In the OCSF schema, recorded log messages have this syntax:
```
{
   "activity_id" : <int>,
   "category_uid" : <int>,
   "class_uid" : <int>,
   "time" : <int>,
   "severity_id" : <int>,
   "type_uid" : <int>,
   "metadata" : <document>,
   "actor" : {
      "user" : {
         "type_id" : <int>,
         "name" : <string>,
         "groups" : <array of documents>
      }
   },
   "src_endpoint" : {
      "ip": <string>,   // IP address for origin client computer
      "port": <int>,    // Port for origin client computer
      "intermediate_ips": [ {
         // IP address and port for mongos or load balancer
         "ip": <string>,
         "port": <int>
      }, {
         // IP address and port for mongos or load balancer
         "ip": <string>,
         "port": <int>
      } ]
   },
   "dst_endpoint" : {
      // IP address and port for local MongoDB server
      "ip": <string>,
      "port": <int>
   }
}
```
The following table describes the fields in the log message.
| Field | Type | Description |
|---|---|---|
| activity_id | Integer | Activity type. See OCSF Type Mapping. |
| category_uid | Integer | Audit event category. See OCSF Category Mapping. |
| class_uid | Integer | Audit event class. See OCSF Class Mapping. |
| time | Integer | Number of milliseconds after the Unix epoch at which the event occurred. |
| severity_id | Integer | Severity of the audited event. |
| type_uid | Integer | Combination of the audited event's class, activity, and category. See OCSF Type Mapping. |
| metadata | Document | Metadata about the event, such as product and schema version. |
| actor | Document | Information about the user who performed the action. |
| src_endpoint | Document | IP address and port of the origin client. Starting in MongoDB 8.1, if the request passes through a load balancer, or if the audit event occurs on a shard (so the request arrived through mongos), intermediate_ips lists the IP address and port of each mongos or load balancer between the client and the server. Changed in version 8.1. |
| dst_endpoint | Document | IP address and port of the local MongoDB server. Changed in version 8.1. |
Note
Log messages may contain additional fields depending on the event that was logged.
OCSF Category Mapping
This table describes the category_uid values:
| category_uid | Category |
|---|---|
| 1 | System Activity |
| 2 | Findings |
| 3 | IAM |
| 4 | Network Activity |
| 5 | Discovery |
| 6 | Application Activity |
OCSF Class Mapping
For a complete list of OCSF class_uids and how they map to
different classes, see the OCSF Documentation.
OCSF Type Mapping
The type_uid field combines the audited event's class, activity, and
category into a single integer that identifies the type of activity that
occurred.
Specifically, type_uid is ( class_uid * 100 ) + activity_id, and
category_uid is the thousands digit of class_uid. For example, class_uid
3002 (Authentication) belongs to category 3 (IAM), so a Logon event
(activity_id 1) has type_uid 300201.
This table describes how audited actions map to type_uid:
| Action Type | type_uid | Category | Class | Activity |
|---|---|---|---|---|
|  |  | Configuration | Device Config State | Log |
|  |  | System | Process Activity | Other |
|  |  | Discovery | Device Config State |  |
|  |  | Application | API Activity |  |
|  |  | IAM | Authentication | Logon |
|  |  | Network | Network Activity | Open |
|  |  | IAM | Entity Management | Create |
|  |  | IAM | Entity Management | Create |
|  |  | IAM | Entity Management | Create |
|  |  | IAM | Account Change | Create |
|  |  | IAM | Account Change | Create |
|  |  | IAM | Account Change | Unknown |
|  |  | IAM | Account Change | Delete |
|  |  | IAM | Account Change | Delete |
|  |  | IAM | Entity Management | Delete |
|  |  | IAM | Entity Management | Delete |
|  |  | IAM | Entity Management | Delete |
|  |  | IAM | Account Change | Attach Policy |
|  |  | IAM | Account Change | Delete |
|  |  | IAM | Account Change | Delete |
|  |  | Configuration | Device Config State | Log |
|  |  | Application | API Activity | Read |
|  |  | IAM | Account Change | Attach Policy |
|  |  | IAM | Account Change | Attach Policy |
|  |  | IAM | Entity Management | Create |
|  |  | IAM | Authentication | Logoff |
|  |  | Configuration | Device Config State | Log |
|  |  | Configuration | Device Config State | Log |
|  |  | IAM | Entity Management | Update |
|  |  | Configuration | Device Config State | Log |
|  |  | IAM | Account Change | Detach Policy |
|  |  | IAM | Account Change | Detach Policy |
|  |  | IAM | Account Change | Detach Policy |
|  |  | System | Process Activity | Other |
|  |  | Configuration | Device Config State | Log |
|  |  | Configuration | Device Config State | Log |
|  |  | System | Process Activity | Terminate |
|  |  | System | Process Activity | Launch |
|  |  | Configuration | Device Config State | Log |
|  |  | IAM | Account Change | Other |
|  |  | IAM | Account Change | Other |
Examples
The following examples show OCSF schema log messages for different action types.
Authenticate Action
```json
{
   "activity_id" : 1,
   "category_uid" : 3,
   "class_uid" : 3002,
   "time" : 1710715316123,
   "severity_id" : 1,
   "type_uid" : 300201,
   "metadata" : {
      "correlation_uid" : "20ec4769-984d-445c-aea7-da0429da9122",
      "product" : "MongoDB Server",
      "version" : "1.0.0"
   },
   "actor" : {
      "user" : {
         "type_id" : 1,
         "name" : "admin.admin",
         "groups" : [ { "name" : "admin.root" } ]
      }
   },
   "src_endpoint" : { "ip" : "127.0.0.1", "port" : 56692 },
   "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 },
   "user" : { "type_id" : 1, "name" : "admin.admin" },
   "auth_protocol" : "SCRAM-SHA-256",
   "unmapped" : { "atype" : "authenticate" }
}
```
AuthCheck Action
```json
{
   "activity_id" : 0,
   "category_uid" : 6,
   "class_uid" : 6003,
   "time" : 1710715315002,
   "severity_id" : 1,
   "type_uid" : 600300,
   "metadata" : {
      "correlation_uid" : "af4510fb-0a9f-49aa-b988-06259a7a861d",
      "product" : "MongoDB Server",
      "version" : "1.0.0"
   },
   "actor" : {},
   "src_endpoint" : { "ip" : "127.0.0.1", "port" : 45836 },
   "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 },
   "api" : {
      "operation" : "getParameter",
      "request" : { "uid" : "admin" },
      "response" : { "code" : 13, "error" : "Unauthorized" }
   }
}
```
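The following Python script is an added example, not code from the MongoDB documentation or from MongoDB Server. It applies the schema described on this page to newline-delimited OCSF audit lines: it checks that every required field is present, that category_uid is the thousands digit of class_uid and that type_uid equals class_uid * 100 + activity_id, walks src_endpoint.intermediate_ips to recover the full client-to-server path, and flags API Activity events whose response carries MongoDB error code 13 (Unauthorized), as in the AuthCheck example. The first two input lines are the Authenticate and AuthCheck examples above, compacted to one line each; the other two are constructed here. Treating class_uid 6003 together with response code 13 as the signature of a denied call is an assumption drawn from that example, not a documented detection rule.

```python
"""Consistency checks and a small detection over MongoDB OCSF audit messages.
Added example; not code from the MongoDB documentation or MongoDB Server."""
import json
from typing import Iterable

# category_uid values from the OCSF Category Mapping table on this page.
CATEGORY_NAMES = {
    1: "System Activity", 2: "Findings", 3: "IAM",
    4: "Network Activity", 5: "Discovery", 6: "Application Activity",
}
# Fields every OCSF audit message carries, per the schema on this page.
REQUIRED_FIELDS = ("activity_id", "category_uid", "class_uid", "time",
                   "severity_id", "type_uid", "metadata", "actor",
                   "src_endpoint", "dst_endpoint")
API_ACTIVITY = 6003        # class_uid of the AuthCheck example above
MONGODB_UNAUTHORIZED = 13  # api.response.code in that example (assumed stable)

def category_of(class_uid: int) -> int:
    """category_uid is the thousands digit of class_uid (3002 -> 3, 6003 -> 6)."""
    return class_uid // 1000

def expected_type_uid(class_uid: int, activity_id: int) -> int:
    """type_uid = (class_uid * 100) + activity_id, as documented above."""
    return class_uid * 100 + activity_id

def validate(event: dict) -> list[str]:
    """Return the schema/consistency problems found; [] means the event checks out."""
    problems = [f"missing field {f}" for f in REQUIRED_FIELDS if f not in event]
    if problems:
        return problems
    cat, cls, act, tuid = (event[k] for k in
                           ("category_uid", "class_uid", "activity_id", "type_uid"))
    if cat not in CATEGORY_NAMES:
        problems.append(f"unknown category_uid {cat}")
    if category_of(cls) != cat:
        problems.append(f"class_uid {cls} implies category {category_of(cls)}, not {cat}")
    if expected_type_uid(cls, act) != tuid:
        problems.append(f"type_uid {tuid} != {cls}*100+{act}")
    return problems

def connection_chain(event: dict) -> list[tuple[str, int]]:
    """Origin client -> each mongos/load balancer hop (intermediate_ips) -> local server."""
    src, dst = event["src_endpoint"], event["dst_endpoint"]
    chain = [(src["ip"], src["port"])]
    chain += [(hop["ip"], hop["port"]) for hop in src.get("intermediate_ips", [])]
    chain.append((dst["ip"], dst["port"]))
    return chain

def is_unauthorized_api_call(event: dict) -> bool:
    """API Activity event whose response carries MongoDB error code 13 (Unauthorized)."""
    response = event.get("api", {}).get("response", {})
    return event.get("class_uid") == API_ACTIVITY and response.get("code") == MONGODB_UNAUTHORIZED

def scan(lines: Iterable[str]) -> dict:
    """Parse newline-delimited JSON audit lines; report malformed events and denied calls."""
    report = {"valid": 0, "invalid": [], "unauthorized": []}
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            report["invalid"].append((n, [f"not JSON: {exc.msg}"]))
            continue
        problems = validate(event)
        if problems:
            report["invalid"].append((n, problems))
            continue
        report["valid"] += 1
        if is_unauthorized_api_call(event):
            who = event.get("actor", {}).get("user", {}).get("name", "<unauthenticated>")
            report["unauthorized"].append((n, who, connection_chain(event), event["api"]["operation"]))
    return report

# Sample input: lines 1-2 are the Authenticate and AuthCheck examples from this page,
# compacted; lines 3-4 are constructed here (an AuthCheck reaching a shard through a
# mongos hop, and an event whose type_uid contradicts its class_uid/activity_id).
SAMPLE_LINES = [
    '{"activity_id":1,"category_uid":3,"class_uid":3002,"time":1710715316123,"severity_id":1,"type_uid":300201,"metadata":{"correlation_uid":"20ec4769-984d-445c-aea7-da0429da9122","product":"MongoDB Server","version":"1.0.0"},"actor":{"user":{"type_id":1,"name":"admin.admin","groups":[{"name":"admin.root"}]}},"src_endpoint":{"ip":"127.0.0.1","port":56692},"dst_endpoint":{"ip":"127.0.0.1","port":20040},"user":{"type_id":1,"name":"admin.admin"},"auth_protocol":"SCRAM-SHA-256","unmapped":{"atype":"authenticate"}}',
    '{"activity_id":0,"category_uid":6,"class_uid":6003,"time":1710715315002,"severity_id":1,"type_uid":600300,"metadata":{"correlation_uid":"af4510fb-0a9f-49aa-b988-06259a7a861d","product":"MongoDB Server","version":"1.0.0"},"actor":{},"src_endpoint":{"ip":"127.0.0.1","port":45836},"dst_endpoint":{"ip":"127.0.0.1","port":20040},"api":{"operation":"getParameter","request":{"uid":"admin"},"response":{"code":13,"error":"Unauthorized"}}}',
    '{"activity_id":0,"category_uid":6,"class_uid":6003,"time":1710715317000,"severity_id":1,"type_uid":600300,"metadata":{"product":"MongoDB Server","version":"1.0.0"},"actor":{"user":{"type_id":1,"name":"app.reader"}},"src_endpoint":{"ip":"10.0.0.7","port":51000,"intermediate_ips":[{"ip":"10.0.1.5","port":27017}]},"dst_endpoint":{"ip":"10.0.2.9","port":27018},"api":{"operation":"find","request":{"uid":"admin"},"response":{"code":13,"error":"Unauthorized"}}}',
    '{"activity_id":1,"category_uid":3,"class_uid":3002,"time":1710715318000,"severity_id":1,"type_uid":300202,"metadata":{},"actor":{},"src_endpoint":{"ip":"10.0.0.8","port":51001},"dst_endpoint":{"ip":"10.0.2.9","port":27018}}',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LINES)
    for n, problems in result["invalid"]:
        print(f"line {n}: {'; '.join(problems)}")
    for n, who, chain, op in result["unauthorized"]:
        print(f"line {n}: {who} denied {op!r} via " + " -> ".join(f"{ip}:{port}" for ip, port in chain))
```

Because the category and type_uid mapping is deterministic, a line whose type_uid or category_uid disagrees with its class_uid is itself worth alerting on (it indicates a tampered or mis-parsed record), and the check is cheap enough to run on every line before the event is forwarded to a SIEM. When the unauthorized call arrives through a mongos or load balancer, the first element of the chain, not dst_endpoint's peer, is the client address to pivot on.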