System Event Audit Messages系统事件审核消息

~~On this page~~本页内容

~~Audit Message~~审核消息
~~Audit Event Actions, Details, and Results~~审核事件操作、详细信息和结果

~~Note~~注意

~~Available only in MongoDB Enterprise and MongoDB Atlas.~~仅在MongoDB Enterprise和MongoDB Atlas中可用。

Audit Message审核消息

~~The event auditing feature can record events in JSON format.~~ 事件审计功能可以以JSON格式记录事件。~~To configure auditing output, see Configure Auditing.~~要配置审核输出，请参阅配置审核。

Changed in version 5.0.在版本5.0中更改。

~~The recorded JSON messages have the following syntax:~~记录的JSON消息具有以下语法：

{
  atype: <string>,
  ts : { $date: <timestamp> },
  uuid : { $binary: <string>, $type: <string> },
  local: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  remote: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  users : [ { user: <string>, db: <string> }, ... ],
  roles: [ { role: <string>, db: <string> }, ... ],
  param: <document>,
  result: <int>
}

~~Field~~字段	~~Type~~类型	~~Description~~描述
`atype`	string	~~Action type.~~ 操作类型。~~See Audit Event Actions, Details, and Results.~~请参阅审核事件操作、详细信息和结果。
`ts`	document	~~Document that contains the date and UTC time of the event, in ISO 8601 format.~~包含事件日期和UTC时间的文档，采用ISO 8601格式。
`uuid`	document	~~Document that contains a universally unique identifier (UUID) for the audit message.~~ 包含审核消息的通用唯一标识符（UUID）的文档。~~The `$type` field specifies the BSON subtype for the `$binary` field.~~ `$type`字段指定`$binary`字段的BSON子类型。~~The `$type` value of `04` specifies that the `$binary` field contains a UUID.~~`$type`值`04`指定`$binary`字段包含UUID。 New in version 5.0.在版本5.0中新增。
`local`	document	~~A document that contains the `ip` address and the `port` number of the running instance.~~包含正在运行的实例的`ip`地址和`port`号的文档。 ~~Starting in MongoDB 5.0, can alternatively be a document with one of these fields:~~从MongoDB 5.0开始，也可以是具有以下字段之一的文档： `isSystemUser` ~~that indicates whether the user who caused the event was a system user.~~ 指示引起事件的用户是否是系统用户。~~Logged for self-referential jobs initiated by a background process that runs on the same server instance.~~已记录由在同一服务器实例上运行的后台进程启动的自引用作业。 ~~`unix` that contains the MongoDB socket file path if the client connects through a Unix domain socket.~~如果客户端通过Unix域套接字连接，则`unix`包含MongoDB套接字文件路径。 ~~Note~~注意 ~~Starting in MongoDB 5.0, the `local` field is deprecated.~~ 从MongoDB 5.0开始，不推荐使用`local`字段。~~Use the `localEndpoint` field in the clientMetadata audit message instead.~~请改用clientMetadata审核消息中的`localEndpoint`字段。 Changed in version 5.0.在版本5.0中更改。
`remote`	document	~~A document that contains the `ip` address and the `port` number of the incoming connection associated with the event.~~包含与事件关联的传入连接的`ip`地址和`port`号的文档。 ~~Starting in MongoDB 5.0, can alternatively be a document with one of these fields:~~从MongoDB 5.0开始，也可以是具有以下字段之一的文档： `isSystemUser` ~~that indicates whether the user who caused the event was a system user.~~ 它指示引起事件的用户是否是系统用户。~~Logged for self-referential jobs initiated by a background process that runs on the same server instance.~~已记录由在同一服务器实例上运行的后台进程启动的自引用作业。 ~~`unix` that contains the MongoDB socket file path if the client connects through a Unix domain socket.~~如果客户端通过unix域套接字连接，则`unix`包含MongoDB套接字文件路径。 Changed in version 5.0.在版本5.0中更改。
`users`	array	~~Array of user identification documents.~~ 用户身份文件数组。~~Because MongoDB allows a session to log in with different user per database, this array can have more than one user.~~ 因为MongoDB允许会话与每个数据库的不同用户登录，所以这个数组可以有多个用户。~~Each document contains a `user` field for the username and a `db` field for the authentication database for that user.~~每个文档都包含用户名的`user`字段和该用户的身份验证数据库的`db`字段。
`roles`	array	~~Array of documents that specify the roles granted to the user.~~ 指定授予用户的角色的文档数组。~~Each document contains a `role` field for the name of the role and a `db` field for the database associated with the role.~~每个文档都包含角色名称的`role`字段和与角色关联的数据库的`db`字段。
`param`	document	~~Specific details for the event.~~ 活动的具体细节。~~See Audit Event Actions, Details, and Results.~~请参阅审核事件操作、详细信息和结果。
`result`	integer	~~Error code.~~ 错误代码。~~See Audit Event Actions, Details, and Results.~~请参阅审核事件操作、详细信息和结果。

Audit Event Actions, Details, and Results审核事件操作、详细信息和结果

~~The following table lists for each atype or action type, the associated param details and the result values, if any.~~下表列出了每个atype或操作类型、相关param详细信息和result值（如果有）。

`atype`	`param`	`result`
`authenticate`	{ user: <user name>, db: <database>, mechanism: <mechanism> } ~~Starting in MongoDB 5.0, `authenticate`:~~从MongoDB 5.0开始，`authenticate`： ~~Is logged for incomplete authentication attempts.~~记录未完成的身份验证尝试。 ~~Includes the principle name and identifier in `mechanism` for external authentication mechanisms such as x.509 and Amazon Web Services Identity and Access Management (AWS-IAM) (see `authMechanism`).~~包括外部`mechanism`机制（如x.509和亚马逊Web服务身份和访问管理（AWS-IAM）（请参阅`authMechanism`）的机制中的原则名称和标识符。 Changed in version 5.0.在版本5.0中更改。	`0` - ~~Success~~成功 `18` - ~~Authentication Failed~~身份验证失败 `334` - ~~Mechanism Unavailable~~机制不可用
`authCheck`	{ command: <name>, ns: <database>.<collection>, args: <command object> } `ns` ~~field is optional.~~字段是可选的。 `args` ~~field may be redacted.~~字段可以被编辑。 ~~By default, the auditing system logs only the authorization failures.~~ 默认情况下，审核系统只记录授权失败。~~To enable the system to log authorization successes, use the `auditAuthorizationSuccess` parameter.~~要使系统能够记录授权成功，请使用`auditAuthorizationSuccess`参数。 ~~Enabling `auditAuthorizationSuccess` degrades performance more than logging only the authorization failures.~~启用 `auditAuthorizationSuccess`比只记录授权失败更会降低性能。 ~~Starting in MongoDB 5.0, `authCheck` is not logged for actions that are generated internally.~~从MongoDB 5.0开始，内部生成的操作不会记录`authCheck`。 Changed in version 5.0.在版本5.0中更改。	`0` - ~~Success~~成功 `13` - ~~Unauthorized to perform the operation.~~未经授权执行该操作。
`clientMetadata`	{ localEndpoint : { ip : <IP address of running instance>, port : <port of running instance> } \|\| { unix : <MongoDB socket file path if connecting through a Unix domain socket> }, clientMetadata : { driver : { name : <client driver name>, version : <client driver version> }, os : { type : <client operating system type>, name : <client operating system name>, architecture : <client operating system architecture>, version : <client operating system version> }, platform : <client platform name>, application : { name : <client application name> } } } ~~Contains the client metadata.~~ 包含客户端元数据。~~Logged when the client runs the `hello` command.~~当客户端运行`hello`命令时记录。 ~~Tip~~提示 ~~See also:~~ 参阅： ~~Client Data~~客户端数据 New in version 5.0.在版本5.0中新增。	`0` - ~~Success~~成功
`createCollection`	{ ns: <database>.<collection \|\| view>, viewOn: <database>.<collection>, pipeline: [ <pipeline definition> ] } ~~Logged when a:~~在以下情况下记录： ~~Collection is created.~~集合已创建。 ~~View is created, with the view name logged in the `ns` field.~~创建视图，并将视图名称记录在`ns`字段中。 ~~Starting in MongoDB 5.0, this additional information is logged for a view:~~从MongoDB 5.0开始，将为视图记录以下附加信息： ~~`viewOn` field with the database and collection for the view.~~`viewOn`字段，其中包含视图的数据库和集合。 ~~`pipeline` field with the aggregation pipeline definition for the view.~~具有视图的聚合管道定义的`pipeline`字段。 Changed in version 5.0.在版本5.0中更改。	`0` - ~~Success~~成功
`createDatabase`	{ ns: <database> }	`0` - ~~Success~~成功
