Database Manual / Security / Auditing / Audit Messages

mongo Schema Audit Messagesmongo架构审核消息

In the mongo schema, recorded log messages have this syntax:mongo模式中,记录的日志消息具有以下语法:

{
  atype: <string>,
  ts : { $date: <timestamp> },
  uuid : { $binary: <string>, $type: <string> },
  local: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  remote: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  intermediates: [   // Added in MongoDB 8.1
     {
        // IP address and port for mongos or load balancer
        ip: <string>,
        port: <int>
     }, {
        //  IP address and port for mongos or load balancer
        ip: <string>,
        port: <int>
     }
  ],
  users : [ { user: <string>, db: <string> }, ... ],
  roles: [ { role: <string>, db: <string> }, ... ],
  param: <document>,
  result: <int>
}

The following table describes the fields in the mongo schema.下表描述了mongo模式中的字段。

Field字段Type类型Description描述
atypestring字符串Action type. See Audit Event Actions, Details, and Results.动作类型。请参阅审核事件操作、详细信息和结果
tsdocument文档Document that contains the date and UTC time of the event, in ISO 8601 format.包含事件日期和UTC时间的文档,采用ISO 8601格式。

uuid

document文档

A document that contains a message identifier.包含消息标识符的文档。

The UUID identifies a client connection. Use the UUID to track audit events connected to that client.UUID标识客户端连接。使用UUID跟踪连接到该客户端的审核事件。

The value of the $type field is BSON type 04 which indicates that the $binary field contains a UUID.$type字段的值是BSON类型04,表示$binary字段包含UUID。

New in version 5.0.在版本5.0中新增。

local

document文档

A document that contains the ip address and the port number of the running instance.包含正在运行的实例的ip地址和port号的文档。

Starting in MongoDB 5.0, can alternatively be a document with one of these fields:从MongoDB 5.0开始,也可以是具有以下字段之一的文档:

  • isSystemUser that indicates whether the user who caused the event was a system user. Logged for self-referential jobs initiated by a background process that runs on the same server instance.其指示引起事件的用户是否是系统用户。已记录由在同一服务器实例上运行的后台进程启动的自引用作业。
  • unix that contains the MongoDB socket file path if the client connects through a Unix domain socket.如果客户端通过Unix域套接字连接,则包含MongoDB套接字文件路径。

Starting in MongoDB 5.0, the local field is deprecated. 从MongoDB 5.0开始,local字段被弃用。Use the localEndpoint field in the clientMetadata audit message instead.请改用clientMetadata审核消息中的localEndpoint字段。

Changed in version 5.0.在版本5.0中的更改。

intermediatesarray of documents

Starting in MongoDB 8.1, if a client application connects to mongos through a load balancer, the origin client computer and load balancer IP addresses and ports are included in the audit log. You can use the log to match an audit event with the origin client computer.从MongoDB 8.1开始,如果客户端应用程序通过负载均衡器连接到mongos,则源客户端计算机和负载均衡器IP地址和端口将包含在审计日志中。您可以使用日志将审核事件与源客户端计算机进行匹配。

Starting in MongoDB 8.1, mongos parses the proxy protocol header and stores the origin client computer IP address and port in the remote field. 从MongoDB 8.1开始,mongos解析代理协议头,并将源客户端计算机IP地址和端口存储在remote字段中。Also, if a load balancer is used, the intermediates document stores the load balancer IP address and port.此外,如果使用负载均衡器,intermediates文档将存储负载均衡器的IP地址和端口。

In MongoDB versions earlier than 8.1, the load balancer IP address and port are stored in the remote field and the origin client computer IP address and port are omitted.在早于8.1的MongoDB版本中,负载均衡器IP地址和端口存储在remote字段中,省略了源客户端计算机IP地址和港口。

Each array element in intermediates is a document with ip and port fields, which are either the IP address and port of a load balancer or mongos that the origin client computer request passes through.intermediates中的每个数组元素都是一个包含ipport字段的文档,这些字段要么是负载均衡器的ip地址和端口,要么是源客户端计算机请求通过的mongos

If the origin client computer request passes through a load balancer:如果源客户端计算机请求通过负载均衡器:

