You can configure your M10+ Atlas clusters to export system logs every minute to an AWS S3 bucket.
This integration allows you to:
Specify which MongoDB log files you want to export to the S3 bucket. Atlas supports exporting the following log types:
mongod
mongos
mongod-audit
mongos-audit
Set up to 10 export paths, allowing you to export logs to multiple AWS S3 buckets simultaneously.
Send logs to an S3 Multi-Region Access Point (MRAP) by configuring the integration with the MRAP ARN. You can currently only configure MRAP ARNs using the Atlas Administration API. MRAP aliases are not supported.
Important
Logs can contain sensitive information (including PII). You are responsible for the storage and treatment of your logs in your AWS S3 bucket. To have Atlas redact certain information before exporting logs, see Enable Log Redaction.
Required Access
To export logs to an AWS S3 bucket, you must have Project Owner or Organization Owner access to Atlas.
Considerations
Each Atlas host typically produces 1 GB of logs per day. Exporting logs incurs a data transfer cost. The exact data transfer cost varies depending on the destination, region, and cloud provider.
Network issues or retries can cause duplicate log entries in your AWS S3 bucket.
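Because retries can write the same entry more than once, counts taken straight from the bucket can overstate events such as failed logins. The following added example (not part of the Atlas documentation) deduplicates exported objects before counting. It assumes each object is gzip-compressed, newline-delimited JSON; `atype` and `result` follow the MongoDB audit log JSON format, and the host labels, sample events and function names are constructed for illustration.

```python
import gzip
import hashlib
import json


def dedupe_exported_logs(objects):
    """Yield (host, entry) once per distinct log line.

    objects: iterable of (host, gz_bytes), one pair per exported S3 object.
    Assumption: each object is gzip-compressed, newline-delimited JSON.
    """
    seen = set()
    for host, gz_bytes in objects:
        for raw in gzip.decompress(gz_bytes).splitlines():
            raw = raw.strip()
            if not raw:
                continue
            # Key on host + exact bytes: a retried upload repeats a line
            # verbatim, while the same bytes from another host are a new event.
            digest = hashlib.sha256(host.encode() + b"\0" + raw).digest()
            if digest in seen:
                continue
            seen.add(digest)
            try:
                entry = json.loads(raw)
            except json.JSONDecodeError:
                entry = None
            if not isinstance(entry, dict):
                # Keep unparseable lines visible instead of dropping them.
                entry = {"unparsed": raw.decode("utf-8", "replace")}
            yield host, entry


def failed_auth_count(entries):
    """Count audit events with atype 'authenticate' and a non-zero result."""
    return sum(1 for _, e in entries
               if e.get("atype") == "authenticate" and e.get("result", 0) != 0)


def gz_lines(*events):
    """Build one constructed export object from a list of event dicts."""
    return gzip.compress("\n".join(json.dumps(e) for e in events).encode())


# Constructed sample: the second object re-sends one line from the first.
FAIL_1 = {"atype": "authenticate", "ts": {"$date": "2024-01-01T00:00:01.000Z"}, "result": 18}
FAIL_2 = {"atype": "authenticate", "ts": {"$date": "2024-01-01T00:00:02.000Z"}, "result": 18}
LOGIN_OK = {"atype": "authenticate", "ts": {"$date": "2024-01-01T00:00:03.000Z"}, "result": 0}
SAMPLE_OBJECTS = [("host-a", gz_lines(FAIL_1, FAIL_2)), ("host-a", gz_lines(FAIL_2, LOGIN_OK))]
```

The `seen` set grows with the number of distinct lines, so for large buckets process one export window at a time.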
Prerequisites
You need:
An AWS IAM role with sts:AssumeRole that grants Atlas access to your AWS resource with a maximum session duration set to 12 hours.
An existing AWS S3 bucket.
An M10+ Atlas cluster running MongoDB 7.0 or later.
Procedure
To export logs to an AWS S3 bucket, complete the following steps.
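In Atlas, go to the Project Settings page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
In the sidebar, click Project Settings.
The Project Settings page displays.
In Atlas, go to the Project Integrations page.
Click the Integrations tab.
The Project Integrations page displays.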
Grant Atlas access to your AWS account.
From the Authorize an AWS IAM Role dropdown, select your ARN. To add an ARN, see Set Up Unified AWS Access.
Click Next.
Connect Atlas to your AWS S3 bucket.
In the Bucket Name field, enter the name of your S3 bucket as it appears in your AWS account.
In the Prefix field, enter a directory name to organize the contents of your S3 bucket. For example, entering logs/ creates a logs directory in your S3 bucket to store the exported logs.
Under Log Type, select the types of logs you want to export.
MongoDB Logs (mongodb.gz): Diagnostic logs written by each mongod server process. They record server startup and shutdown, configuration, connections, slow queries, replication, sharding activity, and other operational events.
MongoDB Audit Logs (mongodb-audit-log.gz): Auditing logs emitted by mongod that track system event actions such as authentication attempts, authorization checks, role changes, and other security-relevant operations. These logs are separate from the main MongoDB log.
MongoDB Router Logs (mongos.gz): Diagnostic logs written by each mongos router process in a sharded cluster. They capture router-specific behavior such as routing of queries to shards, sharding metadata refreshes, and general process diagnostics.
MongoDB Router Audit Logs (mongos-audit-log.gz): Auditing logs emitted by mongos router processes, recording the same kinds of audited system events but from the router's perspective in a sharded deployment.
To learn more, see View and Download MongoDB Logs.
(Optional) If you want to encrypt the logs in your S3 bucket, enter your AWS Key Management Service (KMS) key ARN in the KMS Key field. To learn more, see Manage Customer Keys with AWS KMS.
Click Next.
Assign an access policy to your AWS IAM role.
Click to copy the access policy generated by Atlas and save it locally with the file name: AtlasS3LogExportPolicy.
Click to copy the CLI command generated by Atlas, then run the command in your terminal to attach the access policy to your AWS IAM role.
Click Validate to confirm your configuration and credentials are correct before enabling the export.