Configure Auditing配置审核
On this page本页内容
Auditing in MongoDB AtlasMongoDB Atlas中的审计
MongoDB Atlas supports auditing for all MongoDB Atlas支持对所有M10 and larger clusters. M10及更大集群的审计。Atlas supports specifying a JSON-formatted audit filter as documented in Configure Audit Filters and using the Atlas audit filter builder for simplified auditing configuration. Atlas支持指定JSON格式的审计筛选器,如配置审计筛选器中所述,并使用Atlas审计筛选器生成器简化审计配置。To learn more, see the Atlas documentation for Set Up Database Auditing and Configure a Custom Auditing Filter.要了解更多信息,请参阅Atlas文档中的设置数据库审核和配置自定义审核筛选器。
MongoDB EnterpriseMongoDB Enterprise
supports auditing of various operations. 支持对各种操作的审计。A complete auditing solution must involve all 一个完整的审计解决方案必须涉及所有mongod server and mongos router processes.mongod服务器和mongos路由器进程。
The audit facility can write audit events to the console, the syslog (option is unavailable on Windows), a JSON file, or a BSON file. For details on the audited operations and the audit log messages, see System Event Audit Messages.审计功能可以将审计事件写入控制台、syslog(选项在Windows上不可用)、JSON文件或BSON文件。有关已审核操作和审核日志消息的详细信息,请参阅系统事件审核消息。
Enable and Configure Audit Output启用和配置审核输出
To enable auditing in MongoDB Enterprise, set an audit output destination with 要在MongoDB Enterprise中启用审计,请使用--auditDestination.--auditDestination设置一个审计输出目标。
Output to Syslog输出到Syslog
To enable auditing and print audit events to the syslog (option is unavailable on Windows) in JSON format, specify 要启用审核并以JSON格式将审核事件打印到syslog for the --auditDestination setting. syslog(选项在Windows上不可用),请为--auditDestination设置指定syslog。For example:例如:
mongod --dbpath data/db --auditDestination syslog
Include additional options as required for your configuration. 包括配置所需的其他选项。For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the 例如,如果希望远程客户端连接到部署,或者部署成员在不同的主机上运行,请指定--bind_ip. --bind_ip。For more information, see Localhost Binding Compatibility Changes.有关详细信息,请参阅Localhost绑定兼容性更改。
Before you bind to other ip addresses, consider enabling access control and other security measures listed in Security Checklist to prevent unauthorized access.在绑定到其他ip地址之前,请考虑启用安全检查表中列出的访问控制和其他安全措施,以防止未经授权的访问。
The syslog message limit can result in the truncation of the audit messages. The auditing system will neither detect the truncation nor error upon its occurrence.系统日志消息限制可能导致审核消息被截断。审计系统既不会检测到截断,也不会在出现错误时检测到。
In a Linux system, messages are subject to the rules defined in the Linux configuration file 在Linux系统中,消息受Linux配置文件/etc/systemd/journald.conf. By default, log message bursts are limited to 1000 messages within a 30 second period. To see more messages, increase the RateLimitBurst parameter in /etc/systemd/journald.conf./etc/systemd/journald.conf中定义的规则的约束。默认情况下,日志消息突发在30秒内限制为1000条消息。要查看更多消息,请增加/etc/systemd/journald.conf中的RateLimitBurst参数。
You may also specify these options in the configuration file:您也可以在配置文件中指定以下选项:
storage:
dbPath: data/db
auditLog:
destination: syslog
Output to Console输出到控制台
To enable auditing and print the audit events to standard output (i.e. 要启用审核并将审核事件打印到标准输出(即stdout), specify console for the --auditDestination setting. stdout),请为--auditDestination设置指定控制台。For example:例如:
mongod --dbpath data/db --auditDestination console
Include additional options as required for your configuration. 包括配置所需的其他选项。For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the 例如,如果希望远程客户端连接到部署,或者部署成员在不同的主机上运行,请指定--bind_ip. --bind_ip。For more information, see Localhost Binding Compatibility Changes.有关详细信息,请参阅Localhost绑定兼容性更改。
Before you bind to other ip addresses, consider enabling access control and other security measures listed in Security Checklist to prevent unauthorized access.在绑定到其他ip地址之前,请考虑启用安全检查表中列出的访问控制和其他安全措施,以防止未经授权的访问。
You may also specify these options in the configuration file:您也可以在配置文件中指定以下选项:
storage:
dbPath: data/db
auditLog:
destination: console
Output to JSON File输出到JSON文件
To enable auditing and print audit events to a file in JSON format, specify the following options:要启用审核并将审核事件打印到JSON格式的文件,请指定以下选项:
--auditDestination | file |
--auditFormat | JSON |
--auditPath |
For example, the following enables auditing and records audit events to a file with the relative path name of 例如,以下内容启用审计并将审计事件记录到相对路径名为data/db/auditLog.json:data/db/auditLog.json的文件中:
mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the 包括配置所需的其他选项。例如,如果希望远程客户端连接到部署,或者部署成员在不同的主机上运行,请指定--bind_ip. For more information, see Localhost Binding Compatibility Changes.--bind_ip。有关详细信息,请参阅Localhost绑定兼容性更改。
Before you bind to other ip addresses, consider enabling access control and other security measures listed in Security Checklist to prevent unauthorized access.在绑定到其他ip地址之前,请考虑启用安全检查表中列出的访问控制和其他安全措施,以防止未经授权的访问。
The audit file may be rotated with the 可以使用logRotate command, either alongside the server log or independently. logRotate命令旋转审核文件,可以与服务器日志一起旋转,也可以独立旋转。Rotation specifics may be configured with the 旋转细节可以使用systemLog.logRotate configuration file option or the --logRotate command-line option.systemLog.logRotate配置文件选项或--logRotate命令行选项进行配置。
You may also specify these options in the configuration file:您也可以在配置文件中指定以下选项:
storage:
dbPath: data/db
auditLog:
destination: file
format: JSON
path: data/db/auditLog.json
Printing audit events to a file in JSON format degrades server performance more than printing to a file in BSON format.将审核事件打印到JSON格式的文件比打印到BSON格式的文件更能降低服务器性能。
Output to BSON File输出到BSON文件
To enable auditing and print audit events to a file in BSON binary format, specify the following options:要启用审核并将审核事件打印到BSON二进制格式的文件,请指定以下选项:
--auditDestination | file |
--auditFormat | BSON |
--auditPath |
For example, the following enables auditing and records audit events to a BSON file with the relative path name of 例如,以下命令启用审核并将审核事件记录到BSON文件中,该文件的相对路径名为data/db/auditLog.bson:data/db/auditLog.bson:
mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the 包括配置所需的其他选项。例如,如果希望远程客户端连接到部署,或者部署成员在不同的主机上运行,请指定--bind_ip. --bind_ip。For more information, see Localhost Binding Compatibility Changes.有关详细信息,请参阅Localhost绑定兼容性更改。
Before you bind to other ip addresses, consider enabling access control and other security measures listed in Security Checklist to prevent unauthorized access.在绑定到其他ip地址之前,请考虑启用安全检查表中列出的访问控制和其他安全措施,以防止未经授权的访问。
The audit file is 审核文件与服务器日志文件同时旋转。旋转细节可以使用rotated at the same time as the server log file. Rotation specifics may be configured with the systemLog.logRotate configuration file option or the --logRotate command-line option.systemLog.logRotate配置文件选项或--logRotate命令行选项进行配置。
You may also specify these options in the configuration file:您也可以在配置文件中指定以下选项:
storage:
dbPath: data/db
auditLog:
destination: file
format: BSON
path: data/db/auditLog.bson
The following example converts the audit log into readable form using 以下示例使用bsondump and outputs the result:bsondump将审核日志转换为可读形式,并输出结果:
bsondump data/db/auditLog.bson
Runtime Audit Filter Management运行时审核筛选器管理
Starting in MongoDB 5.0, audit filters can be configured at runtime. Runtime Audit Filter Management provides three benefits compared to audit filter configurations that are specified in a local 从MongoDB 5.0开始,可以在运行时配置审计筛选器。与在本地mongod or mongos configuration file:mongod或mongos配置文件中指定的审核筛选器配置相比,运行时审核筛选器管理提供了三个好处:
Separation of Concerns关注分离
Prior to MongoDB 5.0, anyone auditing a MongoDB 在MongoDB 5.0之前,任何审核MongoDB mongod or mongos instance had to have write access to the host server's file system in order to update audit filters. mongod或mongos实例的人都必须具有对主机服务器文件系统的写访问权限,才能更新审核筛选器。Runtime Audit Filter Management improves security by separating audit access from administrative access.运行时审核筛选器管理通过将审核访问与管理访问分离来提高安全性。
Using Runtime Audit Filter Management instead of editing configuration files directly means:使用运行时审核筛选器管理而不是直接编辑配置文件意味着:
File system access is not required so an auditor does not need access to the不需要文件系统访问权限,因此审计员不需要访问mongodormongoshost server.mongod或mongos主机服务器。There is no direct access to the无法直接访问mongodormongosinstance's configuration file.mongod或mongos实例的配置文件。Runtime Audit Filter Management only exposes audit filters and the运行时审核筛选器管理仅公开审核筛选器和auditAuthorizationSuccessparameter.auditAuthorizationSuccess参数。
Runtime Configurability运行时可配置性
Starting in MongoDB 5.0, when Runtime Audit Filter Management is enabled, auditing can be reconfigured at runtime without restarting the 从MongoDB 5.0开始,当启用了运行时审计筛选器管理时,可以在运行时重新配置审计,而无需重新启动mongod or mongos instance. A statically configured instance has to be restarted to update its audit settings.mongod或mongos实例。必须重新启动静态配置的实例才能更新其审核设置。
Audit filter modifications made at runtime persist when an instance is shutdown and restarted.当实例关闭并重新启动时,在运行时所做的审核筛选器修改将保持不变。
Consistency
Within a cluster, if all participating mongod and mongos nodes are configured to use Runtime Audit Filter Management, then every node will use the same audit filters. In contrast, if each node has its own locally configured audit filters, there is no guarantee of audit filter consistency across nodes.
Enable Runtime Audit Filter Management启用运行时审核筛选器管理
Starting in MongoDB 5.0, audit configurations for 从MongoDB 5.0开始,可以在运行时配置mongod and mongos nodes can be configured at runtime. A group of these nodes can take part in a distributed audit configuration.mongod和mongos节点的审核配置。这些节点中的一组可以参与分布式审核配置。
To include a node in a distributed audit configuration, update the node's configuration file as follows and restart the server.要将节点包括在分布式审核配置中,请按如下方式更新节点的配置文件,然后重新启动服务器。
auditLog.runtimeConfiguration | true |
auditLog.filter | Unset |
auditAuthorizationSuccess | Unset |
The server logs an error and fails to start if:如果出现以下情况,服务器将记录错误并无法启动:
runtimeConfigurationistrueand- either
auditLog.filterorauditAuthorizationSuccessis set.
To modify audit filters and the 要在运行时修改审核筛选器和auditAuthorizationSuccess parameter at runtime, see setAuditConfig.auditAuthorizationSuccess参数,请参阅setAuditConfig。