Configuring MongoDB auditing

The following instructions describe how to configure event auditing in MongoDB 7.0. They assume that events are transmitted via syslog in JSON format and apply only to databases installed on Unix-like operating systems. Enabling event auditing can increase the load on the database. For information about the audit subsystem, refer to the MongoDB documentation: https://www.mongodb.com/docs/manual/core/auditing/.

To configure event auditing in MongoDB:

  1. Create a backup copy of the /etc/mongod.conf MongoDB configuration file.
  2. Edit the /etc/mongod.conf file.

    The "auditLog" and "setParameter" sections in the edited file should look like this:

    auditLog:
      destination: syslog
      filter: '{atype: {$in: ["authenticate", "authCheck", "logout", "renameCollection", "dropCollection", "dropDatabase", "createUser", "dropUser", "dropAllUsersFromDatabase", "updateUser", "grantRolesToUser", "grantRolesToRole", "revokeRolesFromUser", "revokeRolesFromRole", "createRole", "updateRole", "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole", "revokeRolesFromRole", "grantPrivilegesToRole", "revokePrivilegesFromRole", "replSetReconfig", "enableSharding", "shardCollection", "addShard", "removeShard", "applicationMessage", "shutdown"]}}'
    setParameter: { auditAuthorizationSuccess: true }

    When editing, pay attention to the formatting of the YAML file: indentation is significant and must use spaces, not tabs.

  3. Save the changes made to the /etc/mongod.conf file.
  4. Restart the MongoDB service:

    systemctl restart mongod.service

MongoDB auditing is configured.
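
To check that the audit events produced by this configuration can be consumed, the following added example (not part of the original instructions or of MongoDB) extracts the JSON audit record from each syslog line and flags failed logins, denied operations and account or role changes. The syslog prefix, host name, addresses and the SAMPLE lines are constructed for illustration; the field names (atype, remote, param, result) and result codes follow the MongoDB audit message format.

```python
import json

OK, UNAUTHORIZED, AUTH_FAILED = 0, 13, 18  # values of the audit "result" field
# Account and role changes, taken from the atype filter above.
PRIVILEGE_CHANGES = {"createUser", "dropUser", "updateUser", "grantRolesToUser", "revokeRolesFromUser",
                     "createRole", "updateRole", "dropRole", "grantRolesToRole", "grantPrivilegesToRole"}

def parse_audit_line(line):
    """Return the audit event carried in one syslog line, or None."""
    start = line.find("{")  # assumption: the syslog prefix contains no '{'
    if start == -1:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:  # truncated or non-JSON payload
        return None
    return event if isinstance(event, dict) and "atype" in event else None

def classify(event):
    """Label events worth an analyst's attention; None for everything else."""
    atype, result = event["atype"], event.get("result")
    if atype == "authenticate" and result == AUTH_FAILED:
        return "failed-login"
    if atype == "authCheck" and result == UNAUTHORIZED:
        return "denied-operation"
    if atype in PRIVILEGE_CHANGES and result == OK:
        return "privilege-change"
    return None

def triage(lines):
    """Return (label, atype, remote ip) for each flagged line."""
    findings = []
    for line in lines:
        event = parse_audit_line(line)
        label = classify(event) if event else None
        if label:
            remote = (event.get("remote") or {}).get("ip", "unknown")
            findings.append((label, event["atype"], remote))
    return findings

# Constructed sample lines; the syslog prefix and all values are made up.
P = "Jan 10 12:00:01 db01 mongod[812]: "
SAMPLE = [
    P + '{"atype":"authenticate","remote":{"ip":"192.0.2.10","port":50112},"param":{"user":"app","db":"admin"},"result":18}',
    P + '{"atype":"createUser","remote":{"ip":"192.0.2.20","port":50200},"param":{"user":"ops","db":"admin"},"result":0}',
    P + '{"atype":"authCheck","remote":{"ip":"192.0.2.10","port":50112},"param":{"command":"find","ns":"app.orders"},"result":0}',
    P + '{"atype":"dropDatabase","remote":{"ip":"192.0.2.3',  # truncated in transit
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because auditAuthorizationSuccess is set to true, successful authCheck events such as the third sample line also arrive; the example leaves them unflagged and skips lines whose JSON payload is incomplete.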
