Note
Auditing in MongoDB Atlas
MongoDB Atlas supports auditing for all M10 and larger clusters. Atlas supports specifying a JSON-formatted audit filter as documented below and using the Atlas audit filter builder for simplified auditing configuration. To learn more, see the Atlas documentation for Set Up Database Auditing and Configure a Custom Auditing Filter.
MongoDB Enterprise supports auditing of various operations. When enabled, the audit facility, by default, records all auditable operations as detailed in Audit Event Actions, Details, and Results. You can specify event filters to limit which events are recorded.
You can configure audit filters at startup, or you can configure MongoDB to allow filter configuration at runtime.
Audit Filter Syntax
Audit filters have the same form as the query predicate documents passed to find commands. To see example audit filters, see Examples.
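The predicate semantics matter when writing a filter: dotted paths reach into param and into the roles array, $in and regular expressions behave as in find, and an embedded-document literal such as { role: "readWrite", db: "test" } must equal an array element exactly. The following Python script is an added example, not code from the MongoDB documentation: it re-implements that subset of find predicate matching and runs the filters from the Examples section against constructed audit messages, so a filter can be sanity-checked before it goes into a configuration file. The message contents (users, namespaces, result codes) are made up.

```python
"""Toy evaluator for MongoDB audit-filter predicates.

Added example, not MongoDB's own code: it re-implements just enough of the
find()-style predicate semantics (equality, dotted paths into embedded
documents and arrays, $in, regular expressions, top-level $or/$and) to show
which constructed audit messages the filters on this page select. It is for
reasoning about a filter before deploying it, not a substitute for the server.
"""
from __future__ import annotations

import re
from typing import Any

# Constructed audit messages in the shape of the default "mongo" audit schema
# (atype, param, users, roles, result). Users and namespaces are made up.
AUDIT_MESSAGES = [
    {"atype": "authenticate", "result": 0, "users": [], "roles": [],
     "param": {"user": "app", "db": "test", "mechanism": "SCRAM-SHA-256"}},
    {"atype": "authenticate", "result": 18, "users": [], "roles": [],    # 18 = AuthenticationFailed
     "param": {"user": "root", "db": "admin", "mechanism": "SCRAM-SHA-256"}},
    {"atype": "createCollection", "result": 0,
     "users": [{"user": "app", "db": "test"}], "roles": [{"role": "readWrite", "db": "test"}],
     "param": {"ns": "test.orders"}},
    {"atype": "dropCollection", "result": 0,                             # database "testing", not "test"
     "users": [{"user": "ops", "db": "admin"}], "roles": [{"role": "dbAdminAnyDatabase", "db": "admin"}],
     "param": {"ns": "testing.archive"}},
    {"atype": "authCheck", "result": 0,
     "users": [{"user": "app", "db": "test"}], "roles": [{"role": "readWrite", "db": "test"}],
     "param": {"command": "find", "ns": "test.orders", "args": {"find": "orders", "$db": "test"}}},
]

# Python spelling of the page's /^test\./ regular expression.
TEST_DB_NS = re.compile(r"^test\.")


def _walk(value: Any, path: list[str]) -> list[Any]:
    """Resolve a dotted path; an array on the way fans out over its elements, as MongoDB does."""
    if not path:
        return [value]
    if isinstance(value, dict):
        return _walk(value[path[0]], path[1:]) if path[0] in value else []
    if isinstance(value, list):
        return [v for item in value for v in _walk(item, path)]
    return []


def _cmp(actual: Any, expected: Any) -> bool:
    """Compare one resolved value against a filter operand (regex, operator document, or literal)."""
    if isinstance(expected, re.Pattern):
        return isinstance(actual, str) and expected.search(actual) is not None
    if isinstance(expected, dict) and any(k.startswith("$") for k in expected):
        for op, operand in expected.items():
            if op == "$in":
                ok = any(_cmp(actual, o) for o in operand)
            elif op == "$regex":
                ok = _cmp(actual, re.compile(operand))
            else:
                raise ValueError(f"operator {op} not supported by this toy evaluator")
            if not ok:
                return False
        return True
    # Literal equality. If the audited field is an array (e.g. roles), any element may match.
    # Caveat: the server compares embedded documents with field order significant, so
    # { roles: { db: "test", role: "readWrite" } } would NOT match on a real mongod; Python
    # dict equality ignores order, so keep the field order the audit log uses.
    if isinstance(actual, list) and not isinstance(expected, list):
        return any(item == expected for item in actual)
    return actual == expected


def matches(message: dict, filt: dict) -> bool:
    """True if the audit message satisfies every clause of the filter document."""
    for key, expected in filt.items():
        if key == "$or":
            ok = any(matches(message, sub) for sub in expected)
        elif key == "$and":
            ok = all(matches(message, sub) for sub in expected)
        else:
            ok = any(_cmp(v, expected) for v in _walk(message, key.split(".")))
        if not ok:
            return False
    return True


def select(filt: dict, messages: list[dict] = AUDIT_MESSAGES) -> list[str]:
    """Labels (atype:ns-or-db) of the messages a filter would write to the audit log."""
    return [f"{m['atype']}:{m['param'].get('ns') or m['param'].get('db')}"
            for m in messages if matches(m, filt)]


if __name__ == "__main__":
    for name, filt in {
        "collection create/drop": {"atype": {"$in": ["createCollection", "dropCollection"]}},
        "authenticate on test": {"atype": "authenticate", "param.db": "test"},
        "create/drop in test db": {"atype": {"$in": ["createCollection", "dropCollection"]}, "param.ns": TEST_DB_NS},
        "readWrite@test role": {"roles": {"role": "readWrite", "db": "test"}},
        "$or": {"$or": [{"atype": "authenticate"}, {"roles.role": "readWrite"}]},
    }.items():
        print(f"{name:24s} -> {select(filt)}")
```

Running it shows why the escaped dot matters: with /^test\./ the dropCollection on testing.archive is excluded, and without the backslashes the unescaped dot would match any character and the filter would also pick up the testing database.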
Filter Configuration at Runtime
Starting in MongoDB 5.0, audit configurations for mongod and mongos nodes can be configured at runtime. A group of these nodes can take part in a distributed audit configuration.
To include a node in a distributed audit configuration, update the node's configuration file as follows and restart the server.
Setting | Value
auditLog.runtimeConfiguration | true
auditLog.filter | Unset
auditAuthorizationSuccess | Unset
The server logs an error and fails to start if runtimeConfiguration is true and either auditLog.filter or auditAuthorizationSuccess is set.
To modify audit filters and the auditAuthorizationSuccess parameter at runtime, see auditConfig.
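A node restarted with the wrong combination stays down, so it pays to check the file before the restart. The following Python script is an added example, not MongoDB's own tooling: it reproduces the rule above against a node's YAML configuration, rejecting a constructed config that combines runtimeConfiguration with a startup filter and a setParameter entry, and accepting the corrected one. Its YAML reader only handles the subset these config files use (nested maps, scalars and one-line { key: value } flow maps), which is an assumption of the example.

```python
"""Pre-flight check for the runtime audit-configuration rule.

Added example, not MongoDB's own tooling. It reads a node's YAML configuration
and reports the combinations that make mongod/mongos log an error and refuse
to start: auditLog.runtimeConfiguration: true together with auditLog.filter or
with setParameter.auditAuthorizationSuccess. The reader below handles only the
YAML subset MongoDB config files on this page use (nested maps, scalars and
one-line { key: value } flow maps); it is not a general YAML parser.
"""

# Constructed config that the server would reject at startup.
REJECTED_CONFIG = """\
storage:
  dbPath: data/db
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  runtimeConfiguration: true
  filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
setParameter: { auditAuthorizationSuccess: true }
"""

# Corrected config: filter and auditAuthorizationSuccess are left unset so that
# they can be managed at runtime with the rest of the distributed configuration.
ACCEPTED_CONFIG = """\
storage:
  dbPath: data/db
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  runtimeConfiguration: true
"""


def _scalar(text):
    """Turn a YAML scalar token into a Python value (booleans; quotes stripped from strings)."""
    text = text.strip()
    if text in ("true", "false"):
        return text == "true"
    return text.strip("'\"")


def load_config(text):
    """Parse indentation-based YAML mappings into nested dicts (subset only)."""
    root = {}
    stack = [(-1, root)]                           # (indent, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # split at the first colon only,
        value = value.strip()                       # so a quoted filter keeps its own colons
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if not value:                               # a nested mapping follows
            parent[key] = {}
            stack.append((indent, parent[key]))
        elif value.startswith("{"):                 # one-line flow mapping, e.g. setParameter
            items = (item.split(":", 1) for item in value.strip("{} ").split(",") if item.strip())
            parent[key] = {k.strip(): _scalar(v) for k, v in items}
        else:
            parent[key] = _scalar(value)
    return root


def audit_startup_errors(config):
    """Reasons the config violates the runtime-configuration rule; empty if it would start."""
    audit = config.get("auditLog", {})
    if audit.get("runtimeConfiguration") is not True:
        return []                                   # startup-time filters are fine without it
    errors = []
    if "filter" in audit:
        errors.append("auditLog.filter must be unset when auditLog.runtimeConfiguration is true")
    if "auditAuthorizationSuccess" in config.get("setParameter", {}):
        errors.append("setParameter.auditAuthorizationSuccess must be unset when "
                      "auditLog.runtimeConfiguration is true")
    # The same parameter can also arrive via --setParameter on the command line,
    # which this file-only check does not see.
    return errors


if __name__ == "__main__":
    for name, text in (("rejected", REJECTED_CONFIG), ("accepted", ACCEPTED_CONFIG)):
        print(name, audit_startup_errors(load_config(text)) or "ok")
```

Run it against each node's file before the rolling restart; a config without runtimeConfiguration passes untouched, since startup-time filters are still valid there.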
Filter Configuration at System Startup
Audit filters can be specified on the command line or in the configuration file used to start the mongod or mongos instance.
Configuration File Usage
Filters can be specified in YAML under the auditLog section of the configuration file. See the examples below for sample configurations.
Note
If runtimeConfiguration is enabled, the configuration file cannot be used to specify audit filters.
Examples
Record All Auditable Events
To record all auditable events, do not specify an audit filter. By default, the audit facility records all auditable operations.
Filter for Multiple Operation Types
The following example audits only the createCollection and dropCollection actions by using the filter:
{ atype: { $in: [ "createCollection", "dropCollection" ] } }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auditDestination file --auditFilter '{ atype: { $in: [ "createCollection", "dropCollection" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'

Filter on Authentication Operations on a Single Database
The <field> can include any field in the audit message. For authentication operations (i.e. atype: "authenticate"), the audit messages include a db field in the param document.
The following example audits only the authenticate operations that occur against the test database by using the filter:
{ atype: "authenticate", "param.db": "test" }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ atype: "authenticate", "param.db": "test" }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: "authenticate", "param.db": "test" }'
To filter on all authenticate operations across databases, omit "param.db": "test" and use the filter { atype: "authenticate" }.
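The authenticate filter keeps successful and failed attempts alike; the result field of each audit message tells them apart (0 is success, 18 is AuthenticationFailed). The following Python script is an added example, not from the MongoDB documentation: it reads JSON-format audit output of the kind the filter above produces and reports the two patterns an incident responder looks for first, a source that racks up failures across several users and a source that succeeds as a user it had just failed as. The log lines are constructed in the shape of the default mongo audit schema, and the addresses, users and failure threshold are assumptions for the demonstration.

```python
"""Triage of authenticate events from a JSON-format MongoDB audit log.

Added example, not from the MongoDB documentation. The log lines below are
constructed in the shape of the default "mongo" audit schema as written by
--auditFormat JSON under the filter { atype: "authenticate", "param.db": "test" };
addresses, users and the failure threshold are assumptions for the demonstration.
The filter keeps failed and successful attempts alike; the result field tells
them apart (0 = success, 18 = AuthenticationFailed).
"""
import json
from collections import Counter, defaultdict

SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.20","port":51001},"users":[],"roles":[],"param":{"user":"app","db":"test","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:02.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":40001},"users":[],"roles":[],"param":{"user":"admin","db":"test","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":40002},"users":[],"roles":[],"param":{"user":"root","db":"test","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:04.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":40003},"users":[],"roles":[],"param":{"user":"app","db":"test","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:05.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.21","port":51002},"users":[],"roles":[],"param":{"user":"app","db":"test","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:06.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.21","port":51003},"users":[],"roles":[],"param":{"user":"app","db":"test","mechanism":"SCRAM-SHA-256"},"result":0}
"""

FAILURE_THRESHOLD = 3   # assumed: report a source after this many failures


def parse_audit_log(text):
    """Yield one audit message dict per non-empty line of JSON-lines audit output."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def triage_authentication(text, threshold=FAILURE_THRESHOLD):
    """Per remote IP: failed attempts, distinct users tried, and a finding string.

    Two patterns are reported: a source reaching the failure threshold (guessing
    or spraying), and a success as a user that same source had already failed
    as (the guess worked). Lines are processed in log order, so "after" is real.
    """
    failures = Counter()
    users_tried = defaultdict(set)
    findings = {}
    for msg in parse_audit_log(text):
        if msg.get("atype") != "authenticate":
            continue                     # defensive: the page's filter already excludes these
        src = msg["remote"]["ip"]
        user = f"{msg['param']['db']}.{msg['param']['user']}"
        if msg.get("result") == 0:
            if user in users_tried.get(src, ()):
                findings[src] = f"success as {user} after {failures[src]} failure(s)"
        else:
            failures[src] += 1
            users_tried[src].add(user)
            if failures[src] >= threshold and "success as" not in findings.get(src, ""):
                findings[src] = f"{failures[src]} failed attempts as {len(users_tried[src])} user(s)"
    return {"failures": dict(failures),
            "users_tried": {k: sorted(v) for k, v in users_tried.items()},
            "findings": findings}


if __name__ == "__main__":
    for src, note in triage_authentication(SAMPLE_AUDIT_LOG)["findings"].items():
        print(f"{src:15s} {note}")
```

Feed it the real file with open(path).read(); because the filter already reduces the log to authenticate events on one database, the script stays cheap even on a busy deployment, which is the practical argument for a narrow filter over recording everything and sifting later.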
Filter on Collection Creation and Drop Operations for a Single Database
The <field> can include any field in the audit message. For collection creation and drop operations (i.e. atype: "createCollection" and atype: "dropCollection"), the audit messages include a namespace ns field in the param document.
The following example audits only the createCollection and dropCollection operations that occur against the test database by using the filter:
Note
The regular expression requires two backslashes (\\) to escape the dot (.).
{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] }, "param.ns": /^test\\./ }'

Filter by Authorization Role
The following example audits operations by users with the readWrite role on the test database, including users with roles that inherit from readWrite, by using the filter:
{ roles: { role: "readWrite", db: "test" } }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ roles: { role: "readWrite", db: "test" } }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ roles: { role: "readWrite", db: "test" } }'

Filter on Read and Write Operations
To capture read and write operations in the audit, you must also enable the audit system to log authorization successes using the auditAuthorizationSuccess parameter. [1]
Note
Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.
This filter audits multiple read and write operations:
{
  atype: "authCheck",
  "param.command": { $in: [ "find", "insert", "delete", "update", "findAndModify" ] }
}
The audited operations are the find, insert, delete, update, and findAndModify commands named in the filter.
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --setParameter auditAuthorizationSuccess=true --auditDestination file --auditFilter '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findAndModify" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findAndModify" ] } }'
setParameter: { auditAuthorizationSuccess: true }

Filter on Read and Write Operations for a Collection
To capture read and write operations in the audit, you must also enable the audit system to log authorization successes using the auditAuthorizationSuccess parameter. [1]
Note
Enabling auditAuthorizationSuccess degrades performance more than logging only the authorization failures.
This filter audits multiple read and write operations on the orders collection in the test database:
{
  atype: "authCheck",
  "param.ns": "test.orders",
  "param.command": { $in: [ "find", "insert", "delete", "update", "findAndModify" ] }
}
The audited operations are the find, insert, delete, update, and findAndModify commands named in the filter, restricted to the test.orders namespace.
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --setParameter auditAuthorizationSuccess=true --auditDestination file --auditFilter '{ atype: "authCheck", "param.ns": "test.orders", "param.command": { $in: [ "find", "insert", "delete", "update", "findAndModify" ] } }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ atype: "authCheck", "param.ns": "test.orders", "param.command": { $in: [ "find", "insert", "delete", "update", "findAndModify" ] } }'
setParameter: { auditAuthorizationSuccess: true }

Filter OCSF Schema Log Messages
Starting in MongoDB 8.0, MongoDB can write log messages in OCSF format. The OCSF schema contains different fields than the default mongo schema.
The following audit filter captures Network Activity actions that are recorded in the OCSF schema:
{ category_uid: 4 }
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --setParameter auditAuthorizationSuccess=true --auditDestination file --auditFilter '{ category_uid: 4 }' --auditFormat JSON --auditSchema OCSF --auditPath data/db/auditLog.json
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: JSON
  path: data/db/auditLog.json
  filter: '{ category_uid: 4 }'
  schema: OCSF
setParameter: { auditAuthorizationSuccess: true }
For more information on OCSF log messages, see OCSF Schema Audit Messages.
Specify Top-Level Query Operators ($or)
To filter on multiple audit message fields, you can specify a top-level query operator like $or. For example, the following filter captures operations where either atype is authenticate or the operation was performed by a user with the readWrite role:
{
  $or: [
    { atype: "authenticate" },
    { "roles.role": "readWrite" }
  ]
}
To specify an audit filter on the command line, enclose the filter document in single quotes to pass the document as a string.
mongod --dbpath data/db --auth --setParameter auditAuthorizationSuccess=true --auditDestination file --auditFilter '{ $or: [ { atype: "authenticate" }, { "roles.role": "readWrite" } ] }' --auditFormat BSON --auditPath data/db/auditLog.bson
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip.
To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.
storage:
  dbPath: data/db
security:
  authorization: enabled
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson
  filter: '{ $or: [ { atype: "authenticate" }, { "roles.role": "readWrite" } ] }'

Learn More
[1] You can enable the auditAuthorizationSuccess parameter without enabling --auth; however, all operations will return success for authorization checks.