Content Store auditing
The Content Store can log each event executed on it, we call this auditing. To do this the Content Store utilizes the MongoDB audit capabilities.
Prerequisite
- Mongo Enterprise Server version 5.x or higher
Configuration
To enable auditing, you need to add the following to your config file: Program Files/mongodb/server/6.0/bin/mongod.cfg
:
auditLog:
destination: file
format: JSON
path: C:\Program Files\MongoDB\Server\6.0\log\audit.json
setParameter: { auditAuthorizationSuccess: true }
The auditAuthorizationSuccess
parameter is needed if you want to capture read and write operations.
Other destinations are supported. For more information, please refer to the MongoDB documentation.
AuditLog filtering
The avoid cluttering the audit log, it can be filtered by adding a filter
to the auditLog
configuration.
auditLog:
destination: file
format: JSON
path: C:\Program Files\MongoDB\Server\6.0\log\audit.json
filter: '{
"$or": [
{ "atype": { "$in": ["createDatabase", "dropDatabase", "createCollection","dropCollection"] }},
{
"atype": "authCheck",
"param.command": { "$in": ["insert", "update", "delete", "findAndModify" ]}
}
]
}'
setParameter: { auditAuthorizationSuccess: true }
This is an example of a filter that will log the most import operations (mainly CRUD operations that change migration data). For more information, please refer to the MongoDB documentation.
It is recommended to exclude CRUD operations from the xill4_system
database from the audit log, as it contains logs itself. To do this you have to add the param.ns
to the authCheck
filter with the following value: { "$not": { "$regex": "^xill4_system\\." }}
resulting in the following filter:
```yaml
auditLog:
filter: '{
"$or": [
{ "atype": { "$in": ["createDatabase", "dropDatabase", "createCollection","dropCollection"] }},
{
"atype": "authCheck",
"param.command": { "$in": ["insert", "update", "delete",
"findAndModify" ]},
"param.ns": { "$not": { "$regex": "^xill4_system\\." }}
}
]
}'