  • Starting in MongoDB 8.1, the remote field stores the client computer IP address and port that are read from the proxy protocol header. The intermediates document contains the load balancer IP address and port.从MongoDB 8.1开始,remote字段存储从代理协议头读取的客户端计算机IP地址和端口。intermediates文档包含负载平衡器IP地址和端口。
  • In MongoDB versions earlier than 8.1, the remote field stores the load balancer IP address and port. 在早于8.1的MongoDB版本中,远程字段存储负载均衡器IP地址和端口。The intermediates document isn't in the audit log.intermediates文档不在审核日志中。

If the audit event occurs on a shard:如果审计事件发生在分片上:

  • Starting in MongoDB 8.1, the remote field stores the client computer IP address and port. 从MongoDB 8.1开始,remote字段存储客户端计算机IP地址和端口。The address and port are read from the proxy protocol header or, if the client computer connects to mongos, the address and port are read from the origin client computer connection. 地址和端口从代理协议头读取,或者,如果客户端计算机连接到mongos,则从源客户端计算机连接读取地址和端口。The intermediates document stores the mongos IP address and port. If a load balancer is used, the intermediates document also stores the load balancer IP address and port.intermediates文档存储mongos IP地址和端口。如果使用负载均衡器,中间文档还存储负载均衡器IP地址和港口。
  • In MongoDB versions earlier than 8.1, the remote field stores the mongos IP address and port. The intermediates document isn't in the audit log.在早于8.1的MongoDB版本中,remote字段存储mongos IP地址和端口。intermediates文件不在审计日志中。

New in version 8.1.在版本8.1中新增。

remotedocument文档

A document that stores the ip address and the port number of the incoming connection associated with the event.存储与事件关联的传入连接的ip地址和port号的文档。

Starting in MongoDB 8.1, mongos parses the proxy protocol header and stores the origin client computer IP address and port in the remote field. Also, if a load balancer is used, the intermediates document stores the load balancer IP address and port.从MongoDB 8.1开始,mongos解析代理协议头,并将源客户端计算机IP地址和端口存储在remote字段中。此外,如果使用负载均衡器,intermediates文档将存储负载均衡器的IP地址和端口。

In MongoDB versions earlier than 8.1, the load balancer IP address and port are stored in the remote field and the origin client computer IP address and port are omitted.在早于8.1的MongoDB版本中,负载均衡器IP地址和端口存储在remote字段中,省略了源客户端计算机IP地址和港口。

Starting in MongoDB 5.0, can alternatively be a document with one of these fields:从MongoDB 5.0开始,也可以是具有以下字段之一的文档:

  • isSystemUser that indicates whether the user who caused the event was a system user. Logged for self-referential jobs initiated by a background process that runs on the same server instance.其指示引起事件的用户是否是系统用户。已记录由在同一服务器实例上运行的后台进程启动的自引用作业。
  • unix that contains the MongoDB socket file path if the client connects through a Unix domain socket.如果客户端通过Unix域套接字连接,则包含MongoDB套接字文件路径。

Changed in version 8.1.在版本8.1中的更改。

usersarray数组Array of user identification documents. Because MongoDB allows a session to log in with different user per database, this array can have more than one user. 一系列用户身份证明文件。因为MongoDB允许每个数据库使用不同的用户登录会话,所以这个数组可以有多个用户。Each document contains a user field for the username and a db field for the authentication database for that user.每个文档都包含用户名的用户字段和该用户的身份验证数据库的db字段。
rolesarray数组Array of documents that specify the roles granted to the user. Each document contains a role field for the name of the role and a db field for the database associated with the role.指定授予用户的角色的文档数组。每个文档都包含一个角色名称的role字段和一个与角色关联的数据库的db字段。
paramdocument文档Specific details for the event. See Audit Event Actions, Details, and Results.活动的具体细节。请参阅审核事件操作、详细信息和结果
resultinteger整数Error code. See Audit Event Actions, Details, and Results.错误代码。请参阅审核事件操作、详细信息和结果

