MongoDB Atlas supports auditing for all M10 and larger clusters. Atlas supports specifying a JSON-formatted audit filter as documented in Configure Audit Filters and using the Atlas audit filter builder for simplified auditing configuration. To learn more, see the Atlas documentation for Set Up Database Auditing and Configure a Custom Auditing Filter.
MongoDB Enterprise supports auditing of various operations. A complete auditing solution must involve all mongod server and mongos router processes.
The audit facility can write audit events to the console, the syslog (option is unavailable on Windows), a JSON file, or a BSON file. For details on the audited operations and the audit log messages, see System Event Audit Messages.
To enable auditing in MongoDB Enterprise, set an audit output destination with --auditDestination.
To enable auditing and print audit events to the syslog (option is unavailable on Windows) in JSON format, specify syslog for the --auditDestination setting. For example:
```sh
mongod --dbpath data/db --auditDestination syslog
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.

Before you bind to other IP addresses, consider enabling access control and the other security measures listed in the Security Checklist to prevent unauthorized access.
The syslog message limit can result in the truncation of audit messages. The auditing system neither detects the truncation nor raises an error when it occurs.
You may also specify these options in the configuration file:
```yaml
storage:
  dbPath: data/db
auditLog:
  destination: syslog
```
To enable auditing and print the audit events to standard output (i.e. stdout), specify console for the --auditDestination setting. For example:
```sh
mongod --dbpath data/db --auditDestination console
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.

Before you bind to other IP addresses, consider enabling access control and the other security measures listed in the Security Checklist to prevent unauthorized access.
You may also specify these options in the configuration file:
```yaml
storage:
  dbPath: data/db
auditLog:
  destination: console
```
To enable auditing and print audit events to a file in JSON format, specify the following options:
Option | Value
---|---
--auditDestination | file
--auditFormat | JSON
--auditPath | Path of the output file
For example, the following enables auditing and records audit events to a file with the relative path name of data/db/auditLog.json:
```sh
mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.

Before you bind to other IP addresses, consider enabling access control and the other security measures listed in the Security Checklist to prevent unauthorized access.
The audit file may be rotated with the logRotate command, either alongside the server log or independently. Rotation specifics may be configured with the systemLog.logRotate configuration file option or the --logRotate command-line option.
You may also specify these options in the configuration file:
```yaml
storage:
  dbPath: data/db
auditLog:
  destination: file
  format: JSON
  path: data/db/auditLog.json
```
Printing audit events to a file in JSON format degrades server performance more than printing to a file in BSON format.
To enable auditing and print audit events to a file in BSON binary format, specify the following options:
Option | Value
---|---
--auditDestination | file
--auditFormat | BSON
--auditPath | Path of the output file
For example, the following enables auditing and records audit events to a BSON file with the relative path name of data/db/auditLog.bson:
```sh
mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.

Before you bind to other IP addresses, consider enabling access control and the other security measures listed in the Security Checklist to prevent unauthorized access.
The audit file is rotated at the same time as the server log file. Rotation specifics may be configured with the systemLog.logRotate configuration file option or the --logRotate command-line option.
You may also specify these options in the configuration file:
```yaml
storage:
  dbPath: data/db
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
```
The following example converts the audit log into readable form using bsondump and outputs the result:
```sh
bsondump data/db/auditLog.bson
```
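Writing the audit log is only half of an auditing solution; someone has to read it. The following Python script is an added example for this page, not MongoDB documentation or server code. It consumes either the one-document-per-line JSON file produced by --auditDestination file --auditFormat JSON, or the JSON lines that bsondump prints for a BSON audit file, counts records it cannot parse (the syslog truncation described above leaves exactly this kind of record, and the server will not report it), and flags remote addresses with repeated failed authentication. The audit records, the addresses and the failure threshold are constructed for the example; the field names (atype, ts, remote, param, result) follow the System Event Audit Messages format, and result 18 is the AuthenticationFailed error code.

```python
"""Scan a MongoDB Enterprise JSON audit log for repeated authentication failures.

Added example for this page; not MongoDB documentation or server code.
Input: the JSON audit file (one document per line) or `bsondump` output.
"""
import json
import sys
from collections import defaultdict

# "result" value of a failed authentication (MongoDB error code
# AuthenticationFailed); 0 means the operation succeeded.
AUTH_FAILED = 18

# Constructed sample audit log. The last record is cut off mid-document, as a
# length-limited syslog transport would leave it; the parser must survive it.
SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:01.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51000},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:02.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51001},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:03.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51002},"users":[],"roles":[],"param":{"user":"backup","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:04.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"198.51.100.9","port":40000},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:05.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"198.51.100.9","port":40001},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"orders"}],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"createCollection","ts":{"$date":"2024-01-01T10:00:06.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"198.51.100.9","port":40001},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"orders"}],"param":{"ns":"orders.invoices"},"result":0}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:07.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":510
"""


def parse_audit_log(text):
    """Parse JSON audit records; return (events, malformed_count).

    Unparseable lines are counted rather than silently dropped: the server
    does not detect syslog truncation, so this count is the only evidence
    that records were lost.
    """
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def failed_logins(events):
    """Map remote IP -> list of (user, db) pairs that failed to authenticate."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("atype") != "authenticate" or ev.get("result") != AUTH_FAILED:
            continue
        param = ev.get("param", {})
        failures[ev["remote"]["ip"]].append((param.get("user"), param.get("db")))
    return dict(failures)


def suspicious_sources(events, threshold=3):
    """Remote IPs with at least `threshold` failed logins (threshold is arbitrary)."""
    return {ip: tries for ip, tries in failed_logins(events).items()
            if len(tries) >= threshold}


def summarize(text, threshold=3):
    """Event count, count of malformed records, and suspicious remote IPs."""
    events, malformed = parse_audit_log(text)
    return {
        "events": len(events),
        "malformed": malformed,
        "suspicious": suspicious_sources(events, threshold),
    }


if __name__ == "__main__":
    # Usage: python audit_scan.py [auditLog.json]; without an argument the
    # constructed sample is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    print(json.dumps(summarize(text), indent=2))
```

For a BSON audit file, pipe the converter into the script: `bsondump data/db/auditLog.bson > auditLog.json` and then run it on that file. Successful authentications are recorded with result 0, so a source that fails several times and then succeeds still shows up in the failure list, which is usually the case worth looking at first.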
Starting in MongoDB 5.0, audit filters can be configured at runtime. Runtime Audit Filter Management provides three benefits compared to audit filter configurations that are specified in a local mongod or mongos configuration file:

1. Improved security. Prior to MongoDB 5.0, anyone auditing a MongoDB mongod or mongos instance had to have write access to the host server's file system in order to update audit filters. Runtime Audit Filter Management improves security by separating audit access from administrative access. Using Runtime Audit Filter Management instead of editing configuration files directly means:
   - no file system access to the mongod or mongos host server is needed;
   - no edits to the mongod or mongos instance's configuration file are needed;
   - audit filters and the auditAuthorizationSuccess parameter are managed at runtime.

2. Reconfiguration at runtime. Starting in MongoDB 5.0, when Runtime Audit Filter Management is enabled, auditing can be reconfigured at runtime without restarting the mongod or mongos instance. A statically configured instance has to be restarted to update its audit settings. Audit filter modifications made at runtime persist when an instance is shut down and restarted.

3. Consistent audit filters across a cluster. Within a cluster, if all participating mongod and mongos nodes are configured to use Runtime Audit Filter Management, then every node will use the same audit filters. In contrast, if each node has its own locally configured audit filters, there is no guarantee of audit filter consistency across nodes.
Starting in MongoDB 5.0, audit configurations for mongod and mongos nodes can be configured at runtime. A group of these nodes can take part in a distributed audit configuration.
To include a node in a distributed audit configuration, update the node's configuration file as follows and restart the server.
Setting | Value
---|---
auditLog.runtimeConfiguration | true
auditLog.filter | Unset
auditAuthorizationSuccess | Unset
The server logs an error and fails to start if runtimeConfiguration is true and auditLog.filter or auditAuthorizationSuccess is set.

To modify audit filters and the auditAuthorizationSuccess parameter at runtime, see setAuditConfig.