Configure Audit Filters配置审核筛选器

~~On this page~~本页内容

~~Filter Configuration at Runtime~~运行时的筛选器配置
~~Filter Configuration at System Startup~~系统启动时的筛选器配置
~~Examples~~实例

Note

Auditing in MongoDB AtlasMongoDB Atlas中的审计

~~MongoDB Atlas supports auditing for all M10 and larger clusters.~~ MongoDB Atlas支持对所有M10及更大集群的审计。Atlas supports specifying a JSON-formatted audit filter as documented below and using the Atlas audit filter builder for simplified auditing configuration. To learn more, see the Atlas documentation for Set Up Database Auditing and Configure a Custom Auditing Filter.Atlas支持指定JSON格式的审计筛选器，如下所述，并使用Atlas审计筛选器生成器简化审计配置。要了解更多信息，请参阅Atlas文档中的设置数据库审核和配置自定义审核筛选器。

~~MongoDB Enterprise supports auditing of various operations.~~ MongoDB Enterprise支持对各种操作的审计。When enabled, the audit facility, by default, records all auditable operations as detailed in Audit Event Actions, Details, and Results. You can specify event filters to limit which events are recorded. 启用后，默认情况下，审核功能会按照“审核事件操作”、“详细信息”和“结果”中的详细信息记录所有可审核操作。您可以指定事件筛选器来限制记录的事件。~~Filters can be configured at startup or MongoDB can be configured to allow runtime specification.~~筛选器可以在启动时配置，或者MongoDB可以配置为允许运行时规范。

Filter Configuration at Runtime运行时的筛选器配置

~~Starting in MongoDB 5.0, audit configurations for mongod and mongos nodes can be configured at runtime. A group of these nodes can take part in a distributed audit configuration.~~从MongoDB 5.0开始，可以在运行时配置mongod和mongos节点的审核配置。这些节点中的一组可以参与分布式审核配置。

~~To include a node in a distributed audit configuration, update the node's configuration file as follows and restart the server.~~要将节点包括在分布式审核配置中，请按如下方式更新节点的配置文件，然后重新启动服务器。

~~Parameter~~参数	~~Value~~值
`auditLog.runtimeConfiguration`	`true`
`auditLog.filter`	Unset
`auditAuthorizationSuccess`	Unset

~~The server logs an error and fails to start if:~~如果出现以下情况，服务器将记录错误并无法启动：

runtimeConfiguration ~~is true and~~为true，并且
~~either auditLog.filter or auditAuthorizationSuccess is set.~~设置了auditLog.filter或auditAuthorizationSuccess。

~~To modify audit filters and the auditAuthorizationSuccess parameter at runtime, see setAuditConfig.~~要在运行时修改审核筛选器和auditAuthorizationSuccess参数，请参阅setAuditConfig。

Filter Configuration at System Startup系统启动时的筛选器配置

~~Audit filters can be specified on the command line or else in the configuration file used to start the mongod or mongos instance.~~审计筛选器可以在命令行上指定，也可以在用于启动mongod或mongos实例的配置文件中指定。

Configuration File Usage配置文件使用情况

~~Filters can be specified in YAML under the auditLog session of the configuration file. See the examples below for sample configurations.~~筛选器可以在配置文件的auditLog会话下的YAML中指定。有关示例配置，请参阅下面的示例。

Note

~~If runtimeConfiguration is enabled, then the configuration file cannot be used to specify audit filters.~~如果启用了runtimeConfiguration，则配置文件不能用于指定审核筛选器。

Examples实例

Filter for Multiple Operation Types多种操作类型的筛选器

~~The following example audits only the createCollection and dropCollection actions by using the filter:~~以下示例使用筛选器仅审核createCollection和dropCollection操作：

{ atype: { $in: [ "createCollection", "dropCollection" ] } }

~~To specify an audit filter, enclose the filter document in single quotes to pass the document as a string.~~若要指定审核筛选器，请将筛选器文档用单引号括起来，以字符串形式传递该文档。

mongod --dbpath data/db --auditDestination file --auditFilter '{ atype: { $in: [ "createCollection", "dropCollection" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. 包括配置所需的其他选项。例如，如果希望远程客户端连接到部署，或者部署成员在不同的主机上运行，请指定--bind_ip。~~For more information, see Localhost Binding Compatibility Changes.~~有关详细信息，请参阅Localhost绑定兼容性更改。

~~To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.~~要在配置文件中指定审核筛选器，必须使用配置文件的YAML格式。

storage:
   dbPath: data/db
auditLog:
   destination: file
   format: BSON
   path: data/db/auditLog.bson
   filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'

Filter on Authentication Operations on a Single Database对单个数据库上的身份验证操作进行筛选

~~The <field> can include any field in the audit message. For authentication operations (i.e. atype: "authenticate"), the audit messages include a db field in the param document.~~<field>可以包括审核消息中的任何字段。对于身份验证操作（即atype: "authenticate"），审核消息在param文档中包含一个db字段。

~~The following example audits only the authenticate operations that occur against the test database by using the filter:~~以下示例使用筛选器仅审核针对test数据库进行的authenticate操作：

{ atype: "authenticate", "param.db": "test" }

mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ atype: "authenticate", "param.db": "test" }' --auditFormat BSON --auditPath data/db/auditLog.bson

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.包括配置所需的其他选项。例如，如果希望远程客户端连接到部署，或者部署成员在不同的主机上运行，请指定--bind_ip。有关详细信息，请参阅Localhost绑定兼容性更改。

~~To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.~~要在配置文件中指定审核筛选器，必须使用配置文件的YAML格式。

storage:
   dbPath: data/db
security:
   authorization: enabled
auditLog:
   destination: file
   format: BSON
   path: data/db/auditLog.bson
   filter: '{ atype: "authenticate", "param.db": "test" }'

