System Event Audit Messages
On this page
Note
Available only in MongoDB Enterprise .
Audit Message
The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing
The recorded JSON messages have the following syntax:
{
atype: <String>,
ts : { "$date": <timestamp> },
local: { ip: <String>, port: <int> },
remote: { ip: <String>, port: <int> },
users : [ { user: <String>, db: <String> }, ... ],
roles: [ { role: <String>, db: <String> }, ... ],
param: <document>,
result: <int>
}
| Field | Type | Description |
|---|---|---|
atype |
string | Action type. See Audit Event Actions, Details, and Results. |
ts |
document | Document that contains the date and UTC time of the event, in ISO 8601 format. |
local |
document | Document that contains the local ip address and the port number of the running instance. |
remote |
document | Document that contains the remote ip address and the port number of the incoming connection associated with the event. |
users |
array | Array of user identification documents. Because MongoDB allows a session to log in with different user per database, this array can have more than one user. Each document contains a user field for the username and a db field for the authentication database for that user. |
roles |
array | Array of documents that specify the roles granted to the user. Each document contains a role field for the name of the role and a db field for the database associated with the role. |
param |
document | Specific details for the event. See Audit Event Actions, Details, and Results. |
result |
integer | Error code. See Audit Event Actions, Details, and Results. |
Audit Event Actions, Details, and Results
The following table lists for each atype or action type, the associated param details and the result values, if any.
atype |
param |
result |
|---|---|---|
authenticate |
|
0 - Success
18 - Authentication Failed
|
authCheck |
ns field is optional.
args field may be redacted.
|
0 - Success
13 - Unauthorized to perform the operation.
By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the |
createCollection |
|
0 - Success |
createDatabase |
|
0 - Success |
createIndex |
|
0 - Success |
renameCollection |
|
0 - Success |
dropCollection |
|
0 - Success |
dropDatabase |
|
0 - Success |
dropIndex |
|
0 - Success |
createUser |
The |
0 - Success |
dropUser |
|
0 - Success |
dropAllUsersFromDatabase |
|
0 - Success |
updateUser |
The |
0 - Success |
grantRolesToUser |
|
0 - Success |
revokeRolesFromUser |
|
0 - Success |
createRole |
The For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. |
0 - Success |
updateRole |
The For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. |
0 - Success |
dropRole |
|
0 - Success |
dropAllRolesFromDatabase |
|
0 - Success |
grantRolesToRole |
|
0 - Success |
revokeRolesFromRole |
|
0 - Success |
grantPrivilegesToRole |
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. |
0 - Success |
revokePrivilegesFromRole |
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions. |
0 - Success |
New in version 3.6.9. |
For details on the replica set configuration document, see Replica Set Configuration. |
0 - Success |
enableSharding |
|
0 - Success |
shardCollection |
|
0 - Success |
addShard |
When a shard is a replica set, the |
0 - Success |
removeShard |
|
0 - Success |
shutdown |
Indicates commencement of database shutdown. |
0 - Success |
applicationMessage |
|