Audit Event Actions, Details, and Results审核事件操作、详细信息和结果

The following table lists for each atype or action type, the associated param details and the result values, if any.下表列出了每种atype或操作类型、相关param详细信息和result值(如果有的话)。

atypeparamresult

authenticate

 
{
  user: <user name>,
  db: <database>,
  mechanism: <mechanism>
}

Starting in MongoDB 5.0, authenticate:从MongoDB 5.0开始,进行authenticate(身份验证):

  • Is logged for incomplete authentication attempts.记录了未完成的身份验证尝试。
  • Includes the principle name and identifier in mechanism for external authentication mechanisms such as X.509 and Amazon Web Services Identity and Access Management (AWS-IAM) (see authMechanism).X.509和Amazon Web Services身份和访问管理(AWS-IAM)等外部身份验证机制的机制中包括原则名称和标识符(请参阅authMechanism)。

Changed in version 5.0.在版本5.0中的更改。

0 - Success成功
18 - Authentication Failed认证失败
334 - Mechanism Unavailable机制不可用
337 - Authentication Abandoned身份验证已放弃

authCheck

 
{
  command: <name>,
  ns: <database>.<collection>,
  args: <command object>
}

ns field is optional.字段是可选的。
args field may be redacted.字段可以被编辑。

By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the auditAuthorizationSuccess parameter.默认情况下,审核系统只记录授权失败。要使系统能够记录授权成功,请使用auditAuthorizationSuccess参数。

Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.启用auditAuthorizationSuccess比仅记录授权失败更会降低性能。

Starting in MongoDB 5.0, authCheck is not logged for actions that are generated internally.从MongoDB 5.0开始,内部生成的操作不会记录authCheck

Changed in version 5.0.在版本5.0中的更改。

0 - Success成功
13 - Unauthorized to perform the operation.未经授权执行该操作。

clientMetadata

 
{
   localEndpoint : {
      ip : <IP address of running instance>,
      port : <port of running instance>
   } || {
      unix : <MongoDB socket file path if connecting through
              a Unix domain socket>
   },
   clientMetadata : {
      driver : {
         name : <client driver name>,
         version : <client driver version>
      },
      os : {
         type : <client operating system type>,
         name : <client operating system name>,
         architecture : <client operating system architecture>,
         version : <client operating system version>
      },
      platform : <client platform name>,
      application : {
         name : <client application name>
      }
   }
}

Contains the client metadata. Logged when the client runs the hello command.包含客户端元数据。客户端运行hello命令时记录。

For more details, see Client Data.有关更多详细信息,请参阅客户端数据

New in version 5.0.在版本5.0中新增。

0 - Success

createCollection

 
{
   ns: <database>.<collection || view>,
   viewOn: <database>.<collection>,
   pipeline: [ <pipeline definition> ]
}

Logged when a:在以下情况下登录:

  • Collection is created.集合已创建。
  • View is created, with the view name logged in the ns field.创建视图,视图名称记录在ns字段中。

Starting in MongoDB 5.0, this additional information is logged for a view:从MongoDB 5.0开始,将为视图记录以下附加信息:

  • viewOn field with the database and collection for the view.字段中包含视图的数据库和集合。
  • pipeline field with the aggregation pipeline definition for the view.pipeline字段中包含视图的聚合管道定义。

Changed in version 5.0.在版本5.0中的更改。

0 - Success
createDatabase 
{ ns: <database> }
0 - Success

createIndex

 
{
  ns: <database>.<collection>,
  indexName: <index name>,
  indexSpec: <index specification>,
  indexBuildState: <index build state>
}

Possible values for indexBuildState are:indexBuildState的可能值包括:

  • IndexBuildStarted
  • IndexBuildSucceeded
  • IndexBuildAborted

Starting in MongoDB 5.0, createIndex audit events are:从MongoDB 5.0开始,createIndex审核事件是:

  • Logged at the start and end of index creation, and includes a message indicating if the index was successfully created or not.在索引创建的开始和结束时记录,并包含一条消息,指示索引是否已成功创建。
  • Attributed to the originating user for the action that caused the createIndex audit event.归因于导致createIndex审核事件的操作的发起用户。
  • Logged for a createCollection event if the collection has an index.如果集合有索引,则记录createCollection事件。

Changed in version 5.0.在版本5.0中的更改。

0 - Success
276 - Index build aborted.索引构建已中止。

The audit message contains result code 276 for createIndex audit events with IndexBuildState set to IndexBuildAborted. 审计消息包含IndexBuildState设置为IndexBuildAbortedcreateIndex审计事件的结果代码276The audit message contains result code 0 for createIndex audit events with IndexBuildState set to IndexBuildStarted or IndexBuildSucceeded.审核消息包含IndexBuildState设置为IndexBuildStartedIndexBuildSuccededcreateIndex审核事件的结果代码0

directAuthMutation

 
{
   document: {
      <collection modifications>
   },
   ns: <database>.<collection>,
   operation: <database operation>
}

Logged when a database operation directly modifies the contents of the admin.system.users or admin.system.roles collections.当数据库操作直接修改admin.system.usersadmin.system.roles集合的内容时记录。

New in version 5.0.在版本5.0中新增。

0 - Success成功
renameCollection 
{
  old: <database>.<collection>,
  new: <database>.<collection>
}
0 - Success成功

dropCollection

 
{
   ns: <database>.<collection || view>,
   viewOn: <database>.<collection>,
   pipeline: [ <pipeline definition> ]
}

Logged when a:在以下情况下登录:

  • Collection is dropped.集合已删除。
  • View is dropped, with the view name logged in the ns field.视图被删除,视图名称记录在ns字段中。

Starting in MongoDB 5.0, this additional information is logged for a view:从MongoDB 5.0开始,将为视图记录以下附加信息:

  • viewOn field with the database and collection for the view.字段中包含视图的数据库和集合。
  • pipeline field with the aggregation pipeline definition for the view.

In addition, starting in MongoDB 5.0, a dropCollection audit event is logged when a dropDatabase event occurs.

Changed in version 5.0.在版本5.0中的更改。

0 - Success
26 - NamespaceNotFound

If the collection or view does not exist, the audit message shows the return code as result: 26.如果集合或视图不存在,审核消息将显示返回代码result: 26

dropDatabase 
{ ns: <database> }
0 - Success
dropIndex 
{
  ns: <database>.<collection>,
  indexName: <index name>
}
0 - Success
createUser 
{
  user: <user name>,
  db: <database>,
  customData: <document>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

The customData field is optional.customData字段是可选的。

0 - Success
dropUser 
{
  user: <user name>,
  db: <database>
}
0 - Success
dropAllUsersFromDatabase 
{ db: <database> }
0 - Success

getClusterParameter

 
{
    requestedClusterServerParameters: <parameters>
}
0 - Success

setClusterParameter

 
{
    originalClusterServerParameter: <original parameter value>,
    updatedClusterServerParameter": <new parameter value>
}
0 - Success

updateCachedClusterServerParameter

 
{
    originalClusterServerParameter: <original parameter value>,
    updatedClusterServerParameter": <new parameter value>
}

Logged when a parameter is changed because of:由于以下原因更改参数时记录:

  • Propagation of a setClusterParameter commandsetClusterParameter命令的传播
  • Replication event such as rollback回滚等复制事件
  • A refresh of new cluster parameter values from the config server on mongosmongos上配置服务器上新集群参数值的刷新
0 - Success成功
updateUser 
{
  user: <user name>,
  db: <database>,
  passwordChanged: <boolean>,
  customData: <document>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}

The customData field is optional.customData字段是可选的。

0 - Success
grantRolesToUser 
{
  user: <user name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
revokeRolesFromUser 
{
  user: <user name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
createRole 
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ],
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

The roles and the privileges fields are optional.rolesprivileges字段是可选的。

For details on the resource document, see Resource Document on Self-Managed Deployments. 有关资源文档的详细信息,请参阅关于自我管理部署的资源文档For a list of actions, see Privilege Actions.有关操作列表,请参阅权限操作

0 - Success
updateRole 
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ],
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

The roles and the privileges fields are optional.rolesprivileges字段是可选的。

For details on the resource document, see Resource Document on Self-Managed Deployments. 有关资源文档的详细信息,请参阅关于自我管理部署的资源文档For a list of actions, see Privilege Actions.有关操作列表,请参阅权限操作