~~To filter on all authenticate operations across databases, omit "param.db": "test" and use the filter { atype: "authenticate" }.~~若要筛选跨数据库的所有authenticate操作，请省略"param.db": "test"并使用筛选器{ atype: "authenticate" }。

Filter on Collection Creation and Drop Operations for a Single Database对单个数据库的集合创建和删除操作进行筛选

~~The <field> can include any field in the audit message.~~ <field>可以包括审核消息中的任何字段。~~For collection creation and drop operations (i.e. atype: "createCollection" and atype: "dropCollection"), the audit messages include a namespace ns field in the param document.~~对于集合的创建和删除操作（即atype: "createCollection"和atype: "dropCollection"），审核消息在param文档中包括命名空间ns字段。

~~The following example audits only the createCollection and dropCollection operations that occur against the test database by using the filter:~~以下示例通过使用筛选器仅审核针对测试数据库发生的createCollection和dropCollection操作：

Note

~~The regular expression requires two backslashes (\\) to escape the dot (.).~~正则表达式需要两个反斜杠（\\）来转义点（.）。

{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }

mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }' --auditFormat BSON --auditPath data/db/auditLog.bson

~~Include additional options as required for your configuration.~~ 包括配置所需的其他选项。~~For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip.~~ 例如，如果希望远程客户端连接到部署，或者部署成员在不同的主机上运行，请指定--bind_ip。~~For more information, see Localhost Binding Compatibility Changes.~~有关详细信息，请参阅Localhost绑定兼容性更改。

~~To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.~~要在配置文件中指定审核筛选器，必须使用配置文件的YAML格式。

storage:
   dbPath: data/db
security:
   authorization: enabled
auditLog:
   destination: file
   format: BSON
   path: data/db/auditLog.bson
   filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }'

Filter by Authorization Role按授权角色筛选

~~The following example audits operations by users with readWrite role on the test database, including users with roles that inherit from readWrite, by using the filter:~~以下示例通过使用筛选器审核test数据库中具有readWrite角色的用户的操作，包括具有从readWrite继承的角色的用户：

{ roles: { role: "readWrite", db: "test" } }

mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ roles: { role: "readWrite", db: "test" } }' --auditFormat BSON --auditPath data/db/auditLog.bson

~~To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.~~要在配置文件中指定审核筛选器，必须使用配置文件的YAML格式。

storage:
   dbPath: data/db
security:
   authorization: enabled
auditLog:
   destination: file
   format: BSON
   path: data/db/auditLog.bson
   filter: '{ roles: { role: "readWrite", db: "test" } }'

Filter on Read and Write Operations读取和写入操作筛选

~~To capture read and write operations in the audit, you must also enable the audit system to log authorization successes using the auditAuthorizationSuccess parameter.~~ 要在审核中捕获读写操作，还必须启用审核系统，以便使用auditAuthorizationSuccess参数记录授权成功。[1]

Note

~~Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.~~启用auditAuthorizationSuccess比只记录授权失败更能降低性能。

~~This filter audits multiple read and write operations:~~此筛选器审核多个读写操作：

{
   atype: "authCheck",
   "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] }
}

~~The audited operations include:~~经审计的业务包括：

mongod --dbpath data/db --auth --setParameter auditAuthorizationSuccess=true --auditDestination file --auditFilter '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson

~~To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.~~要在配置文件中指定审核筛选器，必须使用配置文件的YAML格式。

storage:
   dbPath: data/db
security:
   authorization: enabled
auditLog:
   destination: file
   format: BSON
   path: data/db/auditLog.bson
   filter: '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }'
setParameter: { auditAuthorizationSuccess: true }

Filter on Read and Write Operations for a Collection对集合的读写操作进行筛选

Note

~~Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.~~启用auditAuthorizationSuccess比只记录授权失败更能降低性能。

~~This filter audits multiple read and write operations on the orders collection in the test database:~~此筛选器审核test数据库中orders集合的多个读写操作：

{
    atype: "authCheck",
    "param.ns": "test.orders",
    "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] }
}

~~The audited operations include:~~经审计的业务包括：

mongod --dbpath data/db --auth --setParameter auditAuthorizationSuccess=true --auditDestination file --auditFilter '{ atype: "authCheck", "param.ns": "test.orders", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.包括配置所需的其他选项。例如，如果希望远程客户端连接到部署，或者部署成员在不同的主机上运行，请指定--bind_ip。有关详细信息，请参阅Localhost绑定兼容性更改。

~~To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.~~要在配置文件中指定审核筛选器，必须使用配置文件的YAML格式。

storage:
   dbPath: data/db
security:
   authorization: enabled
auditLog:
   destination: file
   format: BSON
   path: data/db/auditLog.bson
   filter: '{ atype: "authCheck", "param.ns": "test.orders", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }'
setParameter: { auditAuthorizationSuccess: true }

Tip

Configure Audit Filters配置审核筛选器

Auditing in MongoDB AtlasMongoDB Atlas中的审计

Filter Configuration at Runtime运行时的筛选器配置

Filter Configuration at System Startup系统启动时的筛选器配置

Configuration File Usage配置文件使用情况

Examples实例

Filter for Multiple Operation Types多种操作类型的筛选器

Filter on Authentication Operations on a Single Database对单个数据库上的身份验证操作进行筛选

Filter on Collection Creation and Drop Operations for a Single Database对单个数据库的集合创建和删除操作进行筛选

Filter by Authorization Role按授权角色筛选

Filter on Read and Write Operations读取和写入操作筛选

Filter on Read and Write Operations for a Collection对集合的读写操作进行筛选

See also: 另请参阅：