Navigation

Configure a Custom Auditing Filter

On this page

  • Procedure
  • Example Auditing Filters
Note
Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limitations.

Important
Serverless Instances are in Preview

Serverless instances are in preview and do not support this feature at this time. To learn more, see Serverless Instance Limitations.

Atlas supports specifying a JSON-formatted audit filter for customizing MongoDB Auditing.

Custom audit filters allow users to forgo the managed Atlas UI auditing filter builder in favor of hand-tailored granular control of event auditing. Atlas only checks that the custom filter uses valid JSON syntax, and does not validate or test the filter's functionality.

The audit filter document must resolve to a query that matches one or more fields in the audit event message. The filter document can use combinations of query operators and equality conditions to match the desired audit messages.

For a selection of example auditing filters, see Example Auditing Filters. For complete documentation on configuring MongoDB auditing filters, see Configure Audit Filter.

Important

Atlas uses a rolling upgrade strategy for enabling or updating audit configuration settings across all clusters in the Atlas project. Rolling upgrades require at least one election per replica set.

For instructions on testing application resilience to replica set elections, see Test Failover. For more information on how Atlas provides high availability, see Atlas High Availability.

1
2
3
4
5
6
Warning

Enabling Audit authorization successes can severely impact cluster performance. Enable this option with caution.

For audit filters specifying the authCheck action type, by default the auditing system logs only authorization failures for any specified param.command. Enabling Audit authorization successes directs the auditing system to also log authorization successes. For more information, see auditAuthorizationSuccess

7

You can edit your filter at any time:

  1. In the Security section of the left navigation, click Advanced.
  2. Under Database Auditing Configure Your Auditing Filter, click Use Custom JSON Filter.
  3. Make the required changes.
  4. Click Save.

Use the following example auditing filters for guidance in constructing your own filters.

Important

These examples are not intended for use in production environments, nor are they a replacement for familiarity with the MongoDB Auditing Documentation.

{
"atype": "authenticate"
}
{
"$or": [
{
"users": []
},
{
"atype": "authenticate"
}
]
}
Note

The authenticate action is required to log authentication failures from known and unknown users.

{
"atype": "authenticate",
"param": {
"user": "myClusterAdministrator",
"db": "admin",
"mechanism": "SCRAM-SHA-1"
}
}
{
"atype": "authCheck",
"param.command": {
"$in": [
"insert",
"update",
"delete"
]
}
}
Give Feedback

On this page

  • Procedure
  • Example Auditing Filters