`createIndex`	{ ns: <database>.<collection>, indexName: <index name>, indexSpec: <index specification>, indexBuildState: <index build state> } ~~Possible values for `indexBuildState` are:~~`indexBuildState`的可能值为： `IndexBuildStarted` `IndexBuildSucceeded` `IndexBuildAborted` ~~Starting in MongoDB 5.0, `createIndex` audit events are:~~从MongoDB 5.0开始，`createIndex`审核事件包括： ~~Logged at the start and end of index creation, and includes a message indicating if the index was successfully created or not.~~在索引创建开始和结束时记录，并包含一条消息，指示索引是否成功创建。 ~~Attributed to the originating user for the action that caused the `createIndex` audit event.~~归因于导致`createIndex`审核事件的操作的原始用户。 ~~Logged for a `createCollection` event if the collection has an index.~~如果集合有索引，则记录`createCollection`事件。 Changed in version 5.0.在版本5.0中更改。	`0` - ~~Success~~成功 `276` - ~~Index build aborted.~~索引生成已中止。 ~~The audit message contains result code `276` for `createIndex` audit events with `IndexBuildState` set to `IndexBuildAborted`.~~ 审核消息包含`IndexBuildState`设置为`IndexBuildAborted`的`createIndex`审核事件的结果代码`276`。~~The audit message contains result code `0` for `createIndex` audit events with `IndexBuildState` set to `IndexBuildStarted` or `IndexBuildSucceeded`.~~审核消息包含`IndexBuildState`设置为`IndexBuildStarted`或`IndexBuildSucceed`的`createIndex`审核事件的结果代码`0`。
`directAuthMutation`	{ document: { <collection modifications> }, ns: <database>.<collection>, operation: <database operation> } ~~Logged when a database operation directly modifies the contents of the `admin.system.users` or `admin.system.roles` collections.~~当数据库操作直接修改`admin.system.users`或`admin.system.roles`集合的内容时记录。 New in version 5.0.在版本5.0中新增。	`0` - ~~Success~~成功
`renameCollection`	{ old: <database>.<collection>, new: <database>.<collection> }	`0` - ~~Success~~成功
`dropCollection`	{ ns: <database>.<collection \|\| view>, viewOn: <database>.<collection>, pipeline: [ <pipeline definition> ] } ~~Logged when a:~~在以下情况下记录： ~~Collection is dropped.~~集合已删除。 ~~View is dropped, with the view name logged in the `ns` field.~~视图已删除，视图名称记录在`ns`字段中。 ~~Starting in MongoDB 5.0, this additional information is logged for a view:~~从MongoDB 5.0开始，将为视图记录以下附加信息： ~~`viewOn` field with the database and collection for the view.~~`viewOn`字段，其中包含视图的数据库和集合。 ~~`pipeline` field with the aggregation pipeline definition for the view.~~具有视图的聚合管道定义的`pipeline`字段。 ~~In addition, starting in MongoDB 5.0, a `dropCollection` audit event is logged when a `dropDatabase` event occurs.~~此外，从MongoDB 5.0开始，当发生`dropDatabase`事件时，会记录`dropCollection`审核事件。 Changed in version 5.0.在版本5.0中更改。	`0` - Success `26` - `NamespaceNotFound` ~~If the collection or view does not exist, the audit message shows the return code as `result: 26`.~~如果集合或视图不存在，则审核消息将显示返回代码，为`result: 26`。
`dropDatabase`	{ ns: <database> }	`0` - ~~Success~~成功
`dropIndex`	{ ns: <database>.<collection>, indexName: <index name> }	`0` - ~~Success~~成功
`createUser`	{ user: <user name>, db: <database>, customData: <document>, roles: [ { role: <role name>, db: <database> }, ... ] } ~~The `customData` field is optional.~~`customData`字段是可选的。	`0` - ~~Success~~成功
`dropUser`	{ user: <user name>, db: <database> }	`0` - ~~Success~~成功
`dropAllUsersFromDatabase`	{ db: <database> }	`0` - ~~Success~~成功
`updateUser`	{ user: <user name>, db: <database>, passwordChanged: <boolean>, customData: <document>, roles: [ { role: <role name>, db: <database> }, ... ] } ~~The `customData` field is optional.~~`customData`字段是可选的。	`0` - ~~Success~~成功
`grantRolesToUser`	{ user: <user name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }	`0` - ~~Success~~成功
`revokeRolesFromUser`	{ user: <user name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }	`0` - ~~Success~~成功
`createRole`	{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ], privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] } ~~The `roles` and the `privileges` fields are optional.~~`roles`字段和`privileges`字段是可选的。 ~~For details on the resource document, see Resource Document.~~ 有关资源文档的详细信息，请参阅资源文档。~~For a list of actions, see Privilege Actions.~~有关操作列表，请参阅权限操作。	`0` - ~~Success~~成功
