Database Manual / Security / Auditing / Audit Messages

OCSF Schema Audit MessagesOCSF架构审核消息

~~In the OCSF schema, recorded log messages have this syntax:~~在OCSF模式中，记录的日志消息具有以下语法：

{
   "activity_id" : <int>,
   "category_uid" : <int>,
   "class_uid" : <int>,
   "time" : <int>,
   "severity_id" : <int>,
   "type_uid" : <int>,
   "metadata" : <document>
   "actor" : {
      "user" : {
         "type_id" : <int>,
         "name" : <string>,
         "groups" : <array of documents>
      }
   },
   "src_endpoint" : {
      "ip": <string>,   // IP address for origin client computer
      "port": <int>,    // Port for origin client computer
      "intermediate_ips": [ {
         // IP address and port for mongos or load balancermongos或负载均衡器的IP地址和端口
         "ip": <string>,
         "port": <int>
      }, {
         // IP address and port for mongos or load balancermongos或负载均衡器的IP地址和端口
         "ip": <string>,
         "port": <int>
      } ]
   },
   "dst_endpoint" : {
      // IP address and port for local MongoDB server本地MongoDB服务器的IP地址和端口
      "ip": <string>,
      "port": <int>
   }
}

~~The following table describes the fields in the log message.~~下表描述了日志消息中的字段。

~~Field~~字段	~~Type~~类型	~~Description~~描述
`activity_id`	~~Integer~~整数	~~Activity type. See OCSF Type Mapping.~~活动类型。请参阅OCSF类型映射。
`category_uid`	~~Integer~~整数	~~Audit event category. See OCSF Category Mapping.~~审核事件类别。请参阅OCSF类别映射。
`class_uid`	~~Integer~~整数	~~Audit event class. See OCSF Class Mapping.~~审核事件类别。请参阅OCSF类映射。
`time`	~~Integer~~整数	~~Number of milliseconds after the Unix epoch that the event occurred.~~事件发生的Unix纪元后的毫秒数。
`severity_id`	~~Integer~~整数	~~Severity of the audited event.~~受审核事件的严重性。
`type_uid`	~~Integer~~整数	~~Combination of the audited event's class, activity, and category. See OCSF Type Mapping.~~被审计事件的类别、活动和类别的组合。请参阅OCSF类型映射。
`metadata`	~~Document~~文档	~~Metadata about the event such as product and schema version.~~有关事件的元数据，如产品和架构版本。
`actor`	~~Document~~文档	~~Information about the user who performed the action.~~关于执行该操作的用户的信息。
`src_endpoint`	~~Document~~文档	Starting in MongoDB 8.1, if a client application connects to `mongos` through a load balancer, the origin client computer and load balancer IP addresses and ports are included in the audit log. You can use the log to match an audit event with the origin client computer.从MongoDB 8.1开始，如果客户端应用程序通过负载均衡器连接到`mongos`，则源客户端计算机和负载均衡器IP地址和端口将包含在审计日志中。您可以使用日志将审核事件与源客户端计算机进行匹配。 `src_endpoint` stores information about IP addresses and ports. Each element in the `intermediate_ips` array is a document with an IP address and port for a load balancer or `mongos` that the origin client computer request passed through.存储有关IP地址和端口的信息。`intermediate_ips`数组中的每个元素都是一个文档，其中包含源客户端计算机请求通过的负载均衡器或`mongos`的IP地址和端口。 ~~If the request passes through a load balancer:~~如果请求通过负载均衡器： `src_endpoint` ~~stores the origin client computer IP address and port read from the proxy protocol header.~~存储从代理协议报头读取的源客户端计算机IP地址和端口。 `src_endpoint.intermediate_ips` ~~stores the load balancer IP address and port.~~存储负载均衡器IP地址和端口。 ~~If the audit event occurs on a shard:~~如果审计事件发生在分片上： `src_endpoint` stores the origin client computer IP address and port. The address and port are read from the proxy protocol header or, if the origin client computer connects to `mongos`, the address and port are read from the client computer connection.存储源客户端计算机的IP地址和端口。地址和端口从代理协议头读取，或者，如果源客户端计算机连接到`mongos`，则从客户端计算机连接读取。 `src_endpoint.intermediate_ips` ~~stores the `mongos` IP address and port. And, if a load balancer is used, there is an additional `src_endpoint.intermediate_ips` that stores the IP address and port of the load balancer.~~存储`mongos` IP地址和端口。如果使用负载均衡器，则还有一个额外的`src_endpoint.intermediate_ips`，用于存储负载均衡器的IP地址和港口。 ~~Changed in version 8.1.~~在版本8.1中的更改。
`dst_endpoint`	~~Document~~文档	~~IP address and port of the local MongoDB server.~~本地MongoDB服务器的IP地址和端口。 ~~Changed in version 8.1.~~在版本8.1中的更改。

Note

~~Log messages may contain additional fields depending on the event that was logged.~~日志消息可能包含其他字段，具体取决于记录的事件。

OCSF Category MappingOCSF类别映射

~~This table describes the category_uid values:~~此表描述了category_uid值：

`category_uid`	~~Category~~类别
`1`	~~System Activity~~系统活动
`2`	~~Findings~~研究结果
`3`	IAM
`4`	~~Network Activity~~网络活动
`5`	~~Discovery~~发现
`6`	~~Application Activity~~应用活动

OCSF Class MappingOCSF类映射

~~For a complete list of OCSF class_uids and how they map to different classes, see the OCSF Documentation.~~有关OCSF class_uid的完整列表以及它们如何映射到不同的类，请参阅OCSF文档。

