Skip to main content
Version: 4.47.0

Content Store auditing

The Content Store can log each event executed on it, we call this auditing. To do this the Content Store utilizes the MongoDB audit capabilities.

Prerequisite

  • Mongo Enterprise Server version 5.x or higher

Configuration

To enable auditing, you need to add the following to your config file: Program Files/mongodb/server/6.0/bin/mongod.cfg:

auditLog:
destination: file
format: JSON
path: C:\Program Files\MongoDB\Server\6.0\log\audit.json
setParameter: { auditAuthorizationSuccess: true }

The auditAuthorizationSuccess parameter is needed if you want to capture read and write operations.

Other destinations are supported. For more information, please refer to the MongoDB documentation.

AuditLog filtering

The avoid cluttering the audit log, it can be filtered by adding a filter to the auditLog configuration.

auditLog:
destination: file
format: JSON
path: C:\Program Files\MongoDB\Server\6.0\log\audit.json
filter: '{
"$or": [
{ "atype": { "$in": ["createDatabase", "dropDatabase", "createCollection","dropCollection"] }},
{
"atype": "authCheck",
"param.command": { "$in": ["insert", "update", "delete", "findAndModify" ]}
}
]
}'
setParameter: { auditAuthorizationSuccess: true }

This is an example of a filter that will log the most import operations (mainly CRUD operations that change migration data). For more information, please refer to the MongoDB documentation.

It is recommended to exclude CRUD operations from the xill4_system database from the audit log, as it contains logs itself. To do this you have to add the param.ns to the authCheck filter with the following value: { "$not": { "$regex": "^xill4_system\\." }} resulting in the following filter:


```yaml
auditLog:
filter: '{
"$or": [
{ "atype": { "$in": ["createDatabase", "dropDatabase", "createCollection","dropCollection"] }},
{
"atype": "authCheck",
"param.command": { "$in": ["insert", "update", "delete",
"findAndModify" ]},
"param.ns": { "$not": { "$regex": "^xill4_system\\." }}
}
]
}'