系统事件审计信息¶

On this page

Audit Message
Audit Event Actions, Details, and Results

注解

Audit Message¶

The event auditing feature can record events in JSON format. To configure auditing output, see Configure Auditing

The recorded JSON messages have the following syntax:

{
  atype: <String>,
  ts : { "$date": <timestamp> },
  local: { ip: <String>, port: <int> },
  remote: { ip: <String>, port: <int> },
  users : [ { user: <String>, db: <String> }, ... ],
  roles: [ { role: <String>, db: <String> }, ... ],
  param: <document>,
  result: <int>
}

Field	Type	Description
类型	string	Action type. See Audit Event Actions, Details, and Results.
`ts`	document	Document that contains the date and UTC time of the event, in ISO 8601 format.
`local`	document	Document that contains the local `ip` address and the `port` number of the running instance.
`remote`	document	Document that contains the remote `ip` address and the `port` number of the incoming connection associated with the event.
`users`	array	Array of user identification documents. Because MongoDB allows a session to log in with different user per database, this array can have more than one user. Each document contains a `user` field for the username and a `db` field for the authentication database for that user.
`roles`	array	Array of documents that specify the roles granted to the user. Each document contains a `role` field for the name of the role and a `db` field for the database associated with the role.
`param`	document	Specific details for the event. See Audit Event Actions, Details, and Results.
结果	integer	Error code. See Audit Event Actions, Details, and Results.

Audit Event Actions, Details, and Results¶

The following table lists for each atype or action type, the associated param details and the result values, if any.

类型	`param`	结果
认证	{ user: <user name>, db: <database>, mechanism: <mechanism> }	‘0‘ 表示成功 ’18’表示认证失败
自动认证	{ command: <name>, ns: <database>.<collection>, args: <command object> } `ns` field is optional. `args` field may be redacted.	‘0‘ 表示成功 `13` - Unauthorized to perform the operation. By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the `auditAuthorizationSuccess` parameter. [1]
认证：createCollection	{ ns: <database>.<collection> }	‘0‘ 表示成功
认证：createDatabase	{ ns: <database> }	‘0‘ 表示成功
认证：createIndex	{ ns: <database>.<collection>, indexName: <index name>, indexSpec: <index specification> }	‘0‘ 表示成功
认证：renameCollection	{ old: <database>.<collection>, new: <database>.<collection> }	‘0‘ 表示成功
认证：dropCollection	{ ns: <database>.<collection> }	‘0‘ 表示成功
认证：dropDatabase	{ ns: <database> }	‘0‘ 表示成功
认证：dropIndex	{ ns: <database>.<collection>, indexName: <index name> }	‘0‘ 表示成功
认证：createUser	{ user: <user name>, db: <database>, customData: <document>, roles: [ { role: <role name>, db: <database> }, ... ] } The `customData` field is optional.	‘0‘ 表示成功
认证：dropUser	{ user: <user name>, db: <database> }	‘0‘ 表示成功
认证：dropAllUsersFromDatabase	{ db: <database> }	‘0‘ 表示成功
认证：updateUser	{ user: <user name>, db: <database>, passwordChanged: <boolean>, customData: <document>, roles: [ { role: <role name>, db: <database> }, ... ] } The `customData` field is optional.	‘0‘ 表示成功
认证：grantRolesToUser	{ user: <user name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }	‘0‘ 表示成功
认证：revokeRolesFromUser	{ user: <user name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }	‘0‘ 表示成功
认证：createRole	{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ], privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] } The `roles` and the `privileges` fields are optional. For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.	‘0‘ 表示成功
认证：updateRole	{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ], privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] } The `roles` and the `privileges` fields are optional. For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.	‘0‘ 表示成功
认证：dropRole	{ role: <role name>, db: <database> }	‘0‘ 表示成功
认证：dropAllRolesFromDatabase	{ db: <database> }	‘0‘ 表示成功
认证：grantRolesToRole	{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }	‘0‘ 表示成功
认证：revokeRolesFromRole	{ role: <role name>, db: <database>, roles: [ { role: <role name>, db: <database> }, ... ] }	‘0‘ 表示成功
认证：grantPrivilegesToRole	{ role: <role name>, db: <database>, privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] } For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.	‘0‘ 表示成功
认证：revokePrivilegesFromRole	{ role: <role name>, db: <database name>, privileges: [ { resource: <resource document>, actions: [ <action>, ... ] }, ... ] } For details on the resource document, see Resource Document. For a list of actions, see Privilege Actions.	‘0‘ 表示成功
认证：enableSharding	{ ns: <database> }	‘0‘ 表示成功
认证：shardCollection	{ ns: <database>.<collection>, key: <shard key pattern>, options: { unique: <boolean> } }	‘0‘ 表示成功
认证：addShard	{ shard: <shard name>, connectionString: <hostname>:<port>, maxSize: <maxSize> } When a shard is a replica set, the `connectionString` includes the replica set name and can include other members of the replica set.	‘0‘ 表示成功
认证：removeShard	{ shard: <shard name> }	‘0‘ 表示成功
认证：shutdown	{ } 显示数据库即将关闭。	‘0‘ 表示成功
认证：applicationMessage	{ msg: <custom message string> } 见数据库命令：logApplicationMessage	‘0‘ 表示成功

[1]	Enabling `auditAuthorizationSuccess` degrades performance more than logging only the authorization failures.

← Privilege Actions Create a Vulnerability Report →