Auditing does not log write operation details

Dear all,
We are using Percona Server for MongoDB 4.4.13 and within our server, auditing is active. The system logs almost everything perfectly but we have two problems which may cause serious trouble against official regulatory audit.

In write operations, we can not see the details of the operation. For example, in an update operation such as `db.getCollection('COLLECTION').updateOne({_id:"197"}, {$set: {FieldName:"1" }})` the audit log includes the timestamp, the user, the collection name, the "update" command. But the missing part is the `{$set: {FieldName:"1" }}` which means what is updated. As a result, we are unable to provide solid proof to official regulatory audits. We would appreciate if anyone can help us.
The log is:

```json
{ "atype" : "authCheck", "ts" : { "$date" : "2023-07-12T16:29:44.224+03:00" }, "local" : { "ip" : "", "port" : 27017 }, "remote" : { "ip" : "CLIENT_IP", "port" : 64767 }, "users" : [ { "user" : "DBA_USER", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" } ], "param" : { "command" : "update", "ns" : "DATABASE.COLLECTION", "args" : { "update" : "COLLECTION", "ordered" : true, "lsid" : { "id" : { "$binary" : "husM1jiGSjCQJTIUOPO0Zw==", "$type" : "04" } }, "$clusterTime" : { "clusterTime" : { "$timestamp" : { "t" : 1689168565, "i" : 7 } }, "signature" : { "hash" : { "$binary" : "UzBeH2eAjOJZfeWcAQaLkVQaSHY=", "$type" : "00" }, "keyId" : { "$numberLong" : "7209318063370403841" } } }, "$readPreference" : { "mode" : "secondaryPreferred" }, "$db" : "DATABASE" } }, "result" : 0 }
```

The second problem is: auditing logs successful authentication as "atype : authentication" and "result : 0". But according to all documents provided, authentication failures should be logged as "result : 18" as well. We are using Studio3T, using a wrong password and creating an authentication failure, but yet still the system does not log this failed authentication event into the audit.json file. Interestingly, we can see the authentication failure log within the mongod.log file, which we do not prefer as we are sending only audit.json file(s) to the SIEM system.

Below you can see our mongo audit config:

```yaml
destination: file
format: JSON
path: /var/log/mongodb/audit.json
filter: '{ "users": { $exists: true, $not: {$size: 0} }, "users.user": { $nin: ["serviceaccount1", "serviceaccount2", "automationAccount", "__system", "monitoringAccount", "backupAccount"] } }'

setParameter: { auditAuthorizationSuccess: true }
```

Hello @alpertunga7878

I checked PSMDB 4.4.22 behavior in my testing environment and it looks like the "update" command is logged in the way you expect: updated field name and new value are logged. I will check if this has been changed somewhere in between 4.4.13 and 4.4.22.

I will also check authentication failure logging and will add more comments here.

Thank you very much Igor. Waiting for your upcoming comments and news impatiently :slight_smile:

Hello @alpertunga7878

Please try to remove/comment the filter parameter in your config. It looks like it just filters out those records which you don’t see in the log.

Dear Igor,

I have to filter those users’ activities otherwise there will be huge blocks of logs which we will never use :frowning:

Hi @alpertunga7878

Sure you can filter out unnecessary records. I only asked you to temporarily disable that filter to ensure that records of interest are generated by Percona Server for MongoDB. And if those records are in place then you can adjust your filter expression to not exclude them from the output.
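To see how the posted filter expression can hide failed logins before adjusting it, here is an added example (not from the thread and not Percona code) that re-evaluates the filter over constructed audit records with a tiny evaluator for just the operators the filter uses. It assumes, following MongoDB's audit event format, that a failed login is an "authenticate" event whose "users" array is empty; the sample records and the adjusted filter are constructed for illustration.

```python
# Added example (not from the thread): evaluates the posted audit filter, using a
# tiny subset of MongoDB query semantics, over constructed audit records.
SERVICE_ACCOUNTS = ["serviceaccount1", "serviceaccount2", "automationAccount",
                    "__system", "monitoringAccount", "backupAccount"]
# The filter exactly as posted in the thread, as a Python literal.
ORIGINAL_FILTER = {
    "users": {"$exists": True, "$not": {"$size": 0}},
    "users.user": {"$nin": SERVICE_ACCOUNTS},
}
# One possible adjustment: keep every "authenticate" event (a failed login carries an
# empty "users" array, which the original filter drops), otherwise apply the old rule.
ADJUSTED_FILTER = {"$or": [{"atype": "authenticate"}, ORIGINAL_FILTER]}

# Constructed records modelled on the thread's log line (most fields omitted).
RECORDS = {
    "dba_update": {"atype": "authCheck", "users": [{"user": "DBA_USER", "db": "admin"}], "result": 0},
    "svc_update": {"atype": "authCheck", "users": [{"user": "serviceaccount1", "db": "admin"}], "result": 0},
    "auth_failed": {"atype": "authenticate", "users": [], "result": 18},
}

def _resolve(doc, path):
    """Values reached by a dotted path, descending into arrays as MongoDB does."""
    values = [doc]
    for key in path.split("."):
        values = [e[key] for v in values for e in (v if isinstance(v, list) else [v])
                  if isinstance(e, dict) and key in e]
    return values

OPS = {
    "$exists": lambda vals, arg: bool(vals) == bool(arg),
    "$size": lambda vals, arg: any(isinstance(v, list) and len(v) == arg for v in vals),
    "$nin": lambda vals, arg: not any(v in arg for v in vals),
    "$not": lambda vals, arg: not _match_cond(vals, arg),
}

def _match_cond(values, cond):
    """Plain equality, or every operator of an operator document (OPS only)."""
    if not isinstance(cond, dict):
        return cond in values
    return all(OPS[op](values, arg) for op, arg in cond.items())

def matches(doc, flt):
    """True if the audit record passes the filter ($or plus the OPS operators)."""
    return all(any(matches(doc, sub) for sub in cond) if key == "$or"
               else _match_cond(_resolve(doc, key), cond) for key, cond in flt.items())

def kept_by(flt):
    """Names of the sample records the filter lets through to audit.json."""
    return sorted(name for name, rec in RECORDS.items() if matches(rec, flt))
```

With the original filter only `dba_update` survives, while the adjusted one also passes `auth_failed`; the adjustment keeps authentication events from the excluded service accounts too, so tighten the `$or` branch further if that is unwanted.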