OCSF Type MappingOCSF类型映射

~~The type_uid field represents a combination of the audited event's class, activity, and category. The resulting UUID indicates the type of activity that occurred.~~type_uid字段表示被审核事件的类、活动和类别的组合。生成的UUID指示发生的活动类型。

~~Specifically, type_uid is ( class_uid * 100 ) + (activity_id), with category_id being the thousands place in a class_id.~~具体来说，type_uid是( class_uid * 100 ) + (activity_id)，category_id是class_id中的千位。

~~This table describes how audited actions map to type_uid:~~此表描述了经审核的操作如何映射到type_uid：

Action Type	`type_uid`	Category	Class	Activity
`addShard`	`500101`	Configuration	~~Device Config State~~设备配置状态	Log
`applicationMessage`	`100799`	System	~~Process Activity~~流程活动	Other
`auditConfigure`	`500201` or `500203`	~~Discovery~~发现	Device Config State	`1` is Create `3` is Update
`authzCheck`	`600301` - `600304`	Application	API Activity	`1` is Create `2` is Read `3` is Update `4` is Delete
`authenticate`	`300201`	IAM	Authentication	Logon
`clientMetadata`	`400101`	Network	Network Activity	Open
`createCollection`	`300401`	IAM	Entity Management	Create
`createDatabase`	`300401`	IAM	Entity Management	Create
`createIndex`	`300401`	IAM	Entity Management	Create
`createRole`	`300101`	IAM	Account Change	Create
`createUser`	`300101`	IAM	Account Change	Create
`directAuthMutation`	`300100`	IAM	Account Change	Unknown
`dropAllRolesFromDatabase`	`300106`	IAM	Account Change	Delete
`dropAllUsersFromDatabase`	`300106`	IAM	Account Change	Delete
`dropCollection`	`300404`	IAM	Entity Management	Delete
`dropDatabase`	`300404`	IAM	Entity Management	Delete
`dropIndex`	`300404`	IAM	Entity Management	Delete
`dropPrivilegesToRole`	`300107`	IAM	Account Change	Attach Policy
`dropRole`	`300106`	IAM	Account Change	Delete
`dropUser`	`300106`	IAM	Account Change	Delete
`enableSharding`	`500201`	Configuration	Device Config State	Log
`getClusterParameter`	`600302`	Application	API Activity	Read
`grantRolesToRole`	`300107`	IAM	Account Change	Attach Policy
`grantRolesToUser`	`300107`	IAM	Account Change	Attach Policy
`importCollection`	`300401`	IAM	Entity Management	Create
`logout`	`300202`	IAM	Authentication	Logoff
`refineCollectionShardKey`	`500201`	Configuration	Device Config State	Log
`removeShard`	`500201`	Configuration	Device Config State	Log
`renameCollection`	`300403`	IAM	Entity Management	Update
`replSetReconfig`	`500201`	Configuration	Device Config State	Log
`revokePrivilegesFromRole`	`300108`	IAM	Account Change	Detach Policy
`revokeRolesFromRole`	`300108`	IAM	Account Change	Detach Policy
`revokeRolesFromUser`	`300108`	IAM	Account Change	Detach Policy
`rotateLog`	`100799`	System	Process	Other
`setClusterParameter`	`500201`	Configuration	Device Config State	Log
`shardCollection`	`500201`	Configuration	Device Config State	Log
`shutdown`	`100702`	System	Process	Terminate
`startup`	`100701`	System	Process	Launch
`updateCachedClusterServerParameter`	`500201`	Configuration	Device Config State	Log
`updateRole`	`300199`	IAM	Account Change	Other
`updateUser`	`300199`	IAM	Account Change	Other

Examples示例

~~The following examples show OCSF schema log messages for different action types.~~以下示例显示了不同操作类型的OCSF模式日志消息。

Authenticate Action身份验证操作

{
   "activity_id" : 1,
   "category_uid" : 3,
   "class_uid" : 3002,
   "time" : 1710715316123,
   "severity_id" : 1,
   "type_uid" : 300201,
   "metadata" : {
      "correlation_uid" : "20ec4769-984d-445c-aea7-da0429da9122",
      "product" : "MongoDB Server",
      "version" : "1.0.0"
   },
   "actor" : {
      "user" : {
         "type_id" : 1,
         "name" : "admin.admin",
         "groups" : [ { "name" : "admin.root" } ]
      }
   },
   "src_endpoint" : { "ip" : "127.0.0.1", "port" : 56692 },
   "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 },
   "user" : { "type_id" : 1, "name" : "admin.admin" },
   "auth_protocol" : "SCRAM-SHA-256",
   "unmapped" : { "atype" : "authenticate" }
}

AuthCheck Action身份验证操作

{
   "activity_id" : 0,
   "category_uid" : 6,
   "class_uid" : 6003,
   "time" : 1710715315002,
   "severity_id" : 1,
   "type_uid" : 600300,
   "metadata" : {
      "correlation_uid" : "af4510fb-0a9f-49aa-b988-06259a7a861d",
      "product" : "MongoDB Server",
      "version" : "1.0.0"
   },
   "actor" : {},
   "src_endpoint" : { "ip" : "127.0.0.1", "port" : 45836 },
   "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 },
   "api" : {
      "operation" : "getParameter",
      "request" : { "uid" : "admin" },
      "response" : { "code" : 13, "error" : "Unauthorized" }
   }
}

Back

mongo ~~Schema~~模式

~~Use Field Level Redaction~~使用字段级重动作