MongoDB Atlas supports auditing for all M10 and larger clusters. Atlas supports specifying a JSON-formatted audit filter as documented below and using the Atlas audit filter builder for simplified auditing configuration. To learn more, see the Atlas documentation for Set Up Database Auditing and Configure a Custom Auditing Filter.
MongoDB Enterprise supports auditing of various operations. When enabled, the audit facility, by default, records all auditable operations as detailed in Audit Event Actions, Details, and Results. You can specify event filters to limit which events are recorded. Filters can be configured at startup, or MongoDB can be configured to allow runtime specification.
Starting in MongoDB 5.0, audit configurations for mongod and mongos nodes can be configured at runtime. A group of these nodes can take part in a distributed audit configuration.
To include a node in a distributed audit configuration, update the node's configuration file as follows and restart the server.
Setting | Value
auditLog.runtimeConfiguration | true
auditLog.filter | Unset
auditAuthorizationSuccess | Unset
The server logs an error and fails to start if runtimeConfiguration is true and auditLog.filter or auditAuthorizationSuccess is set. To modify audit filters and the auditAuthorizationSuccess parameter at runtime, see setAuditConfig.
Audit filters can be specified on the command line or else in the configuration file used to start the mongod or mongos instance.
Filters can be specified in YAML under the auditLog section of the configuration file. See the examples below for sample configurations.
If runtimeConfiguration is enabled, then the configuration file cannot be used to specify audit filters.
The following example audits only the createCollection and dropCollection actions by using the filter:
{ atype: { $in: [ "createCollection", "dropCollection" ] } }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auditDestination file --auditFilter '{ atype: { $in: [ "createCollection", "dropCollection" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip option. For more information, see Localhost Binding Compatibility Changes.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
The <field> can include any field in the audit message. For authentication operations (i.e. atype: "authenticate"), the audit messages include a db field in the param document.
The following example audits only the authenticate operations that occur against the test database by using the filter:
{ atype: "authenticate", "param.db": "test" }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ atype: "authenticate", "param.db": "test" }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip option. For more information, see Localhost Binding Compatibility Changes.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: "authenticate", "param.db": "test" }'
To filter on all authenticate operations across databases, omit "param.db": "test" and use the filter { atype: "authenticate" }.
The <field> can include any field in the audit message. For collection creation and drop operations (i.e. atype: "createCollection" and atype: "dropCollection"), the audit messages include a namespace ns field in the param document.
The following example audits only the createCollection and dropCollection operations that occur against the test database by using the filter:
The regular expression requires two backslashes (\\) to escape the dot (.).
{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip option. For more information, see Localhost Binding Compatibility Changes.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }'
The following example audits operations by users with the readWrite role on the test database, including users with roles that inherit from readWrite, by using the filter:
{ roles: { role: "readWrite", db: "test" } }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ roles: { role: "readWrite", db: "test" } }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip option. For more information, see Localhost Binding Compatibility Changes.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ roles: { role: "readWrite", db: "test" } }'
To capture read and write operations in the audit, you must also enable the audit system to log authorization successes using the auditAuthorizationSuccess parameter. [1] Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.
This filter audits multiple read and write operations:
{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }
The audited operations include the find, insert, delete, update, and findandmodify commands named in the filter.
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --setParameter auditAuthorizationSuccess=true --auditDestination file --auditFilter '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip option. For more information, see Localhost Binding Compatibility Changes.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }'
setParameter: { auditAuthorizationSuccess: true }
To capture read and write operations in the audit, you must also enable the audit system to log authorization successes using the auditAuthorizationSuccess parameter. [1] Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.
This filter audits multiple read and write operations on the orders collection in the test database:
{ atype: "authCheck", "param.ns": "test.orders", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }
The audited operations include the find, insert, delete, update, and findandmodify commands named in the filter.
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --setParameter auditAuthorizationSuccess=true --auditDestination file --auditFilter '{ atype: "authCheck", "param.ns": "test.orders", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip option. For more information, see Localhost Binding Compatibility Changes.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: "authCheck", "param.ns": "test.orders", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }'
setParameter: { auditAuthorizationSuccess: true }
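As an added worked example (not code from the MongoDB documentation), the following Python script applies each filter shown on this page to a handful of constructed audit events in the JSON audit-log shape and reports which events each filter keeps. It implements only the subset of query semantics these filters use: exact match, $in, dotted paths into param, a regular expression on param.ns, and matching a document against the roles array. The sample events, user names, addresses and timestamps are constructed for illustration, and the page's /^test\\./ regex is written as a Python raw-string pattern.

```python
import json
import re

# Constructed sample audit events in the JSON audit-log shape that mongod writes
# with --auditFormat JSON. These are illustrative records, not captured server output.
SAMPLE_AUDIT_LOG = '''
{"atype":"createCollection","ts":{"$date":"2024-01-01T10:00:00.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"127.0.0.1","port":51000},"users":[{"user":"alice","db":"admin"}],"roles":[{"role":"readWrite","db":"test"}],"param":{"ns":"test.orders"},"result":0}
{"atype":"createCollection","ts":{"$date":"2024-01-01T10:00:01.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"127.0.0.1","port":51000},"users":[{"user":"alice","db":"admin"}],"roles":[{"role":"readWrite","db":"test"}],"param":{"ns":"testing.orders"},"result":0}
{"atype":"dropCollection","ts":{"$date":"2024-01-01T10:00:02.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"127.0.0.1","port":51000},"users":[{"user":"bob","db":"admin"}],"roles":[{"role":"dbAdmin","db":"test"}],"param":{"ns":"test.archive"},"result":0}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:03.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":52000},"users":[],"roles":[],"param":{"user":"alice","db":"test","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:04.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":52001},"users":[],"roles":[],"param":{"user":"eve","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authCheck","ts":{"$date":"2024-01-01T10:00:05.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":52000},"users":[{"user":"alice","db":"admin"}],"roles":[{"role":"readWrite","db":"test"}],"param":{"command":"find","ns":"test.orders","args":{"find":"orders","filter":{}}},"result":0}
{"atype":"authCheck","ts":{"$date":"2024-01-01T10:00:06.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":52000},"users":[{"user":"alice","db":"admin"}],"roles":[{"role":"readWrite","db":"test"}],"param":{"command":"insert","ns":"test.customers","args":{"insert":"customers"}},"result":0}
{"atype":"authCheck","ts":{"$date":"2024-01-01T10:00:07.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":52002},"users":[{"user":"bob","db":"admin"}],"roles":[{"role":"dbAdmin","db":"test"}],"param":{"command":"find","ns":"test.orders","args":{"find":"orders"}},"result":13}
'''

# The filters from this page, written as Python dicts. The /^test\\./ regex from the
# page becomes a raw-string pattern with a single backslash escaping the dot.
RW_COMMANDS = {"$in": ["find", "insert", "delete", "update", "findandmodify"]}
FILTERS = {
    "create_drop": {"atype": {"$in": ["createCollection", "dropCollection"]}},
    "auth_test_db": {"atype": "authenticate", "param.db": "test"},
    "create_drop_test_ns": {"atype": {"$in": ["createCollection", "dropCollection"]},
                            "param.ns": re.compile(r"^test\.")},
    "readwrite_test": {"roles": {"role": "readWrite", "db": "test"}},
    "rw_ops": {"atype": "authCheck", "param.command": RW_COMMANDS},
    "rw_ops_orders": {"atype": "authCheck", "param.ns": "test.orders", "param.command": RW_COMMANDS},
}


def _lookup(doc, dotted_path):
    """Resolve a dotted path such as "param.db" against a nested event document."""
    current = doc
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def _value_matches(actual, expected):
    """Match one field value against one filter value (subset of MongoDB query semantics)."""
    if isinstance(expected, re.Pattern):
        return isinstance(actual, str) and expected.search(actual) is not None
    if isinstance(expected, dict) and "$in" in expected:
        return actual in expected["$in"]
    # An array field matches when any element equals the filter value; this is how
    # { roles: { role: "readWrite", db: "test" } } matches an event's roles array.
    if isinstance(actual, list) and not isinstance(expected, list):
        return any(element == expected for element in actual)
    return actual == expected


def matches(event, audit_filter):
    """Return True when every clause of the filter matches the audit event."""
    return all(_value_matches(_lookup(event, path), expected)
               for path, expected in audit_filter.items())


def select_events(log_text, audit_filter):
    """Parse one JSON event per line and keep those the filter would audit."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    return [event for event in events if matches(event, audit_filter)]


def summarize(log_text=SAMPLE_AUDIT_LOG):
    """Map each filter name to (atype, ns or db, result) tuples of the events it keeps."""
    summary = {}
    for name, audit_filter in FILTERS.items():
        summary[name] = [
            (event["atype"], event["param"].get("ns") or event["param"].get("db"), event["result"])
            for event in select_events(log_text, audit_filter)
        ]
    return summary


if __name__ == "__main__":
    for name, kept in summarize().items():
        print(f"{name}: {len(kept)} event(s)")
        for row in kept:
            print("   ", row)
```

Running the script shows, for instance, that the regex filter keeps test.orders and test.archive but not testing.orders, and that the roles filter keeps only events whose roles array contains exactly the readWrite/test pair. Checking a filter this way against representative events before restarting a server with it is a cheap way to confirm it keeps what you expect. Of the three authCheck events, only the two with result 0 depend on auditAuthorizationSuccess being enabled; the failed check (result 13) is audited without it.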
[1] You can enable the auditAuthorizationSuccess parameter without enabling --auth; however, all operations will return success for authorization checks.