0 - Success
dropRole 
{
  role: <role name>,
  db: <database>
}
0 - Success
dropAllRolesFromDatabase 
{ db: <database> }
0 - Success
grantRolesToRole 
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
revokeRolesFromRole 
{
  role: <role name>,
  db: <database>,
  roles: [
     {
       role: <role name>,
       db: <database>
     },
     ...
  ]
}
0 - Success
grantPrivilegesToRole 
{
  role: <role name>,
  db: <database>,
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

For details on the resource document, see Resource Document on Self-Managed Deployments. 有关资源文档的详细信息,请参阅关于自我管理部署的资源文档For a list of actions, see Privilege Actions.有关操作列表,请参阅权限操作

0 - Success
revokePrivilegesFromRole 
{
  role: <role name>,
  db: <database name>,
  privileges: [
    {
      resource: <resource document>,
      actions: [ <action>, ... ]
    },
    ...
  ]
}

For details on the resource document, see Resource Document on Self-Managed Deployments. 有关资源文档的详细信息,请参阅关于自我管理部署的资源文档For a list of actions, see Privilege Actions.有关操作列表,请参阅权限操作

0 - Success
replSetReconfig 
{
  old: {
   _id: <replicaSetName>,
   version: <number>,
   ...
   members: [ ... ],
   settings: { ... }
  },
  new: {
   _id: <replicaSetName>,
   version: <number>,
   ...
   members: [ ... ],
   settings: { ... }
  }
}

For details on the replica set configuration document, see Self-Managed Replica Set Configuration.有关副本集配置文档的详细信息,请参阅自我管理副本集配置

0 - Success
enableSharding 
{ ns: <database> }
0 - Success
shardCollection 
{
  ns: <database>.<collection>,
  key: <shard key pattern>,
  options: { unique: <boolean> }
}
0 - Success
addShard 
{
  shard: <shard name>,
  connectionString: <hostname>:<port>,
}

When a shard is a replica set, the connectionString includes the replica set name and can include other members of the replica set.当分片是副本集时,connectionString包括副本集名称,并且可以包括副本集的其他成员。

0 - Success
refineCollectionShardKey 
{
  ns: <database>.<collection>,
  key: <shard key pattern>
}
0 - Success
removeShard 
{ shard: <shard name> }
0 - Success
shutdown 
{ }

Indicates commencement of database shutdown.表示数据库开始关闭。

0 - Success
applicationMessage 
{ msg: <custom message string> }

See logApplicationMessage.请参阅logApplicationMessage

0 - Success成功

logout

 
{
  reason: <string>,
  initialUsers: [ <document>, ... ],
  updatedUsers: [ <document>, ... ],
}
reason will be either:将是:
  • "Explicit logout from <database>"“从<database>显式注销”
  • "Implicit logout due to client connection closure"“由于客户端连接关闭而隐式注销”

initialUsers is an array of documents containing users authenticated on the current client prior to logout.是一组文档,其中包含注销前在当前客户端上经过身份验证的用户。

updatedUsers is an array of documents containing users expected to be authenticated on the current client after the logout event.是一组文档,其中包含注销事件后预期在当前客户端上进行身份验证的用户。

Each document in initialUsers and updatedUsers contains:initialUsersupdatedUsers中的每个文档都包含:
  • user: the username:用户名
  • db: the database user is authenticated to:数据库user已通过身份验证

New in version 5.0.在版本5.0中新增。

0 - Success

startup

 
{
    startupOptions: <document>,
    initialClusterServerParameter: <array of documents>
}
  • startupOptions contains all of the options that the node has after startup包含节点启动后的所有选项

  • initialClusterServerParameters contains the initial values of the cluster server parameters that the node has at the end of startup:包含节点在启动结束时具有的群集服务器参数的初始值:

    • after they have been loaded from storage (for mongod)从仓库装载后(适用于mongod
    • after they have been refreshed from the config server (for mongos).从配置服务器刷新后(对于mongos)。

New in version 5.0.在版本5.0中新增。

Changed in version 6.1.在版本6.1中的更改。

0 - Success