Navigation
This version of the documentation is archived and no longer supported.

System Event Audit Messages

Note

Available only in MongoDB Enterprise.

Audit Message

The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing

The recorded JSON messages have the following syntax:

{
  atype: <String>,
  ts : { "$date": <timestamp> },
  local: { ip: <String>, port: <int> },
  remote: { ip: <String>, port: <int> },
  users : [ { user: <String>, db: <String> }, ... ],
  roles: [ { role: <String>, db: <String> }, ... ],
  param: <document>,
  result: <int>
}
Field Type Description
atype string Action type. See Audit Event Actions, Details, and Results.
ts document Document that contains the date and UTC time of the event, in ISO 8601 format.
local document Document that contains the local ip address and the port number of the running instance.
remote document Document that contains the remote ip address and the port number of the incoming connection associated with the event.
users array Array of user identification documents. Because MongoDB allows a session to log in with different user per database, this array can have more than one user. Each document contains a user field for the username and a db field for the authentication database for that user.
roles array Array of documents that specify the roles granted to the user. Each document contains a role field for the name of the role and a db field for the database associated with the role.
param document Specific details for the event. See Audit Event Actions, Details, and Results.
result integer Error code. See Audit Event Actions, Details, and Results.

Audit Event Actions, Details, and Results

The following table lists for each atype or action type, the associated param details and the result values, if any.

atype param result
authenticate
{
  user: <user name>,
  db: <database>,
  mechanism: <mechanism>
}
0 - Success
18 - Authentication Failed
authCheck
{
  command: <name>,
  ns: <database>.<collection>,
  args: <command object>
}

ns field is optional.

args field may be redacted.

0 - Success
13 - Unauthorized to perform the operation.

By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the auditAuthorizationSuccess parameter. [1]

createCollection
{ ns: <database>.<collection> }
0 - Success
createDatabase
{ ns: <database> }
0 - Success
createIndex
{
  ns: <database>.<collection>,
  indexName: <index name>,
  indexSpec: <index specification>
}
0 - Success
renameCollection
{
  old: <database>.<collection>,
  new: <database>.<collection>
}
0 - Success
dropCollection
{ ns: <database>.<collection> }
0 - Success
dropDatabase
{ ns: <database> }
0 - Success
dropIndex
{
  ns: <database>.<collection>,
  indexName: <index name>
}
0 - Success
createUser
{
  user: <user name>,
  db: <database>,
  customData: <document>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

The customData field is optional.

0 - Success
dropUser
{
  user: <user name>,
  db: <database>
}
0 - Success
dropAllUsersFromDatabase
{ db: <database> }
0 - Success
updateUser
{
  user: <user name>,
  db: <database>,
  passwordChanged: <boolean>,
  customData: <document>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

The customData field is optional.

0 - Success
grantRolesToUser
{
  user: <user name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
revokeRolesFromUser
{
  user: <user name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
createRole
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ],
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

The roles and the privileges fields are optional.

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success
updateRole
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ],
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

The roles and the privileges fields are optional.

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success
dropRole
{
  role: <role name>,
  db: <database>
}
0 - Success
dropAllRolesFromDatabase
{ db: <database> }
0 - Success
grantRolesToRole
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
revokeRolesFromRole
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
grantPrivilegesToRole
{
  role: <role name>,
  db: <database>,
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success
revokePrivilegesFromRole
{
  role: <role name>,
  db: <database name>,
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.

0 - Success
enableSharding
{ ns: <database> }
0 - Success
shardCollection
{
  ns: <database>.<collection>,
  key: <shard key pattern>,
  options: { unique: <boolean> }
}
0 - Success
addShard
{
  shard: <shard name>,
  connectionString: <hostname>:<port>,
  maxSize: <maxSize>
}

When a shard is a replica set, the connectionString includes the replica set name and can include other members of the replica set.

0 - Success
removeShard
{ shard: <shard name> }
0 - Success
shutdown
{ }

Indicates commencement of database shutdown.

0 - Success
applicationMessage
{ msg: <custom message string> }

See logApplicationMessage.

0 - Success
[1]Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.