What Is MongoDB Auditing?
MongoDB is an open source, NoSQL database management system that enables storage and retrieval of document-oriented data. Organizations can use MongoDB for ad hoc queries, indexing, load balancing, aggregation, and server-side JavaScript execution.
MongoDB also provides security features such as authentication, access control, and encryption. Among these MongoDB security features, the database platform provides an auditing mechanism that writes every database event to a journal. MongoDB can be set up with an auditing guarantee, meaning that all database operations are guaranteed to be audited. This enables inspection of historic database activities for security, compliance, and troubleshooting purposes.
In this article:
The Importance of Database Auditing
Database auditing is one of the key components organizations must set up to ensure compliance with industry standards and regulations. For example, the EU General Data Protection Regulation (GDPR) sets data protection rules that must be integrated into applications, products, and services from the ground up, starting from the database.
Any system component that can access data might be compromised, leading to a data breach. Database auditing ensures that there is a clear audit trail of any activity on the database, especially sensitive operations such as changing user permissions, accessing sensitive data tables or fields, and deleting data. When a breach occurs, auditing makes it possible to trace back the breach to specific users and database operations.
Related content: Read our guide on MongoDB monitoring and Securing data platforms keeps you away from data engineering
MongoDB Audit Guarantees
MongoDB’s auditing system records each audit event using an in-memory audit event buffer, periodically writing the buffer to disk. Suppose MongoDB collects multiple events from a given connection to the disk. In that case, it arranges them in order—the system ensures that all previous events related to the connection have been recorded before writing a new event.
MongoDB always writes audit event entries that correspond to operations affecting the database’s state first. Only then can the system write to the journal for the entry. For example, if an event modifies data in the database, MongoDB writes it to disk before adding the operation to the journal.
MongoDB must have journaling enabled to enable audit guarantees.
How to Configure Auditing in MongoDB
Specify the –auditDestination option to enable auditing in MongoDB. Set the configuration by specifying the output destination for audit events.
Syslog output
Under the –auditDestination setting, specify syslog to output audit events in JSON to the system log. It should look like this:
mongod --dbpath data/db --auditDestination syslog It is possible to add more options to the configuration. For example, specifying the –bind_ip lets clients connect to the deployment. Before binding to different IP addresses, it is recommended to enable security measures such as access control to prevent unauthorized access.
The syslog might have a message limit that truncates the audit messages. The auditing system cannot detect this truncation, so it may be necessary to specify the following configuration options:
storage: dbPath: DATA/db auditLog: destination: syslog
Console output
Under the –auditDestination setting, specify console to enable the printing of audit events to stdout (standard output). It should look like this:
mongod --dbpath data/db --auditDestination console It is possible to add more options to the configuration. For example, specifying the –bind_ip will allow clients to connect to the deployment and support running deployment members on multiple hosts. Before binding to different IP addresses, it is recommended to enable security measures such as access control to prevent unauthorized access.
It may be necessary to specify the following configuration options:
storage: dbPath: DATA/db auditLog: destination: console
JSON output
There are several specifications for enabling the auditing system to print events to file using the JSON format:
--auditDestination --auditFormat --auditPath
The configuration might look like this:
mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json This configuration enables the writing of audit events to file using the data/db/auditLog.json relative pathname.
An additional option is to rotate the audit file using the logRotate command—this may be independently or in combination with the server log. Use the systemLog.logRotate option to configure the specifics of rotation. Alternatively, use the –logRotate option in the command line.
Additional configuration options may include:
storage: dbPath: DATA/db auditLog: destination: file format: JSON path: DATA/db/auditLog.json
BSON output
The following specifications enable the auditing system to write audit events to file in the BSON format:
--auditDestination --auditFormat --auditPath
The configuration might look like this:
mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson This configuration enables audits and records events to a BSON file using the data/db/auditLog.bson relative pathname.
The server log file and audit file are rotated at the same time. Use the systemLog.logRotate option to configure the specifics of rotation. The –logRotate command-line configuration is also an option.
Additional configuration options may include:
storage: dbPath: DATA/db auditLog: destination: file format: BSON path: DATA/db/auditLog.bson
For example, the bsondump data/db/auditLog.bson configuration will convert audit logs to a readable format using bsondump, outputting the result.
MongoDB Security with Satori
Satori’s data security platform provides comprehensive data auditing and monitoring. Complete data access audits and aggregated auditing of all query logs in a single location to store all logs. MongoDB.
To learn more:
