Navigation

Configure a Custom Auditing Filter

Info With Circle IconCreated with Sketch.Note
Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas supports specifying a JSON-formatted audit filter for customizing MongoDB Auditing.

Custom audit filters allow users to forgo the managed Atlas UI auditing filter builder in favor of hand-tailored granular control of event auditing. Atlas only checks that the custom filter uses valid JSON syntax, and does not validate or test the filter's functionality.

The audit filter document must resolve to a query that matches one or more fields in the audit event message. The filter document can use combinations of query operators and equality conditions to match the desired audit messages.

For a selection of example auditing filters, see Example Auditing Filters. For complete documentation on configuring MongoDB auditing filters, see Configure Audit Filter.

Important With Circle IconCreated with Sketch.Important

Atlas uses a rolling upgrade strategy for enabling or updating audit configuration settings across all clusters in the Atlas project. Rolling upgrades require at least one election per replica set.

For instructions on testing application resilience to replica set elections, see Test Failover. For more information on how Atlas provides high availability, see Atlas High Availability.

1
2
3
4
5
6
Warning IconCreated with Sketch.Warning

Enabling Audit authorization successes can severely impact cluster performance. Enable this option with caution.

For audit filters specifying the authCheck action type, by default the auditing system logs only authorization failures for any specified param.command. Enabling Audit authorization successes directs the auditing system to also log authorization successes. For more information, see auditAuthorizationSuccess

7

You can edit your filter at any time:

  1. In the Security section of the left navigation, click Advanced.
  2. Under Database Auditing Configure Your Auditing Filter, click Use Custom JSON Filter.
  3. Make the required changes.
  4. Click Save.

Use the following example auditing filters for guidance in constructing your own filters.

Important With Circle IconCreated with Sketch.Important

These examples are not intended for use in production environments, nor are they a replacement for familiarity with the MongoDB Auditing Documentation.

{
"atype": "authenticate"
}
{
"$or": [
{
"users": []
},
{
"atype": "authenticate"
}
]
}
Info With Circle IconCreated with Sketch.Note

The authenticate action is required to log authentication failures from known and unknown users.

{
"atype": "authenticate",
"param": {
"user": "myClusterAdministrator",
"db": "admin",
"mechanism": "SCRAM-SHA-1"
}
}
{
"atype": "authCheck",
"param.command": {
"$in": [
"insert",
"update",
"delete"
]
}
}
Give Feedback