We enabled the audit logs for the specific collections, as follows
filter: ‘{ atype: “authCheck”, “param.command”: { $in: [ “find”, “insert”, “delete”, “update”, “findandmodify” ] }, “param.ns”: /^test\./ } }’
setParameter: { auditAuthorizationSuccess: true }
Not able get the param args as its showing empty
here is the sample logs
{ “role” : “readWrite”, “db” : “xxxxxx” }, { “role” : “readWrite”} ], “param” : { “command” : “update”, “ns” : “dbname.testcollection”, “args” : { “update” : “testcollection”, “ordered” : true, “txnNumber” : { “$numberLong” : “35” }, “$db” : “dbname”, “$clusterTime” : { “clusterTime” : { “$timestamp” : { “t” : 1661239196, “i” : 26 } }, “signature” : { “hash” : { “$binary” : “dZOF9oVablHHk8TFl4OiJ3smnFk=”, “$type” : “00” }, “keyId” : { “$numberLong” : “7079044695896096769” } } }, “lsid” : { “id” : { “$binary” : “puZq+Dz3RDa/GFZ8a2Kxjw==”, “$type” : “04” } } } }, “result” : 0 }
In args we need the exact update opeartion.
“args” :