OPTIONS

System Event Audit Messages

Note

The audit system is available only in MongoDB Enterprise.

The event auditing feature can record events in JSON format. The recorded JSON messages have the following syntax:

{
  atype: <String>,
  ts : { "$date": <timestamp> },
  local: { ip: <String>, port: <int> },
  remote: { ip: <String>, port: <int> },
  users : [ { user: <String>, db: String> }, ... ],
  params: <document>,
  result: <int>
}
Field Type Description
atype String Action type. See Event Actions, Details, and Results.
ts document Document that contains the date and UTC time of the event, in ISO 8601 format.
local document Document that contains the local ip address and the port number of the running instance.
remote document Document that contains the remote ip address and the port number of the incoming connection associated with the event.
users array Array of user identification documents. Because MongoDB allows a session to log in with different user per database, this array can have more than one user. Each document contains a user field for the username and a db field for the authentication database for that user.
params document Specific details for the event. See Event Actions, Details, and Results.
result integer Error code. See Event Actions, Details, and Results.

Event Actions, Details, and Results

The following table lists for each atype or action type, the associated params details and the result values, if any.

atype params result Notes
authenticate
{
  user: <user name>,
  db: <database>,
  mechanism: <mechanism>
}

0 - Success

18 - Authentication Failed

 
authCheck
{
  command: <name>,
  ns: <database>.<collection>,
  args: <command object>
}

0 - Success

13 - Unauthorized to perform the operation.

The auditing system logs only authorization failures.

ns field is optional.

args field may be redacted.

createCollection
{ ns: <database>.<collection> }
0 - Success  
createDatabase
{ ns: <database> }
0 - Success  
createIndex
{
  ns: <database>.<collection>,
  indexName: <index name>,
  indexSpec: <full index specification>
}
0 - Success  
renameCollection
{
  old: <database>.<collection>,
  new: <database>.<collection>
}
0 - Success  
dropCollection
{ ns: <database>.<collection> }
0 - Success  
dropDatabase
{ ns: <database> }
0 - Success  
dropIndex
{
  ns: <database>.<collection>,
  indexName: <index name>
}
0 - Success  
createUser
{
  user: <user name>,
  db: <database>,
  customData: <document>,
  roles: [ <role1>, ... ]
}
0 - Success customData field is optional.
dropUser
{
  user: <user name>,
  db: <database>
}
0 - Success  
dropAllUsersFromDatabase
{ db: <database> }
0 - Success  
updateUser
{
  user: <user name>,
  db: <database>,
  passwordChanged: <boolean>,
  customData: <document>,
  roles: [ <role1>, ... ]
}
0 - Success customData field is optional.
grantRolesToUser
{
  user: <user name>,
  db: <database>,
  roles: [ <role1>, ... ]
}
0 - Success The roles array contains role documents. See role Document.
revokeRolesFromUser
{
  user: <user name>,
  db: <database>,
  roles: [ <role1>, ... ]
}
0 - Success The roles array contains role documents. See role Document.
createRole
{
  role: <role name>,
  db: <database>,
  roles: [ <role1>, ... ],
  privileges: [ <privilege1>, ... ]
}
0 - Success

Either roles or the privileges field can be optional.

The roles array contains role documents. See role Document.

The privileges array contains privilege documents. See privilege Document.

updateRole
{
  role: <role name>,
  db: <database>,
  roles: [ <role1>, ... ],
  privileges: [ <privilege1>, ... ]
}
0 - Success

Either roles or the privileges field can be optional.

The roles array contains role documents. See role Document.

The privileges array contains privilege documents. See privilege Document.

dropRole
{
  role: <role name>,
  db: <database>
}
0 - Success  
dropAllRolesFromDatabase
{ db: <database> }
0 - Success  
grantRolesToRole
{
  role: <role name>,
  db: <database>,
  roles: [ <role1>, ... ]
}
0 - Success The roles array contains role documents. See role Document.
revokeRolesFromRole
{
  role: <role name>,
  db: <database>,
  roles: [ <role1>, ... ]
}
0 - Success The roles array contains role documents. See role Document.
grantPrivilegesToRole
{
  role: <role name>,
  db: <database>,
  privileges: [ <privilege1>, ... ]
}
0 - Success The privileges array contains privilege documents. See privilege Document.
revokePrivilegesFromRole
{
  role: <role name>,
  db: <database name>,
  privileges: [ <privilege1>, ... ]
}
0 - Success The privileges array contains privilege documents. See privilege Document.
replSetReconfig
{
  old: <configuration>,
  new: <configuration>
}
0 - Success  
enableSharding
{ ns: <database> }
0 - Success  
shardCollection
{
  ns: <database>.<collection>,
  key: <shard key pattern>,
  options: { unique: <boolean> }
}
0 - Success  
addShard
{
  shard: <shard name>,
  connectionString: <hostname>:<port>,
  maxSize: <maxSize>
}
0 - Success When a shard is a replica set, the connectionString includes the replica set name and can include other members of the replica set.
removeShard
{ shard: <shard name> }
0 - Success  
shutdown
{ }
0 - Success Indicates commencement of database shutdown.
applicationMessage
{ msg: <custom message string> }
0 - Success See logApplicationMessage.

Additional Information

role Document

The <role> document in the roles array has the following form:

{
  role: <role name>,
  db: <database>
}

privilege Document

The <privilege> document in the privilege array has the following form:

{
  resource: <resource document> ,
  actions: [ <action>, ... ]
}

See Resource Document for details on the resource document. For a list of actions, see Privilege Actions.