Navigation

Configure a Custom Auditing Filter

Note

This feature is not available for M0 (Free Tier), M2, and M5 clusters. For more information, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas supports specifying a JSON-formatted audit filter for customizing MongoDB Auditing.

Custom audit filters allow users to forgo the managed Atlas UI auditing filter builder in favor of hand-tailored granular control of event auditing. Atlas only checks that the custom filter uses valid JSON syntax, and does not validate or test the filter’s functionality.

The audit filter document must resolve to a query that matches one or more fields in the audit event message. The filter document can use combinations of query operators and equality conditions to match the desired audit messages.

For a selection of example auditing filters, see Example Auditing Filters. For complete documentation on configuring MongoDB auditing filters, see Configure Audit Filter.

Important

Atlas uses a rolling upgrade strategy for enabling or updating audit configuration settings across all clusters in the Atlas project. Rolling upgrades require at least one election per replica set.

For instructions on testing application resilience to replica set elections, see Test Failover. For more information on how Atlas provides high availability, see Atlas High Availability.

Procedure

1

Log in to your Atlas project.

2

Click Security, then click Enterprise Security.

3

Toggle the button next to Database Auditing to On.

4

Select Use Custom JSON Filter.

5

Enter your audit filter into the text box.

6

Optional: Toggle Audit authorization successes.

Warning

Enabling Audit authorization successes can severely impact cluster performance. Enable this option with caution.

For audit filters specifying the authCheck action type, by default the auditing system logs only authorization failures for any specified param.command. Enabling Audit authorization successes directs the auditing system to also log authorization successes. For more information, see auditAuthorizationSuccess

7

Click Save.

You can edit your filter at any time from the Security tab by clicking Audit Filter Settings, then Use Custom JSON Filter. Make the required changes, then click Save.

Example Auditing Filters

Use the following example auditing filters for guidance in constructing your own filters.

Important

These examples are not intended for use in production environments, nor are they a replacement for familiarity with the MongoDB Auditing Documentation.

Audit all authentication events

{
  "atype": "authenticate"
}

Audit authentication events for the “myClusterAdministrator” user

{
  "atype" : "authenticate",
  "param" : {
    "user" : "myClusterAdministrator",
    "db" : "admin",
    "mechanism" : "SCRAM-SHA-1"
  }
}

Audit unauthorized attempts at executing the selected commands

{
  "atype" : "authCheck",
  "param.command" : {
    "$in" : [
       "insert",
       "update",
       "delete"
    ]
  }
}