Understanding MongoDB Auditing: Security, Compliance, and Logging

Effective auditing and logging are essential for the upkeep and administration of database systems, but each has its own approach. Although there are areas of overlap, the better you understand the differences between them, the more effective you will be.

1. Goal

  • Auditing is concerned with granular activities, such as who viewed or edited a file. Fundamentally, it addresses security concerns, supports compliance, or aids investigative work.
  • Logging captures system activities such as operational errors, warnings, or indicators that a system is running, which are crucial for improving efficiency and mitigating performance issues.

2. Degree of Customization

  • Auditing offers a high degree of flexibility: an administrator can specify the criteria to capture, such as logins or document deletions.
  • Logging, in contrast, captures broad categories of system events and does not allow them to be narrowed down in the same way.

3. Record Format

  • Audit logs are well structured: each record contains who performed the action, what the action was, when it took place, and where it was executed from.
  • From version 4.4 onward, system logs are written in JSON format, which is easier to analyze than the plain-text format used in earlier versions.

4. Duration and Definition

  • Audit logs tend to be kept longer because they are needed to demonstrate compliance with policies such as GDPR or HIPAA.
  • System logs are often stored temporarily and rotated after a set period because they consume a lot of space.

In Short

  • Auditing = Security & Compliance (tracking sensitive actions).
  • Logging = System Health (debugging and performance monitoring).

What Can You Audit in MongoDB?

MongoDB’s auditing feature lets you track important events happening in your database. Here are the key types of activities you can monitor:

1. User Access & Permissions

  • Login/Logout: Who logged in (authenticate) and when they logged out (logout).
  • User & Role Changes:

  1. Creating or deleting users (createUser, dropUser).
  2. Modifying roles (createRole, dropRole, grantRoles, revokeRoles).
  3. Updating user permissions (updateUser).

2. Database Administration

  • Sharding (Scaling Your Database):

  1. Enabling sharding (enableSharding).
  2. Adding/removing shards (addShard, removeShard).
  3. Assigning collections to shards (shardCollection).

  • Replica Sets (High Availability):

  1. Initializing or reconfiguring a replica set (replSetInitiate, replSetReconfig).
  2. Leader elections (replSetElect), freezing nodes (replSetFreeze), and more.

  • Maintenance Operations:

  1. Compacting or repairing databases (compact, repairDatabase).

3. Server Activity

  • Startup & Shutdown: When the database starts (startup) or stops (shutdown).

You can find the full list of auditable events on the MongoDB website.

Why Does This Matter?

By enabling auditing, you can:

✔ Track who did what in your database.

✔ Detect unauthorized changes.

✔ Meet compliance requirements (like GDPR or HIPAA).


Setting Up Auditing in MongoDB

While auditing can work without authentication, it’s most useful when authentication is enabled. This way, you can track who performed actions, not just what was done.  

Step 1: Choose an Audit Log Format

MongoDB supports different log formats depending on your needs:  

1. JSON Format

- Stores logs as structured JSON documents.  

- Best for:  

  - Tools that process JSON.

  - Storing logs in MongoDB collections or document databases.  

Example Configuration:

auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json

2. BSON Format 

- Binary version of JSON.

- Best for:  

  - Storing logs directly in MongoDB.  

  - High-performance logging needs.  

Example Configuration:  

auditLog:
  destination: file
  format: BSON
  path: /var/log/mongodb/audit.bson

3. Syslog (Linux/Unix Systems)  

- Sends logs directly to the system’s syslog.  

- Best for:  

  - Centralized logging solutions.  

  - Integration with monitoring tools (like Splunk or ELK).  

Filtering Audit Events  

Instead of logging everything, you can set up filters to track only the most important events. This improves performance and reduces log clutter.  

How to Define Audit Filters  

Filters are set in MongoDB’s config file or at runtime.  

Example 1: Track Collection Creation & Deletion 

auditLog:
  filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'

Example 2: Monitor CRUD Operations on a Specific Collection  

{
  "atype": "authCheck",
  "param.ns": "myDB.myCollection",
  "param.command": { "$in": ["find", "insert", "delete", "update"] }
}

Example 3: Log Only Delete Operations 

{ "atype": "authCheck", "param.command": "delete" }

Changing Filters at Runtime  

You can update filters without restarting MongoDB:  

db.adminCommand({
  setAuditConfig: 1,
  filter: {
    "atype": "authCheck",
    "param.command": { "$in": ["find", "insert", "update", "delete"] }
  }
})

Checking Current Audit Settings 

db.adminCommand({ getAuditConfig: 1 })
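As an added example (not from the article), the Python script below parses constructed JSON-format audit records, answers who/what/when/where for each one, applies the article's collection and CRUD filters the same way mongod evaluates them, and flags failed authentications. The sample records, their values and the helper function names are this example's own.

```python
import json

# Constructed sample of a JSON-format audit log (auditLog.format: JSON), one record
# per line. The field layout is MongoDB's; every value here is made up.
SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:00.000+00:00"},"remote":{"ip":"10.0.0.9","port":51234},"users":[{"user":"alice","db":"admin"}],"param":{"user":"alice","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:02.000+00:00"},"remote":{"ip":"203.0.113.7","port":40001},"users":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"createCollection","ts":{"$date":"2024-05-01T10:01:00.000+00:00"},"remote":{"ip":"10.0.0.9","port":51234},"users":[{"user":"alice","db":"admin"}],"param":{"ns":"myDB.myCollection"},"result":0}
{"atype":"authCheck","ts":{"$date":"2024-05-01T10:02:00.000+00:00"},"remote":{"ip":"10.0.0.9","port":51234},"users":[{"user":"alice","db":"admin"}],"param":{"command":"delete","ns":"myDB.myCollection"},"result":0}
"""

# The article's filters as Python dicts. authCheck records for reads and writes
# are only emitted when the auditAuthorizationSuccess parameter is enabled.
COLLECTION_FILTER = {"atype": {"$in": ["createCollection", "dropCollection"]}}
CRUD_FILTER = {"atype": "authCheck", "param.ns": "myDB.myCollection",
               "param.command": {"$in": ["find", "insert", "delete", "update"]}}

def parse_audit_log(text):
    """One JSON audit record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def get_path(doc, dotted):
    """Resolve a dotted field path such as 'param.ns'; None if absent."""
    for key in dotted.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def matches(event, audit_filter):
    """Apply equality and $in conditions (the subset the article uses) to a record."""
    for path, cond in audit_filter.items():
        value = get_path(event, path)
        if isinstance(cond, dict) and "$in" in cond:
            if value not in cond["$in"]:
                return False
        elif value != cond:
            return False
    return True

def who_what_when_where(event):
    """Who/what/when/where; a failed login has no users, so report the attempted name."""
    who = ",".join(f"{u['user']}@{u['db']}" for u in event.get("users", []))
    return {"who": who or event.get("param", {}).get("user", "-"),
            "what": event["atype"], "when": event["ts"]["$date"],
            "where": f"{event['remote']['ip']}:{event['remote']['port']}",
            "ok": event["result"] == 0}

def failed_authentications(events):
    """Detection: authenticate records whose result code is non-zero."""
    return [who_what_when_where(e) for e in events
            if e["atype"] == "authenticate" and e["result"] != 0]
```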

By implementing auditing effectively, you enhance security, transparency, and compliance, ensuring a more robust database environment.

Srinivas Mutyala

MongoDB SME - Database Architect | 4x-MongoDB Certified, 5x- Azure Cloud Certified - Azure Solutions Architect

1mo

Well-articulated article, good job!! Venkata Siva Sankara Rao Kondapalli
