

For details on the replica set configuration document, see Replica Set Configuration.

0 - Success

enableSharding

{ ns: <database> }

0 - Success

shardCollection

{
  ns: <database>.<collection>,
  key: <shard key pattern>,
  options: { unique: <boolean> }
}

0 - Success

addShard

{
  shard: <shard name>,
  connectionString: <hostname>:<port>,
  maxSize: <maxSize>
}

When a shard is a replica set, the connectionString includes the replica set name and can include other members of the replica set.

0 - Success

refineCollectionShardKey

{
  ns: <database>.<collection>,
  key: <shard key pattern>
}

0 - Success

removeShard

{ shard: <shard name> }

0 - Success

shutdown

{ }

Indicates commencement of database shutdown.

0 - Success

applicationMessage

{ msg: <custom message string> }

See logApplicationMessage.

0 - Success

[1]	Enabling `auditAuthorizationSuccess` degrades performance more than logging only the authorization failures.

Back

Configure Audit Filters

Network and Configuration Hardening