To monitor Atlas platform activity, use the auditing feature.
Atlas Auditing Features
Database auditing is available on M10+ clusters and lets you track system activity for deployments with multiple users.
As an Atlas administrator, you can create custom JSON Atlas audit filters in MongoDB to control precisely what is audited in your system.
Compared with the standard filter builder in the Atlas UI, this approach lets you specify exactly which actions, database users, and Atlas roles should be monitored, giving you finer-grained control over the auditing process.
With manual audit configuration, you can monitor almost every logged system event action in Atlas.
Comprehensive database auditing provides detailed tracking of:
Data Definition Language (DDL) operations
Data Manipulation Language (DML) operations
Data Control Language (DCL) operations.
This gives you complete visibility into database schema changes, data modifications, and permission adjustments.
For implementation guidance, including the full list of events and practical configuration examples, see the MongoDB Auditing and Audit Filter Examples documentation. The Set Up Database Auditing section provides additional setup instructions.
Create and Enable Audit Filters in Atlas
You can create an Atlas audit filter to restrict auditing to only the actions you care about. When you enable auditing of operations, Atlas logs all auditable operations, as described in Audit Event Actions, Details, and Results.
To limit which events Atlas logs, you can specify an Atlas audit filter.
The following document defines an Atlas audit filter that limits auditing to authentication operations against the test database only. To learn more, see Configure Audit Filters.
{ "atype": "authenticate", "param.db": "test" }
To enable an Atlas audit filter, run the atlas auditing update command with the --enabled flag and pass the Atlas audit filter document as a string by enclosing it in single quotes:
atlas auditing update --enabled --auditFilter '{"atype": "authenticate", "param.db": "test"}'
A custom Atlas audit filter lets you forgo the managed audit filter builder in the Atlas UI in favor of hand-crafted, fine-grained control over event auditing. Atlas only checks that the custom filter uses valid JSON syntax; it does not validate or test what the filter actually does.
An Atlas audit filter document:
Must parse to a query that matches one or more fields in the Atlas audit event message.
Can use a combination of query operators and equality conditions to match the desired Atlas audit messages.
Atlas supports specifying Atlas audit filters in JSON format to customize MongoDB auditing.
Configuring a JSON file for a custom filter is also useful: if you need to create a large filter, storing the filter's configuration in a separate file makes it easier to manage and maintain.
The following Atlas CLI command enables the Atlas audit filter defined in the specified JSON configuration file:
atlas auditing update --enabled -f filter.json
Atlas Auditing Recommendations
The following recommendations apply to all deployment paradigms.
Database auditing increases cluster resource usage and operating costs.
To maintain optimal performance and control costs, consider auditing only essential users, and turn auditing off in development environments where it is not needed.
For compliance reasons, some industries (for example, healthcare and financial services) may choose to keep auditing enabled in development environments.
We recommend that you audit at least the following events with Atlas:
Failed logins
Session activity
Logins and logouts
Attempts to execute unauthorized functions
Password changes
Database user access changes
DDL and system configuration stored procedures
Modification of native audits
Execution of backup or restore operations
Changes to DBMS native audit settings
Changes to security settings
Database start and stop commands
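Because Atlas checks only that a custom filter is valid JSON (see above), it helps to evaluate a filter against sample audit events before enabling it. The following Python matcher is an added example, not Atlas or CLI code: it applies the `test`-database authentication filter from the CLI example and a filter approximating the minimum recommended events listed above to constructed audit events, so you can see which events each filter would record. The supported operator subset, the event shapes, and the result codes are assumptions.

```python
# Added example, not Atlas code: evaluates an Atlas audit filter's query semantics offline.
def get_path(doc, path):
    """Resolve a dotted path such as 'param.db'; return (value, present)."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None, False
        doc = doc[key]
    return doc, True
def match_cond(value, present, cond):
    """Match one field against a literal or an operator document ($in, $exists, $elemMatch)."""
    if not (isinstance(cond, dict) and any(k.startswith("$") for k in cond)):
        return present and value == cond
    for op, arg in cond.items():
        if op == "$in" and value not in arg:
            return False
        if op == "$exists" and present != bool(arg):
            return False
        if op == "$elemMatch" and not any(isinstance(e, dict) and matches(arg, e)
                                          for e in (value if isinstance(value, list) else [])):
            return False
    return True
def matches(flt, event):
    """True when the audit event satisfies the whole filter document (fields and $or)."""
    for key, cond in flt.items():
        ok = (any(matches(sub, event) for sub in cond) if key == "$or"
              else match_cond(*get_path(event, key), cond))
        if not ok:
            return False
    return True
def recorded(flt, events):
    """Indices of the events Atlas would write to the audit log under this filter."""
    return [i for i, e in enumerate(events) if matches(flt, e)]

# Constructed events shaped like audit messages (result 0 = success, 13 = Unauthorized, 18 = AuthenticationFailed).
EVENTS = [
    {"atype": "authenticate", "param": {"user": "app", "db": "test"}, "result": 18},
    {"atype": "authCheck", "param": {"command": "find", "ns": "test.orders"}, "result": 0},
    {"atype": "authCheck", "param": {"command": "createUser", "ns": "admin"}, "result": 0},
    {"atype": "authCheck", "param": {"command": "drop", "ns": "test.orders"}, "result": 13},
    {"atype": "authCheck", "param": {"command": "aggregate", "ns": "test.orders",
                                     "pipeline": [{"$changeStream": {}}]}, "result": 0},
]
PAGE_FILTER = {"atype": "authenticate", "param.db": "test"}  # the CLI example above
# Approximates the minimum recommendations: logins/logouts and failures, unauthorized attempts, user/role changes, DDL, shutdown.
RECOMMENDED = {"$or": [
    {"atype": {"$in": ["authenticate", "logout"]}},
    {"atype": "authCheck", "result": 13},
    {"atype": "authCheck", "param.command": {"$in": ["createUser", "dropUser", "updateUser",
        "grantRolesToUser", "revokeRolesFromUser", "createRole", "dropRole", "create",
        "drop", "dropDatabase", "createIndexes", "dropIndexes", "shutdown"]}},
]}
```

Running `recorded(RECOMMENDED, EVENTS)` returns the indices of the failed login, the createUser call and the unauthorized drop, while the successful find and the change stream aggregate are left out.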
Automation Examples: Atlas Auditing
The following examples show how to use Atlas automation tools to retrieve and download logs and to configure auditing.
Update the Audit Configuration
To update a project's Atlas audit configuration, use the atlas auditing update command and specify a new Atlas audit filter. The following command replaces the existing Atlas audit filter configuration with a new filter that audits all authentication events for known users in the project:
atlas auditing update --enabled --auditFilter '{"atype": "authenticate"}'
Describe the Audit Configuration
Run the atlas auditing describe command to return the audit configuration for the specified project:
atlas auditing describe --output json
The following example demonstrates how to enable auditing for a deployment. Before you create resources with Terraform, you must:
Create a paying organization and create an API key for the paying organization. Store your public and private keys as environment variables by running the following commands in a terminal:
export MONGODB_ATLAS_PUBLIC_KEY="<insert your public key here>"
export MONGODB_ATLAS_PRIVATE_KEY="<insert your private key here>"
Enable Auditing and Create an Audit Filter
You can configure manual auditing of most logged system event actions by creating an Atlas audit filter. To learn more about configuring Atlas audit filters, see Configure Audit Filters.
The following Terraform script sets up a complete MongoDB Atlas infrastructure with comprehensive database auditing. The script:
Creates a new project within the organization and provisions a three-node replica set cluster (M10 instances) deployed on AWS in the US East region.
Enables detailed auditing with a JSON filter that monitors authentication events, user management operations, and a range of database commands, including data manipulation and query operations.
The auditing configuration specifically targets administrators and external database users while tracking key operations such as authentication attempts, role modifications, and common database commands such as find, insert, update, and delete operations.
# Add the MongoDB Atlas Provider
terraform {
  required_providers {
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = "1.34.0"
    }
  }
}

# Configure the MongoDB Atlas Provider
provider "mongodbatlas" {
  public_key  = var.mongodbatlas_public_key
  private_key = var.mongodbatlas_private_key
}

# Create a Project
resource "mongodbatlas_project" "atlas-project" {
  org_id = var.atlas_org_id
  name   = var.atlas_project_name
}

# Create an Atlas Advanced Cluster
resource "mongodbatlas_advanced_cluster" "atlas-cluster" {
  project_id             = mongodbatlas_project.atlas-project.id
  name                   = "ClusterPortalProd"
  cluster_type           = "REPLICASET"
  mongo_db_major_version = "8.0"

  replication_specs {
    region_configs {
      electable_specs {
        instance_size = "M10"
        node_count    = 3 # a replica set needs three electable nodes
      }
      provider_name = "AWS"
      priority      = 7
      region_name   = "US_WEST_1"
    }
  }

  # Advanced configuration
  backup_enabled         = true
  pit_enabled            = true
  version_release_system = "LTS"
}

# Create comprehensive auditing configuration to capture all possible audit events
resource "mongodbatlas_auditing" "atlas-auditing" {
  project_id = mongodbatlas_project.atlas-project.id

  # Comprehensive audit filter to capture all possible audit events
  audit_filter = jsonencode({
    "$or" = [
      # Capture all authentication events
      { "atype" = { "$in" = ["authenticate", "authCheck", "logout"] } },
      # Capture all authorization events
      { "atype" = "authCheck" },
      # Capture all CRUD operations
      {
        "atype" = "authCheck",
        "param.command" = { "$in" = [
          # Read operations
          "find", "getMore", "count", "distinct", "aggregate", "group", "mapReduce",
          "geoNear", "geoSearch", "parallelCollectionScan", "eval", "getLastError",
          "getPrevError", "resetError",
          # Write operations
          "insert", "update", "delete", "findAndModify", "save",
          # Index operations
          "createIndexes", "dropIndexes", "listIndexes", "reIndex",
          # Collection operations
          "create", "drop", "listCollections", "collMod", "convertToCapped",
          "emptycapped", "renameCollection",
          # Database operations
          "dropDatabase", "listDatabases", "copydb", "clone",
          # GridFS operations
          "filemd5"
        ] }
      },
      # Capture all DDL (Data Definition Language) operations
      {
        "atype" = "authCheck",
        "param.command" = { "$in" = [
          "create", "drop", "createIndexes", "dropIndexes", "collMod",
          "renameCollection", "dropDatabase", "createCollection", "dropCollection"
        ] }
      },
      # Capture all user and role management operations
      {
        "atype" = "authCheck",
        "param.command" = { "$in" = [
          "createUser", "dropUser", "dropAllUsersFromDatabase", "updateUser",
          "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole",
          "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole",
          "revokeRolesFromRole", "grantPrivilegesToRole", "revokePrivilegesFromRole"
        ] }
      },
      # Capture replica set operations
      {
        "atype" = "authCheck",
        "param.command" = { "$in" = [
          "replSetGetStatus", "replSetInitiate", "replSetReconfig", "replSetStepDown",
          "replSetSyncFrom", "replSetFreeze", "replSetMaintenance", "replSetGetConfig"
        ] }
      },
      # Capture sharding operations
      {
        "atype" = "authCheck",
        "param.command" = { "$in" = [
          "shardCollection", "addShard", "removeShard", "movePrimary",
          "enableSharding", "split", "moveChunk", "mergeChunks"
        ] }
      },
      # Capture administrative operations
      {
        "atype" = "authCheck",
        "param.command" = { "$in" = [
          "shutdown", "fsync", "getParameter", "setParameter", "serverStatus",
          "dbStats", "collStats", "currentOp", "killOp", "listCommands", "buildInfo",
          "hostInfo", "connectionStatus", "getCmdLineOpts", "logRotate",
          "planCacheClear", "planCacheListFilters", "planCacheSetFilter",
          "planCacheClearFilters"
        ] }
      },
      # Capture diagnostic operations
      {
        "atype" = "authCheck",
        "param.command" = { "$in" = [
          "explain", "profile", "validate", "dbHash", "ping", "ismaster", "isMaster", "hello"
        ] }
      },
      # Capture connection and session events
      { "atype" = { "$in" = ["createSession", "endSession", "refreshSession"] } },
      # Capture transaction events
      {
        "atype" = "authCheck",
        "param.command" = { "$in" = ["abortTransaction", "commitTransaction", "startTransaction"] }
      },
      # Capture change stream events
      {
        "atype"          = "authCheck",
        "param.command"  = { "$in" = ["aggregate"] },
        "param.pipeline" = { "$elemMatch" = { "$changeStream" = { "$exists" = true } } }
      }
    ]
  })

  # Enable comprehensive auditing settings
  audit_authorization_success = true # Audit both successful and failed operations
  enabled                     = true # Enable auditing
}

# Variables
variable "mongodbatlas_public_key" {
  default     = ""
  description = "MongoDB Atlas Public Key"
  type        = string
  sensitive   = true
}

variable "mongodbatlas_private_key" {
  default     = ""
  description = "MongoDB Atlas Private Key"
  type        = string
  sensitive   = true
}

variable "atlas_org_id" {
  default     = ""
  description = "MongoDB Atlas Organization ID"
  type        = string
}

variable "atlas_project_name" {
  description = "MongoDB Atlas Project Name"
  type        = string
  default     = "Atlas Auditing Example"
}

# Outputs
output "cluster_connection_string" {
  description = "Connection string for the Atlas cluster"
  value       = mongodbatlas_advanced_cluster.atlas-cluster.connection_strings[0].standard_srv
  sensitive   = true
}

output "cluster_id" {
  description = "Atlas cluster ID"
  value       = mongodbatlas_advanced_cluster.atlas-cluster.cluster_id
}

output "project_id" {
  description = "Atlas project ID"
  value       = mongodbatlas_project.atlas-project.id
}

output "auditing_enabled" {
  description = "Whether auditing is enabled"
  value       = mongodbatlas_auditing.atlas-auditing.enabled
}