
System Event Audit Messages

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

Audit Message

The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing.

Changed in version 5.0.

The recorded JSON messages have the following syntax:

{
  atype: <string>,
  ts : { $date: <timestamp> },
  uuid : { $binary: <string>, $type: <string> },
  local: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  remote: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  users : [ { user: <string>, db: <string> }, ... ],
  roles: [ { role: <string>, db: <string> }, ... ],
  param: <document>,
  result: <int>
}
Field | Type | Description
atype | string | Action type. See Audit Event Actions, Details, and Results.
ts | document | Document that contains the date and UTC time of the event, in ISO 8601 format.
uuid | document | A document that contains a message identifier.
The UUID identifies a client connection. Use the UUID to track audit events connected to that client.
The value of the $type field is BSON type 04, which indicates that the $binary field contains a UUID.
New in version 5.0.
local | document | A document that contains the ip address and the port number of the running instance.
Starting in MongoDB 5.0, can alternatively be a document with one of these fields:
  • isSystemUser that indicates whether the user who caused the event was a system user. Logged for self-referential jobs initiated by a background process that runs on the same server instance.
  • unix that contains the MongoDB socket file path if the client connects through a Unix domain socket.
Note
Starting in MongoDB 5.0, the local field is deprecated. Use the localEndpoint field in the clientMetadata audit message instead.
Changed in version 5.0.
remote | document | A document that contains the ip address and the port number of the incoming connection associated with the event.
Starting in MongoDB 5.0, can alternatively be a document with one of these fields:
  • isSystemUser that indicates whether the user who caused the event was a system user. Logged for self-referential jobs initiated by a background process that runs on the same server instance.
  • unix that contains the MongoDB socket file path if the client connects through a Unix domain socket.
Changed in version 5.0.
users | array | Array of user identification documents. Because MongoDB allows a session to log in with a different user per database, this array can have more than one user. Each document contains a user field for the username and a db field for the authentication database for that user.
roles | array | Array of documents that specify the roles granted to the user. Each document contains a role field for the name of the role and a db field for the database associated with the role.
param | document | Specific details for the event. See Audit Event Actions, Details, and Results.
result | integer | Error code. See Audit Event Actions, Details, and Results.

Audit Event Actions, Details, and Results

The following table lists, for each atype or action type, the associated param details and the result values, if any.

atype | param | result
authenticate
{
user: <user name>,
db: <database>,
mechanism: <mechanism>
}
Starting in MongoDB 5.0, authenticate:
  • Is logged for incomplete authentication attempts.
  • Includes the principal name and identifier in mechanism for external authentication mechanisms such as x.509 and Amazon Web Services Identity and Access Management (AWS-IAM) (see authMechanism).
Changed in version 5.0.
0 - Success
18 - Authentication Failed
334 - Mechanism Unavailable
authCheck
{
command: <name>,
ns: <database>.<collection>,
args: <command object>
}
ns field is optional.
args field may be redacted.
By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the auditAuthorizationSuccess parameter.
Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.
Starting in MongoDB 5.0, authCheck is not logged for actions that are generated internally.
Changed in version 5.0.
0 - Success
13 - Unauthorized to perform the operation.
clientMetadata
{
  localEndpoint : {
    ip : <IP address of running instance>,
    port : <port of running instance>
  } || {
    unix : <MongoDB socket file path if connecting through a Unix domain socket>
  },
  clientMetadata : {
    driver : {
      name : <client driver name>,
      version : <client driver version>
    },
    os : {
      type : <client operating system type>,
      name : <client operating system name>,
      architecture : <client operating system architecture>,
      version : <client operating system version>
    },
    platform : <client platform name>,
    application : {
      name : <client application name>
    }
  }
}
Contains the client metadata. Logged when the client runs the hello command.
See also: Client Data
New in version 5.0.
0 - Success
createCollection
{
ns: <database>.<collection || view>,
viewOn: <database>.<collection>,
pipeline: [ <pipeline definition> ]
}
Logged when a:
  • Collection is created.
  • View is created, with the view name logged in the ns field.
Starting in MongoDB 5.0, this additional information is logged for a view:
  • viewOn field with the database and collection for the view.
  • pipeline field with the aggregation pipeline definition for the view.

Changed in version 5.0.
0 - Success
createDatabase
{ ns: <database> }
0 - Success
createIndex
{
ns: <database>.<collection>,
indexName: <index name>,
indexSpec: <index specification>,
indexBuildState: <index build state>
}
Possible values for indexBuildState are:
  • IndexBuildStarted
  • IndexBuildSucceeded
  • IndexBuildAborted
Starting in MongoDB 5.0, createIndex audit events are:
  • Logged at the start and end of index creation, and include a message indicating whether the index was successfully created.
  • Attributed to the originating user for the action that caused the createIndex audit event.
  • Logged for a createCollection event if the collection has an index.

Changed in version 5.0.
0 - Success
276 - Index build aborted.
The audit message contains result code 276 for createIndex audit events with indexBuildState set to IndexBuildAborted.
The audit message contains result code 0 for createIndex audit events with indexBuildState set to IndexBuildStarted or IndexBuildSucceeded.
directAuthMutation
{
document: {
<collection modifications>
},
ns: <database>.<collection>,
operation: <database operation>
}
Logged when a database operation directly modifies the contents of the admin.system.users or admin.system.roles collections.
New in version 5.0.
0 - Success
renameCollection
{
old: <database>.<collection>,
new: <database>.<collection>
}
0 - Success
dropCollection
{
ns: <database>.<collection || view>,
viewOn: <database>.<collection>,
pipeline: [ <pipeline definition> ]
}
Logged when a:
  • Collection is dropped.
  • View is dropped, with the view name logged in the ns field.
Starting in MongoDB 5.0, this additional information is logged for a view:
  • viewOn field with the database and collection for the view.
  • pipeline field with the aggregation pipeline definition for the view.
In addition, starting in MongoDB 5.0, a dropCollection audit event is logged when a dropDatabase event occurs.
Changed in version 5.0.
0 - Success
26 - NamespaceNotFound
If the collection or view does not exist, the audit message shows the return code as result: 26.
dropDatabase
{ ns: <database> }
0 - Success
dropIndex
{
ns: <database>.<collection>,
indexName: <index name>
}
0 - Success
createUser
{
user: <user name>,
db: <database>,
customData: <document>,
roles: [
{
role: <role name>,
db: <database>
},
...
]
}
The customData field is optional.
0 - Success
dropUser
{
user: <user name>,
db: <database>
}
0 - Success
dropAllUsersFromDatabase
{ db: <database> }
0 - Success
getClusterParameter
{
requestedClusterServerParameters: <parameters>
}
0 - Success
setClusterParameter
{
originalClusterServerParameter: <original parameter value>,
updatedClusterServerParameter: <new parameter value>
}
0 - Success
updateCachedClusterServerParameter
{
originalClusterServerParameter: <original parameter value>,
updatedClusterServerParameter: <new parameter value>
}
Logged when a parameter is changed because of:
  • Propagation of a setClusterParameter command
  • Replication event such as rollback
  • A refresh of new cluster parameter values from the config server on mongos
0 - Success
updateUser
{
user: <user name>,
db: <database>,
passwordChanged: <boolean>,
customData: <document>,
roles: [
{
role: <role name>,
db: <database>
},
...
]
}
The customData field is optional.
0 - Success
grantRolesToUser
{
user: <user name>,
db: <database>,
roles: [
{
role: <role name>,
db: <database>
},
...
]
}
0 - Success
revokeRolesFromUser
{
user: <user name>,
db: <database>,
roles: [
{
role: <role name>,
db: <database>
},
...
]
}
0 - Success
createRole
{
role: <role name>,
db: <database>,
roles: [
{
role: <role name>,
db: <database>
},
...
],
privileges: [
{
resource: <resource document>,
actions: [ <action>, ... ]
},
...
]
}
The roles and the privileges fields are optional.
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.
0 - Success
updateRole
{
role: <role name>,
db: <database>,
roles: [
{
role: <role name>,
db: <database>
},
...
],
privileges: [
{
resource: <resource document>,
actions: [ <action>, ... ]
},
...
]
}
The roles and the privileges fields are optional.
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.
0 - Success
dropRole
{
role: <role name>,
db: <database>
}
0 - Success
dropAllRolesFromDatabase
{ db: <database> }
0 - Success
grantRolesToRole
{
role: <role name>,
db: <database>,
roles: [
{
role: <role name>,
db: <database>
},
...
]
}
0 - Success
revokeRolesFromRole
{
role: <role name>,
db: <database>,
roles: [
{
role: <role name>,
db: <database>
},
...
]
}
0 - Success
grantPrivilegesToRole
{
role: <role name>,
db: <database>,
privileges: [
{
resource: <resource document>,
actions: [ <action>, ... ]
},
...
]
}
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.
0 - Success
revokePrivilegesFromRole
{
role: <role name>,
db: <database name>,
privileges: [
{
resource: <resource document>,
actions: [ <action>, ... ]
},
...
]
}
For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.
0 - Success
replSetReconfig
{
old: {
_id: <replicaSetName>,
version: <number>,
...
members: [ ... ],
settings: { ... }
},
new: {
_id: <replicaSetName>,
version: <number>,
...
members: [ ... ],
settings: { ... }
}
}
For details on the replica set configuration document, see Replica Set Configuration.
0 - Success
enableSharding
{ ns: <database> }
0 - Success
shardCollection
{
ns: <database>.<collection>,
key: <shard key pattern>,
options: { unique: <boolean> }
}
0 - Success
addShard
{
shard: <shard name>,
connectionString: <hostname>:<port>,
}
When a shard is a replica set, the connectionString includes the replica set name and can include other members of the replica set.
0 - Success
refineCollectionShardKey
{
ns: <database>.<collection>,
key: <shard key pattern>
}
0 - Success
removeShard
{ shard: <shard name> }
0 - Success
shutdown
{ }
Indicates commencement of database shutdown.
0 - Success
applicationMessage
{ msg: <custom message string> }
See logApplicationMessage.
0 - Success
logout
{
reason: <string>,
initialUsers: [ <document>, ... ],
updatedUsers: [ <document>, ... ],
}
reason will be either:
  • "Explicit logout from <database>"
  • "Implicit logout due to client connection closure"
initialUsers is an array of documents containing users authenticated on the current client prior to logout.
updatedUsers is an array of documents containing users expected to be authenticated on the current client after the logout event.
Each document in initialUsers and updatedUsers contains:
  • user: the username
  • db: the database user is authenticated to

New in version 5.0.
0 - Success
startup
{
startupOptions: <document>,
initialClusterServerParameter: <array of documents>
}
  • startupOptions contains all of the options that the node has after startup
  • initialClusterServerParameters contains the initial values of the cluster server parameters that the node has at the end of startup:
    • after they have been loaded from storage (for mongod)
    • after they have been refreshed from the config server (for mongos).

New in version 5.0.

Changed in version 6.1.
0 - Success
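
The following triage sketch is an added example, not code from the MongoDB manual. It groups audit messages by connection uuid and flags the result codes and atype values listed above that matter most for detection. The names triage, endpoint and PRIVILEGE_ATYPES, the failure threshold, and the sample log lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

AUTH_FAILED, UNAUTHORIZED = 18, 13  # result codes from the table above
PRIVILEGE_ATYPES = {"directAuthMutation", "createUser", "updateUser", "createRole", "updateRole",
                    "grantRolesToUser", "grantRolesToRole", "grantPrivilegesToRole"}

# Constructed sample lines, one audit message per line ("local" omitted for brevity).
SAMPLE_LOG = """\
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:00.000+00:00"},"uuid":{"$binary":"AAAAAAAAAAAAAAAAAAAAAQ==","$type":"04"},"remote":{"ip":"198.51.100.7","port":50112},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:01.000+00:00"},"uuid":{"$binary":"AAAAAAAAAAAAAAAAAAAAAg==","$type":"04"},"remote":{"ip":"192.0.2.10","port":40022},"users":[],"roles":[],"param":{"user":"report","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:02.000+00:00"},"uuid":{"$binary":"AAAAAAAAAAAAAAAAAAAAAQ==","$type":"04"},"remote":{"ip":"198.51.100.7","port":50112},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authCheck","ts":{"$date":"2024-01-01T10:00:03.000+00:00"},"uuid":{"$binary":"AAAAAAAAAAAAAAAAAAAAAg==","$type":"04"},"remote":{"ip":"192.0.2.10","port":40022},"users":[{"user":"report","db":"admin"}],"roles":[{"role":"read","db":"sales"}],"param":{"command":"find","ns":"admin.system.users","args":{"find":"system.users"}},"result":13}
{"atype":"directAuthMutation","ts":{"$date":"2024-01-01T10:00:04.000+00:00"},"uuid":{"$binary":"AAAAAAAAAAAAAAAAAAAAAw==","$type":"04"},"remote":{"unix":"/tmp/mongodb-27017.sock"},"users":[{"user":"ops","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"document":{"user":"svc"},"ns":"admin.system.users","operation":"insert"},"result":0}
"""

def endpoint(doc):
    """Render a remote/local document: ip+port, unix socket path, or system user."""
    if "ip" in doc:
        return f"{doc['ip']}:{doc['port']}"
    if "unix" in doc:
        return "unix:" + doc["unix"]
    return "system" if doc.get("isSystemUser") else "unknown"

def triage(log_text, max_auth_failures=2):
    """Group events by connection UUID; return (uuid, remote, reason) findings."""
    by_conn = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        by_conn[event["uuid"]["$binary"]].append(event)
    findings = []
    for conn, events in by_conn.items():
        remote = endpoint(events[0].get("remote", {}))
        failed = sum(e["atype"] == "authenticate" and e["result"] == AUTH_FAILED
                     for e in events)
        if failed >= max_auth_failures:
            findings.append((conn, remote, f"{failed} failed authenticate events"))
        for e in events:
            param = e.get("param", {})
            if e["atype"] == "authCheck" and e["result"] == UNAUTHORIZED:
                findings.append((conn, remote,
                                 f"unauthorized {param['command']} on {param.get('ns', '-')}"))
            elif e["atype"] in PRIVILEGE_ATYPES and e["result"] == 0:
                findings.append((conn, remote, f"{e['atype']} succeeded"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Because authCheck successes are only logged when auditAuthorizationSuccess is enabled, the sketch keys on result 13 for authCheck and treats the user and role management events as notable whenever they succeed.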