Audit events and format
We can record any of the following events in the console, the syslog, a JSON file, or a BSON file:
- Schema (DDL) operations, such as creating or dropping a collection
- Replica set and sharded cluster operations, such as sharding an existing collection or adding a new shard
- Authentication and authorization events, such as authentication failures
- CRUD operations, such as inserting, updating, deleting, or querying documents in the collection
The audit message format is as follows:
{
  atype: <string>,
  ts : { $date: <timestamp> },
  uuid : { $binary: <string>, $type: <string> },
  local: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  remote: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  users : [ { user: <string>, db: <string> }, ... ],
  ...
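As an added example (not code from the original page), the following Python sketch reads audit events written one JSON document per line and counts failed authentications per remote source, handling the three alternative shapes of `remote` shown above. It assumes the `authenticate` value of `atype` and a numeric `result` field (0 on success, non-zero on failure), which belong to the part of the message format elided above; the function names, threshold and sample events are constructed for illustration.

```python
import json
from collections import Counter

def source(ep):
    """Collapse the alternative shapes of `remote`/`local` into one label."""
    if "ip" in ep:
        return ep["ip"]              # port changes per connection, so drop it
    if "unix" in ep:
        return "unix:" + ep["unix"]
    if ep.get("isSystemUser"):
        return "system"
    return "unknown"

def failed_auth_by_source(lines, threshold=3):
    """Return ({source: failure count >= threshold}, unparseable line count)."""
    failures, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1             # e.g. a line cut off mid-write
            continue
        # Assumption: `result` is 0 on success and non-zero on failure.
        if ev.get("atype") == "authenticate" and ev.get("result", 0) != 0:
            failures[source(ev.get("remote", {}))] += 1
    return {s: n for s, n in failures.items() if n >= threshold}, skipped

def _ev(atype, remote, result):
    """Build one constructed sample event (not real log data)."""
    return json.dumps({"atype": atype,
                       "ts": {"$date": "2024-01-01T10:00:00.000+00:00"},
                       "local": {"ip": "10.0.0.5", "port": 27017},
                       "remote": remote, "users": [], "result": result})

# Constructed sample input: three failures from one IP, one success, one
# failure over a unix socket, one DDL event and one truncated line.
SAMPLE = [
    _ev("authenticate", {"ip": "203.0.113.7", "port": 51000}, 18),
    _ev("authenticate", {"ip": "203.0.113.7", "port": 51001}, 18),
    _ev("authenticate", {"ip": "203.0.113.7", "port": 51002}, 18),
    _ev("authenticate", {"ip": "203.0.113.7", "port": 51003}, 0),
    _ev("authenticate", {"unix": "/tmp/mongodb-27017.sock"}, 18),
    _ev("createCollection", {"ip": "198.51.100.4", "port": 40000}, 0),
    '{"atype": "authenticate", "ts": {"$da',
]

if __name__ == "__main__":
    print(failed_auth_by_source(SAMPLE))
```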