`updateRole`	{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ], privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] } ~~The `roles` and the `privileges` fields are optional.~~`roles`字段和`privileges`字段是可选的。 ~~For details on the resource document, see Resource Document.~~ 有关资源文档的详细信息，请参阅资源文档。~~For a list of actions, see Privilege Actions.~~有关操作列表，请参阅权限操作。	`0` - ~~Success~~成功
`dropRole`	{ role: <role name>, db: <database> }	`0` - ~~Success~~成功
`dropAllRolesFromDatabase`	{ db: <database> }	`0` - ~~Success~~成功
`grantRolesToRole`	{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }	`0` - ~~Success~~成功
`revokeRolesFromRole`	{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }	`0` - ~~Success~~成功
`grantPrivilegesToRole`	{ role: <role name>, db: <database>, privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] } ~~For details on the resource document, see Resource Document.~~ 有关资源文档的详细信息，请参阅资源文档。~~For a list of actions, see Privilege Actions.~~有关操作列表，请参阅权限操作。	`0` - ~~Success~~成功
`revokePrivilegesFromRole`	{ role: <role name>, db: <database name>, privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] } ~~For details on the resource document, see Resource Document.~~ 有关资源文档的详细信息，请参阅资源文档。~~For a list of actions, see Privilege Actions.~~有关操作列表，请参阅权限操作。	`0` - ~~Success~~成功
`replSetReconfig`	{ old: { _id: <replicaSetName>, version: <number>, ... members: [ ... ], settings: { ... } }, new: { _id: <replicaSetName>, version: <number>, ... members: [ ... ], settings: { ... } } } ~~For details on the replica set configuration document, see Replica Set Configuration.~~有关副本集配置文档的详细信息，请参阅副本集配置。	`0` - ~~Success~~成功
`enableSharding`	{ ns: <database> }	`0` - ~~Success~~成功
`shardCollection`	{ ns: <database>.<collection>, key: <shard key pattern>, options: { unique: <boolean> } }	`0` - ~~Success~~成功
`addShard`	{ shard: <shard name>, connectionString: <hostname>:<port>, maxSize: <maxSize> } ~~When a shard is a replica set, the `connectionString` includes the replica set name and can include other members of the replica set.~~当分片是副本集时，`connectionString`包含副本集名称，并且可以包含副本集的其他成员。	`0` - ~~Success~~成功
`refineCollectionShardKey`	{ ns: <database>.<collection>, key: <shard key pattern> }	`0` - ~~Success~~成功
`removeShard`	{ shard: <shard name> }	`0` - ~~Success~~成功
`shutdown`	{ } ~~Indicates commencement of database shutdown.~~指示数据库关闭的开始。	`0` - ~~Success~~成功
`applicationMessage`	{ msg: <custom message string> } See `logApplicationMessage`.	`0` - ~~Success~~成功
`logout`	{ reason: <string>, initialUsers: [ <document>, ... ], updatedUsers: [ <document>, ... ], } `reason` ~~will be either:~~将是以下两者之一： ~~"Explicit logout from <database>"~~“从`<database>`显式注销” ~~"Implicit logout due to client connection closure"~~“由于客户端连接关闭导致隐式注销” `initialUsers` ~~is an array of documents containing users authenticated on the current client prior to logout.~~是一组文档，其中包含注销前在当前客户端上验证的用户。 `updatedUsers` ~~is an array of documents containing users expected to be authenticated on the current client after the logout event.~~是一个文档数组，其中包含注销事件后预期在当前客户端上进行身份验证的用户。 ~~Each document in `initialUsers` and `updatedUsers` contains:~~`initialUsers`和`updatedUsers`中的每个文档都包含： `user`: the username `db`~~: the database `user` is authenticated to~~：数据库`user`已通过身份验证 New in version 5.0.在版本5.0中新增。	`0` - ~~Success~~成功
`startup`	{ options: <document> } ~~The `options` document contains the options the instance was started with.~~`options`文档包含实例启动时使用的选项。 New in version 5.0.在版本5.0中新增。	`0` - ~~Success~~成功

← Configure Audit Filters Network and Configuration Hardening →