Audit Logging for MongoDB

Agus Syafaat

One of the security aspects of managing a database is knowing who accessed it, when, and what they did. Even after the MongoDB service itself has been secured, we still want to know who is doing what and to detect anything unusual. In a data breach investigation, an audit log lets us reconstruct historical activity: from which endpoint the attacker connected, which account they used, and what operations they performed once they were inside the database.

In this blog, we will review audit logging for MongoDB and how to implement it.

Enabling Audit Logging in MongoDB

To enable audit logging in MongoDB, add (or edit) the auditLog section of the mongod.conf configuration file:

auditLog:
   destination: file
   format: BSON
   path: /var/lib/mongodb/audit_mongodb.bson


There are three audit log destinations: file, syslog, and console. The file destination can write the log in either JSON or BSON format; syslog and console only emit JSON, and the syslog message size limit can silently truncate long audit messages, so a file on the database host is the safer choice and is what the rest of this post assumes. We can also enable the audit log from the command line when starting the MongoDB service, as shown below:

mongod --dbpath /var/lib/mongodb --auditDestination file --auditFormat BSON --auditPath /var/lib/mongodb/audit_mongodb.bson

Audit Filter in MongoDB

Still in the auditLog section, there is a parameter called filter. It takes a query document (written as a quoted string in the YAML file) that an audit event must match to be written; events that do not match are discarded. For example, to log only authentication attempts against a specific database, we can use the configuration below:

auditLog:
   destination: file
   format: BSON
   path: /var/lib/mongodb/audit_mongodb.bson
   filter: '{ atype: "authenticate", "param.db": "user_profile" }'

This logs every authentication attempt against the user_profile database, successful or not; the result field of the event tells them apart (0 for success, 18 for AuthenticationFailed), which is what you want when looking for password guessing. Another example: to track the actions dropIndex, renameCollection, and dropCollection on any collection in the user_profile database, the configuration would be:

auditLog:
   destination: file
   format: BSON
   path: /var/lib/mongodb/audit_mongodb.bson
   filter: '{ atype: { $in: [ "dropIndex", "renameCollection", "dropCollection" ] }, "param.ns": /^user_profile\./ }'


We can also restrict auditing to actions performed by users who hold a specific role; for that we put the role and its database in the filter:

auditLog:
   destination: file
   format: BSON
   path: /var/lib/mongodb/audit_mongodb.bson
   filter: '{ roles: { role: "readWrite", db: "user_profile" } }'

It will log every action performed by a user who holds the readWrite role on the user_profile database.

By default the audit system records read and write operations (the authCheck event type) only when they fail authorization. To also record successful reads and writes, we need to enable the auditAuthorizationSuccess parameter first, either at runtime with the command below:

db.adminCommand( { setParameter: 1, auditAuthorizationSuccess: true } )

Or permanently, by adding a setParameter entry to mongod.conf:

auditLog:
   destination: file
   format: BSON
   path: /var/lib/mongodb/audit_mongodb.bson
   filter: '{ roles: { role: "readWrite", db: "user_profile" } }'
setParameter: { auditAuthorizationSuccess: true }

Percona Server for MongoDB includes audit logging free of charge, while in MongoDB it is only available in the Enterprise Edition. Keep in mind that enabling auditAuthorizationSuccess adds overhead to every audited read and write, so measure the impact before turning it on in production and keep the filter as narrow as your investigation requirements allow.

What’s next?

We can ship the MongoDB audit log to a log management system, for example the ELK (Elasticsearch, Logstash, and Kibana) stack or a hosted log management service, for analysis and alerting. Shipping it also keeps a copy of the log off the database host, so an attacker who takes over the server cannot simply delete the evidence.

For quick local checks, the jq utility on Linux is the simplest way to read a JSON-format log. jq does not understand BSON, so a BSON-format log must first be converted with bsondump (part of the MongoDB Database Tools), which prints one JSON document per line.
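The triage script below is an added example written for this post; it is not code from the original article, from MongoDB or from Percona. It reads a JSON-format audit log offline and answers the questions raised at the start: which remote addresses are guessing passwords (the authenticate events the first filter above captures, split by their result code), which users were denied an operation (authCheck events with result 13), and who dropped or renamed what, from where (the events the second filter captures). The event layout follows the MongoDB audit message format (atype, ts, local, remote, users, roles, param, result), and the result codes 0 (success), 13 (Unauthorized) and 18 (AuthenticationFailed) are MongoDB error codes. The sample events, IP addresses, user names and the three-failure threshold are constructed for this example.

```python
import json
from collections import Counter

# MongoDB error codes as they appear in an audit event's "result" field.
RESULT_OK, UNAUTHORIZED, AUTH_FAILED = 0, 13, 18   # 13 = Unauthorized, 18 = AuthenticationFailed
# Action types that destroy or move data; extend to taste.
DESTRUCTIVE = frozenset({"dropCollection", "dropDatabase", "dropIndex", "renameCollection"})

# Constructed sample log (auditLog format: JSON, one event per line), not captured from a
# real server: a normal app login, three failed admin logins from an outside address, a
# failed app login, a corrupt line, the outside address logging in as admin, the app user
# being denied a read of admin.system.users, and a collection dropped from that address.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"atype":"authenticate","ts":{"$date":"2024-03-01T10:00:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.21","port":51919},"users":[{"user":"app","db":"user_profile"}],"roles":[{"role":"readWrite","db":"user_profile"}],"param":{"user":"app","db":"user_profile","mechanism":"SCRAM-SHA-256"},"result":0}',
    '{"atype":"authenticate","ts":{"$date":"2024-03-01T10:01:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":40001},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
    '{"atype":"authenticate","ts":{"$date":"2024-03-01T10:01:05.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":40002},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
    '{"atype":"authenticate","ts":{"$date":"2024-03-01T10:01:10.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":40003},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
    '{"atype":"authenticate","ts":{"$date":"2024-03-01T10:02:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.21","port":51920},"users":[],"roles":[],"param":{"user":"app","db":"user_profile","mechanism":"SCRAM-SHA-256"},"result":18}',
    'this line is not JSON and stands in for a truncated or corrupt record',
    '{"atype":"authenticate","ts":{"$date":"2024-03-01T10:03:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":40004},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}',
    '{"atype":"authCheck","ts":{"$date":"2024-03-01T10:03:30.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.21","port":51919},"users":[{"user":"app","db":"user_profile"}],"roles":[{"role":"readWrite","db":"user_profile"}],"param":{"command":"find","ns":"admin.system.users","args":{"find":"system.users","$db":"admin"}},"result":13}',
    '{"atype":"dropCollection","ts":{"$date":"2024-03-01T10:04:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":40004},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"user_profile.sessions"},"result":0}',
])

def parse_audit_log(text):
    """One JSON audit event per line; returns (events, number_of_unparseable_lines)."""
    events, bad = [], 0
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # truncated or corrupt record: count it and keep going
    return events, bad

def remote_ip(ev):
    return ev.get("remote", {}).get("ip", "?")

def actor(ev):
    """user@authdb of the authenticated session, if any."""
    users = ev.get("users") or []
    return ",".join(f'{u.get("user")}@{u.get("db")}' for u in users) or "(unauthenticated)"

def failed_auth_by_remote(events):
    """Failed authenticate events counted per remote address."""
    return Counter(remote_ip(ev) for ev in events
                   if ev.get("atype") == "authenticate" and ev.get("result") == AUTH_FAILED)

def brute_force_then_success(events, threshold=3):
    """Remote addresses that failed at least `threshold` logins and then succeeded.
    Relies on the events being in chronological order, as mongod appends them."""
    failures, hits = Counter(), {}
    for ev in events:
        if ev.get("atype") != "authenticate":
            continue
        ip = remote_ip(ev)
        if ev.get("result") == AUTH_FAILED:
            failures[ip] += 1
        elif ev.get("result") == RESULT_OK and failures[ip] >= threshold:
            hits[ip] = {"failures": failures[ip], "user": ev.get("param", {}).get("user"),
                        "ts": ev.get("ts", {}).get("$date")}
    return hits

def authorization_failures(events):
    """(actor, command, namespace, remote ip) for every denied authCheck event."""
    return [(actor(ev), ev.get("param", {}).get("command"), ev.get("param", {}).get("ns"), remote_ip(ev))
            for ev in events if ev.get("atype") == "authCheck" and ev.get("result") == UNAUTHORIZED]

def destructive_ops(events):
    """Successful destructive actions with actor and origin. renameCollection
    carries the source namespace in param.old; the other actions use param.ns."""
    return [{"ts": ev.get("ts", {}).get("$date"), "atype": ev["atype"],
             "ns": ev.get("param", {}).get("ns") or ev.get("param", {}).get("old"),
             "actor": actor(ev), "remote": remote_ip(ev)}
            for ev in events if ev.get("atype") in DESTRUCTIVE and ev.get("result") == RESULT_OK]

if __name__ == "__main__":
    evs, bad = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"parsed {len(evs)} events, skipped {bad} unparseable line(s)")
    for ip, n in failed_auth_by_remote(evs).most_common():
        print(f"failed logins from {ip}: {n}")
    for ip, info in brute_force_then_success(evs).items():
        print(f"ALERT {ip}: {info['failures']} failures, then logged in as {info['user']} at {info['ts']}")
    for row in authorization_failures(evs):
        print("denied:", row)
    for op in destructive_ops(evs):
        print("destructive:", op)
```

To run it against a real log, pass the file contents to parse_audit_log (convert a BSON log with bsondump first). Corrupt or truncated lines are counted rather than aborting the run, because a partially written last record is normal on a live file. If you merge logs from several nodes, sort by ts before running the brute-force rule, which assumes chronological order.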
