
Auditing in MongoDB Atlas

This article describes how to download Audit logs and some of the information you can find within those logs.

Written by Ayush Mallik
Updated over 2 weeks ago

Auditing in MongoDB Atlas tracks system activity by users and applications. It captures a detailed log of database activities, including changes to the database schema, authentication attempts, and data access.

All of these events appear in the audit logs. To narrow what is logged, you can configure a Custom Auditing Filter. Please refer to Configure a Custom Auditing Filter.

After you apply filters, your database will log activity that matches the filter. Since the audit logs are in JSON format, you can upload the file into a mongod deployment and run MQL (MongoDB Query Language) queries on the mongod to find the information that you are looking for.

Steps:

  1. Download the audit logs from your cluster.

  2. Start a local mongod or use an Atlas cluster.

  3. Import audit logs using mongoimport. In the following example, mongoimport is used to import audit-log.json into the “auditTest.auditColl” namespace:

  4. If the full audit-log.json file was imported, you will see the following ending message:

Successful import

  6. The following is an example of an audit log entry:

{
  "atype": "authCheck",
  "ts": {
    "$date": "2023-10-21T07:20:57.225+00:00"
  },
  "uuid": {
    "$binary": "AinogblVRY2y+aigHI/Peg==",
    "$type": "04"
  },
  "local": {
    "ip": "192.168.152.9",
    "port": 27017
  },
  "remote": {
    "ip": "171.10.230.10",
    "port": 58238
  },
  "users": [],
  "roles": [],
  "param": {
    "command": "isMaster",
    "ns": "admin",
    "args": {
      "isMaster": 1,
      "helloOk": true,
      "client": {
        "driver": {
          "name": "PyMongo|Motor",
          "version": "4.6.0|3.1.1"
        },
        "os": {
          "type": "Linux",
          "name": "Linux",
          "architecture": "amd64",
          "version": "5.10.196-205.748.amzn2.x86_64"
        },
        "platform": "Java/Azul Systems, Inc./1.7.0_362-a09|Scala/1.12.14/Spark/2.2.1"
      },
      "$db": "admin"
    }
  },
  "result": 0
}

  7. To list the unique remote IP addresses of all clients in your audit log, and optionally write them to a new collection, use the following query:

> db.auditColl.aggregate( [{ $group: { _id: "$remote.ip" } },{ $project: { _id: 0, remote: "$_id" }}] )

Modify the query based on the information you are looking for. Note: You can write the output of the query to a new collection by adding the $out stage at the end of the pipeline, where ipAddresses is the name of the collection. For example:

{$out: "ipAddresses"}
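The grouping by remote IP from the last step, extended into a per-client triage summary that runs with Node.js and no mongod. This is an added example, not part of the original article. It assumes the log holds one JSON document per line and treats a non-zero result as a failed operation; the sample log lines and the function name summariseByRemoteIp are constructed for illustration.

```javascript
// Added example: per-client summary of an audit log, no mongod required.
// Assumes one JSON document per line, as mongoimport reads the file.
// SAMPLE_LOG is constructed; the IPs are documentation-range addresses.
const SAMPLE_LOG = [
  '{"atype":"authenticate","ts":{"$date":"2023-10-21T07:20:57.225+00:00"},"remote":{"ip":"203.0.113.7","port":58238},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2023-10-21T07:20:58.100+00:00"},"remote":{"ip":"203.0.113.7","port":58240},"result":18}',
  '{"atype":"authCheck","ts":{"$date":"2023-10-21T07:21:03.000+00:00"},"remote":{"ip":"198.51.100.20","port":40112},"param":{"command":"find","ns":"app.orders"},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2023-10-21T07:19:00.000+00:00"},"remote":{"ip":"198.51.100.20","port":40112},"param":{"command":"isMaster","ns":"admin"},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2023-10-21T07:22:10.000+00:00"},"remote":{"ip":"198.51.100.20","port":40112},"param":{"command":"dropDatabase","ns":"app"},"result":13}',
  '{"atype":"authCheck","ts":{"$date":"2023-10-21T07:2', // truncated line, as in a partial download
].join("\n");

function summariseByRemoteIp(text) {
  const byIp = new Map();
  let skipped = 0; // lines that are not valid JSON or carry no remote.ip
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { skipped++; continue; }
    const ip = entry?.remote?.ip; // same key as $group on "$remote.ip"
    if (!ip) { skipped++; continue; }
    let row = byIp.get(ip);
    if (!row) {
      row = { remote: ip, events: 0, failures: 0, atypes: {}, first: Infinity, last: -Infinity };
      byIp.set(ip, row);
    }
    row.events++;
    if (entry.result !== 0) row.failures++; // result 0 is success; non-zero is an error code
    row.atypes[entry.atype] = (row.atypes[entry.atype] || 0) + 1;
    const t = Date.parse(entry.ts?.$date);
    if (Number.isFinite(t)) {
      row.first = Math.min(row.first, t);
      row.last = Math.max(row.last, t);
    }
  }
  // Clients with the most failed operations first, then the busiest.
  const rows = [...byIp.values()].sort((a, b) => b.failures - a.failures || b.events - a.events);
  for (const r of rows) {
    r.first = Number.isFinite(r.first) ? new Date(r.first).toISOString() : null;
    r.last = Number.isFinite(r.last) ? new Date(r.last).toISOString() : null;
  }
  return { rows, skipped };
}

console.log(JSON.stringify(summariseByRemoteIp(SAMPLE_LOG), null, 2));
```

A non-zero skipped count means the file contains lines that could not be parsed, which is worth checking before trusting any totals.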

Please feel free to reach out if you have any further questions.
