
Configure Auditing

Note

Auditing in MongoDB Atlas

MongoDB Atlas supports auditing for all M10 and larger clusters. Atlas supports specifying a JSON-formatted audit filter as documented in Configure Audit Filters, and provides the Atlas audit filter builder for simplified auditing configuration. To learn more, see the Atlas documentation for Set Up Database Auditing and Configure a Custom Auditing Filter.

MongoDB Enterprise supports auditing of various operations. A complete auditing solution must involve all mongod server and mongos router processes.

The audit facility can write audit events to the console, the syslog (option is unavailable on Windows), a JSON file, or a BSON file. For details on the audited operations and the audit log messages, see System Event Audit Messages.

Enable and Configure Audit Output

To enable auditing in MongoDB Enterprise, set an audit output destination with --auditDestination.

Warning

For sharded clusters, if you enable auditing on mongos instances you must also enable auditing on the cluster's mongod instances. Configure auditing for mongod on all of the shards and config servers.

Output to Syslog

To enable auditing and print audit events to the syslog (option is unavailable on Windows) in JSON format, specify syslog for the --auditDestination setting. For example:

mongod --dbpath data/db --auditDestination syslog

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment, or if your deployment members run on different hosts, specify --bind_ip.

Important

Before you bind to other IP addresses, consider enabling access control and the other security measures listed in Security Checklist for Self-Managed Deployments to prevent unauthorized access.

Warning

The syslog message limit can result in the truncation of audit messages. The auditing system will neither detect the truncation nor raise an error when it occurs.

On Linux systems, messages are subject to the rules defined in the configuration file /etc/systemd/journald.conf. By default, log message bursts are limited to 1000 messages within a 30 second period. To see more messages, increase the RateLimitBurst parameter in /etc/systemd/journald.conf.

You may also specify these options in the configuration file:

storage:
  dbPath: data/db
auditLog:
  destination: syslog
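As an added example (not part of the MongoDB documentation), the following Python script replays a constructed set of audit events against the journald defaults quoted above and reports whether the syslog destination would silently drop or truncate any of them. The 1024-byte per-message ceiling, the event shape and the sample traffic are assumptions; check the limits your syslog daemon actually enforces.

```python
import json
from datetime import datetime, timedelta, timezone

# journald defaults quoted above: bursts above 1000 messages per 30 s are dropped.
RATE_LIMIT_BURST = 1000
RATE_LIMIT_INTERVAL = timedelta(seconds=30)
# Assumed per-message ceiling; the real limit depends on the syslog daemon in use.
SYSLOG_MAX_BYTES = 1024

def audit_event(ts, atype, **param):
    # Shape follows mongod's JSON audit messages; all values are constructed.
    return {"atype": atype, "ts": {"$date": ts.isoformat(timespec="milliseconds")},
            "local": {"ip": "127.0.0.1", "port": 27017},
            "remote": {"ip": "203.0.113.7", "port": 51000},
            "users": [{"user": "app", "db": "orders"}], "roles": [],
            "param": param, "result": 0}

def peak_burst(events, interval=RATE_LIMIT_INTERVAL):
    """Largest number of events inside any window of length `interval` (sliding window)."""
    stamps = sorted(datetime.fromisoformat(e["ts"]["$date"]) for e in events)
    peak = start = 0
    for end, t in enumerate(stamps):
        while t - stamps[start] >= interval:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def oversized(events, limit=SYSLOG_MAX_BYTES):
    """Indices of events whose serialized form exceeds the syslog message limit."""
    return [i for i, e in enumerate(events) if len(json.dumps(e).encode()) > limit]

def assess(events):
    """Summarize what the syslog destination would lose without reporting it."""
    peak = peak_burst(events)
    return {"peak_burst": peak, "would_drop": peak > RATE_LIMIT_BURST,
            "oversized": oversized(events)}

# Constructed sample: 1200 authCheck events in 12 s (a busy application), then one
# event carrying an unusually long parameter.
BASE = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [audit_event(BASE + timedelta(milliseconds=10 * i), "authCheck",
                             command="find", ns="orders.items") for i in range(1200)]
SAMPLE_EVENTS.append(audit_event(BASE + timedelta(seconds=60), "createCollection", ns="x" * 1500))

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

If would_drop is true for your real event rate, raise RateLimitBurst or write to a file destination instead; the audit trail itself will never tell you that events went missing.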

Output to Console

To enable auditing and print the audit events to standard output (stdout), specify console for the --auditDestination setting. For example:

mongod --dbpath data/db --auditDestination console

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment, or if your deployment members run on different hosts, specify --bind_ip.

Important

Before you bind to other IP addresses, consider enabling access control and the other security measures listed in Security Checklist for Self-Managed Deployments to prevent unauthorized access.

You may also specify these options in the configuration file:

storage:
  dbPath: data/db
auditLog:
  destination: console

Output to JSON File

To enable auditing and print audit events to a file in JSON format, specify the following options:

Option                Value
--auditDestination    file
--auditFormat         JSON
--auditPath           The output filename. Accepts either the full path name or a relative path name.

For example, the following enables auditing and records audit events to a file with the relative path name data/db/auditLog.json:

mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment, or if your deployment members run on different hosts, specify --bind_ip.

Important

Before you bind to other IP addresses, consider enabling access control and the other security measures listed in Security Checklist for Self-Managed Deployments to prevent unauthorized access.

The audit file may be rotated with the logRotate command, either alongside the server log or independently. Rotation specifics may be configured with the systemLog.logRotate configuration file option or the --logRotate command-line option.

You may also specify these options in the configuration file:

storage:
  dbPath: data/db
auditLog:
  destination: file
  format: JSON
  path: data/db/auditLog.json

Note

Printing audit events to a file in JSON format degrades server performance more than printing to a file in BSON format.
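The JSON file written above is one audit document per line. As an added example (not the MongoDB project's code), this Python script parses a constructed sample of such a file, reports any line that is not a complete document (a hole in the trail is itself a finding), and summarizes failed authentications per source address and privileged actions. The sample lines, the list of privileged action types and the field names follow the audit message shape but are assumptions here.

```python
import json
from collections import Counter

def audit_line(ts, atype, ip, result, **param):
    # One audit message in the JSON shape mongod writes: atype, ts, local, remote,
    # users, roles, param, result (0 = success, 18 = AuthenticationFailed).
    return json.dumps({"atype": atype, "ts": {"$date": ts}, "local": {"ip": "127.0.0.1", "port": 27017},
                       "remote": {"ip": ip, "port": 51000}, "users": [], "roles": [],
                       "param": param, "result": result})

# Constructed sample of data/db/auditLog.json; the last line is cut off mid-document,
# as happens when mongod stops while writing.
SAMPLE_AUDIT_LOG = "\n".join([
    audit_line("2024-05-01T10:00:00.000+00:00", "authenticate", "203.0.113.7", 18, user="admin", db="admin", mechanism="SCRAM-SHA-256"),
    audit_line("2024-05-01T10:00:01.000+00:00", "authenticate", "203.0.113.7", 18, user="admin", db="admin", mechanism="SCRAM-SHA-256"),
    audit_line("2024-05-01T10:00:02.000+00:00", "authenticate", "203.0.113.7", 0, user="admin", db="admin", mechanism="SCRAM-SHA-256"),
    audit_line("2024-05-01T10:00:03.000+00:00", "createUser", "203.0.113.7", 0, user="svc_report", db="admin"),
    audit_line("2024-05-01T10:00:04.000+00:00", "dropDatabase", "203.0.113.7", 0, ns="payroll"),
    audit_line("2024-05-01T10:00:05.000+00:00", "authenticate", "198.51.100.2", 0, user="app", db="orders", mechanism="SCRAM-SHA-256")[:60],
])

REQUIRED = {"atype", "ts", "result"}
# Action types a reviewer wants to see every time, regardless of outcome (assumed list).
PRIVILEGED = {"createUser", "dropUser", "createRole", "grantRolesToUser", "dropDatabase", "dropCollection"}

def parse_audit_log(text):
    """Return (events, bad_line_numbers). An incomplete line is reported, not skipped."""
    events, bad = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            bad.append(n)
            continue
        if not isinstance(doc, dict) or not REQUIRED.issubset(doc):
            bad.append(n)
            continue
        events.append(doc)
    return events, bad

def summarize(events):
    """Failed authentications per source address, privileged actions, and counts by atype."""
    failed = Counter(e["remote"]["ip"] for e in events
                     if e["atype"] == "authenticate" and e["result"] != 0)
    privileged = [(e["ts"]["$date"], e["atype"], e["param"]) for e in events if e["atype"] in PRIVILEGED]
    return {"auth_failures_by_ip": dict(failed), "privileged": privileged,
            "by_atype": dict(Counter(e["atype"] for e in events))}
```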

Output to BSON File

To enable auditing and print audit events to a file in BSON binary format, specify the following options:

Option                Value
--auditDestination    file
--auditFormat         BSON
--auditPath           The output filename. Accepts either the full path name or a relative path name.

For example, the following enables auditing and records audit events to a BSON file with the relative path name data/db/auditLog.bson:

mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment, or if your deployment members run on different hosts, specify --bind_ip.

Important

Before you bind to other IP addresses, consider enabling access control and the other security measures listed in Security Checklist for Self-Managed Deployments to prevent unauthorized access.

The audit file is rotated at the same time as the server log file. Rotation specifics may be configured with the systemLog.logRotate configuration file option or the --logRotate command-line option.

You may also specify these options in the configuration file:

storage:
  dbPath: data/db
auditLog:
  destination: file
  format: BSON
  path: data/db/auditLog.bson

The following example converts the audit log into readable form using bsondump and outputs the result:

bsondump data/db/auditLog.bson

Output Messages in OCSF Format

Starting in MongoDB 8.0, MongoDB can write log messages in OCSF format. The OCSF schema provides logs in a standardized format compatible with log processors.

To use the OCSF schema for log messages, set the --auditSchema option to OCSF. For example:

mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json --auditSchema OCSF

You can also specify the OCSF schema with the auditLog.schema configuration file option:

storage:
  dbPath: data/db
auditLog:
  destination: file
  format: JSON
  path: data/db/auditLog.json
  schema: OCSF

For more information on the OCSF schema, see OCSF Schema Audit Messages.

Runtime Audit Filter Management

Starting in MongoDB 5.0, audit filters can be configured at runtime. Runtime Audit Filter Management provides three benefits compared to audit filter configurations that are specified in a local mongod or mongos configuration file:

Separation of Concerns

Prior to MongoDB 5.0, anyone auditing a MongoDB mongod or mongos instance had to have write access to the host server's file system in order to update audit filters. Runtime Audit Filter Management improves security by separating audit access from administrative access.

Using Runtime Audit Filter Management instead of editing configuration files directly means:

  • File system access is not required, so an auditor does not need access to the mongod or mongos host server.
  • There is no direct access to the mongod or mongos instance's configuration file.
  • Runtime Audit Filter Management only exposes audit filters and the auditAuthorizationSuccess parameter.

Runtime Configurability

Starting in MongoDB 5.0, when Runtime Audit Filter Management is enabled, auditing can be reconfigured at runtime without restarting the mongod or mongos instance. A statically configured instance has to be restarted to update its audit settings.

Audit filter modifications made at runtime persist when an instance is shut down and restarted.

Consistency

Within a cluster, if all participating mongod and mongos nodes are configured to use Runtime Audit Filter Management, then every node will use the same audit filters. In contrast, if each node has its own locally configured audit filters, there is no guarantee of audit filter consistency across nodes.

Enable Runtime Audit Filter Management

Starting in MongoDB 5.0, audit configurations for mongod and mongos nodes can be configured at runtime. A group of these nodes can take part in a distributed audit configuration.

To include a node in a distributed audit configuration, update the node's configuration file as follows and restart the server.

Parameter                        Value
auditLog.runtimeConfiguration    true
auditLog.filter                  Unset
auditAuthorizationSuccess        Unset

The server logs an error and fails to start if:

To modify audit filters and the auditAuthorizationSuccess parameter at runtime, see auditConfig.